In association with heise online

The most important security options in php.ini

register_globals = off prevents variable assignments in HTTP requests and cookies from overwriting global program variables. This option forces scripts to explicitly read user-supplied values from the dedicated arrays such as $_REQUEST. An attacker can therefore no longer easily exploit a script that uses uninitialised variables or carelessly assumes that certain global variables hold certain values.

allow_url_fopen = off ensures that PHP scripts can only load local files from the server. This is a big hurdle for many types of attack, as it makes it impossible to load scripts directly from external servers.

safe_mode = on restricts PHP processes, among other things, to accessing only files and directories belonging to the user with whose privileges the PHP processes run. On Linux servers this is usually www-data or, where Apache modules such as mod_suexec [4] or suPHP are used, the script owner. By default, safe mode also blocks hazardous functions such as shell_exec(); further options are available for controlling its behaviour [5].

open_basedir = /path/to/www-folder specifies a directory outside of which PHP scripts cannot open files, similar to a chroot environment. Access to subdirectories is of course permitted, but directly reading /etc/passwd, for example, or other confidential data outside the www root by path traversal is then impossible.

display_errors = off can make it harder to prepare an attack. Some attacks, for example, require the file system path to the web application to be known, and this information can be read from many PHP error messages. This option stops such messages being displayed to an attacker who deliberately provokes them.
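The five settings above can be checked mechanically rather than by eye. The following POSIX sh audit script is an added example, not code from the original article or from The H; it assumes a php.ini path as its argument, treats the last assignment of a directive as the effective one (as PHP does) and ";" as the comment character, and flags each directive that is missing or weaker than the value recommended above. The sample php.ini it writes in demo mode is constructed for illustration and is not taken from any real server.

```sh
#!/bin/sh
# Added example, not from the original article: audit a php.ini for the
# five hardening directives discussed above. Usage:
#   sh php_ini_audit.sh /path/to/php.ini    (audit a real file)
#   sh php_ini_audit.sh --demo              (audit a constructed sample)
# Assumptions: the last assignment of a directive wins (as in PHP) and
# ";" starts a comment. Exit status of audit_php_ini = number of findings.

# Strip ";" comments from an ini file and print the remaining text.
ini_strip_comments() {
    sed -e 's/[[:space:]]*;.*$//' "$1"
}

# Print the effective value of directive $2 in file $1 (empty if unset).
# Surrounding double quotes and trailing whitespace are removed.
ini_get() {
    ini_strip_comments "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | tail -n 1 \
      | sed -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//'
}

# True if directive $2 is assigned anywhere in file $1 (outside comments).
ini_has() {
    ini_strip_comments "$1" | grep -q "^[[:space:]]*$2[[:space:]]*="
}

# Normalise PHP's boolean spellings to "on"/"off"; other values pass through
# unchanged so the report shows exactly what was found.
php_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|yes|true)           echo on ;;
        ''|0|off|no|none|false)  echo off ;;
        *)                       echo "$1" ;;
    esac
}

# Audit one php.ini: one OK/WARN line per directive, returns the WARN count.
audit_php_ini() {
    ini_file=$1
    findings=0
    for pair in register_globals=off allow_url_fopen=off safe_mode=on display_errors=off; do
        name=${pair%=*}
        want=${pair#*=}
        if ! ini_has "$ini_file" "$name"; then
            echo "WARN $name is not set; PHP's built-in default applies"
            findings=$((findings + 1))
        elif [ "$(php_bool "$(ini_get "$ini_file" "$name")")" = "$want" ]; then
            echo "OK   $name = $want"
        else
            echo "WARN $name should be $want, found '$(ini_get "$ini_file" "$name")'"
            findings=$((findings + 1))
        fi
    done
    # open_basedir is a path, not a boolean: it must simply be non-empty.
    basedir=$(ini_get "$ini_file" open_basedir)
    if [ -n "$basedir" ]; then
        echo "OK   open_basedir = $basedir"
    else
        echo "WARN open_basedir is unset; scripts may open any file the PHP user can read"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Write a constructed sample php.ini (not a real server's file) to $1.
# It deliberately leaves allow_url_fopen on and comments safe_mode out.
write_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
register_globals = Off
allow_url_fopen = On        ; weak: scripts can be loaded from remote servers
; safe_mode = On            ; commented out, so it is NOT in effect
display_errors = Off
open_basedir = "/var/www"
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_ini "$tmp"
    if audit_php_ini "$tmp"; then echo "no findings"; else echo "findings: $?"; fi
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    audit_php_ini "$1"
fi
```

On the constructed sample the script reports two findings (allow_url_fopen left on, safe_mode only present as a comment) and three OK lines. Note that register_globals and safe_mode were removed from PHP in version 5.4, so on a current server the script reports them as not set, which is the expected result there; the remaining three directives still exist and are still worth checking.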

Permalink: http://h-online.com/-747201