Formatting code for PHPSecurity
{{parent page="PHP"}}
===PHP Security===
If your PHP version still supports it, set **safe_mode = On** in php.ini. Safe mode can also be turned on per virtual host in the Apache configuration, for example:
%%
<Directory /var/www/vhosts/aaa.com/htdocs>
php_admin_flag safe_mode On
</Directory>
%%
Note that safe_mode was deprecated in PHP 5.3.0 and removed in PHP 5.4.0; on those versions the directive is ignored, so do not rely on it as your only control.
==Disabling php functions==
If running PHP in safe mode is not possible (or your PHP version no longer has it), you should still disable the functions that hand a string to a shell or spawn a process, via **disable_functions** in php.ini. This directive can only be set in php.ini (or with php_admin_value in the Apache configuration), not from a script or .htaccess, which is exactly what makes it useful.
%%
disable_functions = system,exec,passthru,popen,proc_open,shell_exec
%%
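A setting in php.ini is only useful if the interpreter that serves your pages actually picked it up (CLI and Apache often load different php.ini files). The following script is an added example, not code from the original page; it reads the running interpreter's configuration and reports which of the shell-spawning functions listed above are still callable. The list of functions it checks is an assumption taken from the directive above, and the script name audit.php is hypothetical.

```php
<?php
// Added example (not part of the original page): checks whether disable_functions
// and safe_mode actually took effect in the PHP interpreter running this script.
// Run it both from the command line (php audit.php) and through the web server,
// because the two SAPIs may load different php.ini files.

// Functions that pass a string to a shell or start a process. Assumed list,
// taken from the disable_functions directive above; extend it as needed.
$dangerous = array('system', 'exec', 'passthru', 'popen', 'proc_open', 'shell_exec');

// Returns the functions named in disable_functions, lower-cased and trimmed.
function disabledFunctions()
{
    $raw  = (string) ini_get('disable_functions');
    $list = array_filter(array_map('trim', explode(',', $raw)));
    return array_map('strtolower', $list);
}

// Returns an array mapping each function name to 'disabled', 'not compiled in'
// or 'CALLABLE'. A function listed in disable_functions is removed from the
// function table, so function_exists() returns false for it as well.
function auditExecFunctions(array $dangerous)
{
    $disabled = disabledFunctions();
    $report   = array();
    foreach ($dangerous as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';
        } elseif (!function_exists($fn)) {
            $report[$fn] = 'not compiled in';
        } else {
            $report[$fn] = 'CALLABLE';
        }
    }
    return $report;
}

// safe_mode was removed in PHP 5.4.0; on newer versions ini_get() returns false
// for it, so report that explicitly instead of a misleading "off".
function safeModeStatus()
{
    if (PHP_VERSION_ID >= 50400) {
        return 'not available (removed in PHP 5.4)';
    }
    return filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN) ? 'on' : 'OFF';
}

echo 'PHP ' . PHP_VERSION . ' (' . PHP_SAPI . ")\n";
echo 'safe_mode: ' . safeModeStatus() . "\n";
foreach (auditExecFunctions($dangerous) as $fn => $status) {
    printf("%-12s %s\n", $fn . '()', $status);
}
```

Anything reported as CALLABLE means the directive did not reach that interpreter; check which php.ini it loaded (php --ini on the CLI, or phpinfo() for the web SAPI) before assuming the host is hardened.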
To illustrate that this is actually a serious problem, look at the following PHP file, which runs a shell command as the web server user and prints the result:
%%(php)
<?php
// Runs "cat /etc/passwd" through the shell and collects its output lines.
exec("cd /etc ; cat passwd", $output);
foreach ($output as $line) {
    echo htmlspecialchars($line) . "<br>\n";
}
?>
%%
You probably do not want a web script to be able to do this. Note that exec() is still bound by the system's file permissions: the command runs as the user the web server runs as, so it can only read files that user can read, and it cannot delete files, or run a script that deletes files, unless that user has write access to them.