Security Hints for PHP/MySQL Applications

Apache Server Security

This page provides some geneal hints for Apache servers running PHP applications. I recommend to consider them for ConfTool installations and they are probably useful for most other productive environments with PHP and MySQL.

Access to Backup Files

It is advisable to block access to all backup files. If these are for instance PHP files, they are usually not executed and may reveal parameters like the password for your mysql database.

To block the access to backup files with the extensions "bak", "BAK" and "~" use the following lines in your httpd.conf file:

<FilesMatch "(\.bak|\.BAK|~)$">
  order deny,allow
  deny from all
</FilesMatch>

Example:

<Directory "/home/conftool/">
  # For Conftool you need none of the options directive, if you do not
  # use the .htaccess file, but make the conftool settings in php.ini
  options none
  # Controls who can get stuff from this server.
  order deny,allow
  allow from all
  # Prevent access to backup files!
  <FilesMatch "(\.bak|\.BAK|~)$">
      order deny,allow
      deny from all
  </FilesMatch>
</Directory>
 

http://www.zdziarski.com/projects/mod_evasive/

MySql Database Security

Limit Network Access

If not required, block network access to the mysql database server from other hosts.

One way to limit any network access to your MySQL server is adding the parameter

skip-networking

to your mysql configuration file "my.cnf" (usually in /etc/ or C:/Windows/). Applications now have to use a socket file to access the MySQL deamon.

If disabling network access causes compatibility issues with some of your applications, you may also use

bind-address = 127.0.0.1 

to limit access to localhost only.

Update Default Root User

Many distributions install a "root" MySQL user without any password. Make sure to set a password for the "root" user after a new server installation.

From the command line call

mysql mysql -u root

In the mysql client you have to enter two commands:

UPDATE user SET Password=PASSWORD('myNewPassword') WHERE user='root';
flush privileges;

The second command reads the new password into the mysql server.

Alternatively you can also use the "mysqladmin tool"

mysqladmin -u root password

You will be prompted for the password.

If you get the error message

mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'a'localhost' (using password: NO)'

a password for the user root is already set.

PHP Security Settings

PHP is not an "unsave" programming language, but there are some PHP settings that are recommended to reduce the vulnerability of most PHP installations. They are set in your php.ini file, some can also be set in the apache configuration file or your local .htaccess file. Please consider that other PHP scripts on your server might have problems with the settings recommended here.

DISABLE_FUNCTIONS

Some PHP functions can make your system vulnerable, as they provide access to system ressources, parameters or files.

Such are:

show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, proc_nice

Conftool makes use of two of these functions:

  • "exec" is used on windows systems to check if the domain name of an email address exists. All parameters are sanitized before the function call. (The function is also used in some custom ConfTool libraries to access credit card gateways.)
  • "popen" is used in the "phpmailer" library to send emails. You can alternatively use the build-in php function to send mails, but it is less powerful.

Therefore if you use one of the features above, you should only disable the following functions in the file "php.ini":

disable_functions = show_source, system, shell_exec, passthru, phpinfo, proc_open, proc_nice

REGISTER_GLOBALS

The switch

register_globals = Off

should always be set, as otherwise all http get and post variables are directly accessible as global variables in the PHP application. This is a potential security problem for any PHP application. I recommend not to use any PHP application that requires "register_globals" to be on.

ALLOW_URL_FOPEN

allow_url_fopen = Off

This should be set for most servers. It prevents that scripts can load php code from other web servers, a potential security issue.

allow_url_include = Off

Since PHP 5.2 the setting allow_url_include allows to disable remote addresses for the commands "include" and "require" only. So if some of your scripts require allow_url_fopen, the above settings might be an alternative.

DISPLAY_ERRORS

display_errors = Off

This setting will turn off the output of PHP error messages to your users and possible attackers. It should always be set to "off" in a productive environment. You can (and should) still log (and analyze) errors in the server's error_log by setting:

log_errors = On

OPEN_BASEDIR

Syntax: open_basedir = "/path/to/conftool"

Limits the execution of php files on your Web server. Files outside the

given path(s) are not executed. It is always recommended to use it and to restrict php to those directories where known applications reside.

Example for Windows:

open_basedir = "D:/www/conftool/;C:/Program Files/Apache Group/Apache/htdocs/"

Unix/Linux example:

open_basedir = "/home/conftool/:/srv/www/"

SAFE_MODE

safe_mode = On/Off

Safe Mode restricts the access of php scripts on your web server. It is currently not recommended to use it with ConfTool as e.g. timeouts cannot be set and the access to uploaded files is limited. ConfTool does somehow work with safe mode, but there are many potential problems (e.g. with bulk mails).

Hardened-PHP Project

The Hardened-PHP project provides two patches / extensions for PHP that can improve the security of all PHP installations:

  • The hardening patch adds security hardening features to the PHP core to protect servers against a number of well known problems in PHP applications and against potential unknown vulnerabilities.
  • Suhosin is an extension for PHP to protect servers and users from known and unknown flaws in PHP applications and the PHP core by adding new security filters and PHP security settings.

Both patches work well with ConfTool. I recommend the Suhosin extension for any productive environment running PHP applications.

Conclusion

Security is not a state but a process. As PHP any MySQL are very popular systems, always keep track of recent developments and update your server settings. If you find any potential problems in ConfTool, please contact me immediately.