Security Hints for PHP/MySQL Applications
Apache Server Security
This page provides some general hints for Apache servers running PHP applications. I recommend considering them for ConfTool installations, and they are probably useful for most other production environments with PHP and MySQL.
Access to Backup Files
It is advisable to block access to all backup files. If these are, for instance, backup copies of PHP files, they are usually served as plain text rather than executed and may reveal parameters such as the password for your MySQL database.
To block access to backup files with the extensions "bak", "BAK" and "~", use the following lines in your httpd.conf file (the Files container matches exactly those three name endings):
# For ConfTool you need none of the Options directives if you do not
# use the .htaccess file, but make the ConfTool settings in php.ini.
# Controls who can get stuff from this server.
Order allow,deny
Allow from all
# Prevent access to backup files!
<Files ~ "(\.bak|\.BAK|~)$">
    Order allow,deny
    Deny from all
</Files>
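The Apache rule above only helps while it is active, so it is worth checking the document root for leftover backups directly and deleting them. The following script is an added example written for this page, not code from ConfTool: it walks a directory tree and lists every file whose name the rule would match. It goes beyond the three endings the page names by also matching ".orig", ".old" and ".swp", which is my assumption about common editor and copy leftovers; the directory tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Name endings the Apache rule on this page blocks (".bak", ".BAK", trailing "~").
# Assumption: ".orig", ".old" and ".swp" are added because they expose source
# the same way.  Adjust the alternation if your editors leave other suffixes.
BACKUP_NAME = re.compile(r"(\.(bak|BAK|orig|old|swp)|~)$")


def is_backup_name(name):
    """True if a file name looks like a backup copy that should not be served."""
    return BACKUP_NAME.search(name) is not None


def find_backup_files(docroot):
    """Walk a document root and return the relative paths of backup-looking files."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if is_backup_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed document root in a temp dir and scan it."""
    sample = ("index.php", "config.php.bak", "config.php~",
              "lib/db.php.BAK", "lib/db.php")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder file\n")
        return find_backup_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("backup file found:", hit)
```

Run it against a real document root with find_backup_files("/srv/www") (path assumed); an empty result means there is nothing for the Apache rule to protect, which is the state you want.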
MySQL Database Security
Limit Network Access
If it is not required, block network access to the MySQL database server from other hosts.
One way to block all network access to your MySQL server is to add the parameter
to your MySQL configuration file "my.cnf" (usually in /etc/ or C:/Windows/). Applications then have to use the socket file to access the MySQL daemon.
If disabling network access causes compatibility issues with some of your applications, you can instead use
bind-address = 127.0.0.1
to limit access to localhost only.
Update Default Root User
Many distributions install a "root" MySQL user without any password. Make sure to set a password for the "root" user after a new server installation.
From the command line call
mysql -u root mysql
In the mysql client you have to enter two commands. The first one sets the password:
UPDATE user SET Password=PASSWORD('myNewPassword') WHERE user='root';
The second command makes the server reload the privilege tables so that the new password takes effect.
Alternatively, you can also use the "mysqladmin" tool:
mysqladmin -u root password
You will be prompted for the password.
If you get the error message
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
a password for the user root is already set.
PHP Security Settings
PHP is not an "unsafe" programming language, but there are some PHP settings that are recommended to reduce the vulnerability of most PHP installations. They are set in your php.ini file; some can also be set in the Apache configuration file or your local .htaccess file. Please consider that other PHP scripts on your server might have problems with the settings recommended here.
Some PHP functions can make your system vulnerable, as they provide access to system resources, parameters or files:
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, proc_nice
ConfTool makes use of two of these functions:
- "exec" is used on Windows systems to check whether the domain name of an email address exists. All parameters are sanitized before the function call. (The function is also used in some custom ConfTool libraries to access credit card gateways.)
- "popen" is used in the "phpmailer" library to send emails. You can alternatively use the built-in PHP mail function, but it is less powerful.
Therefore, if you use one of the features above, you should only disable the following functions in the file "php.ini":
disable_functions = show_source, system, shell_exec, passthru, phpinfo, proc_open, proc_nice
register_globals = Off
should always be set, as otherwise all HTTP GET and POST variables are directly accessible as global variables in the PHP application. This is a potential security problem for any PHP application. I recommend not using any PHP application that requires "register_globals" to be on.
allow_url_fopen = Off
This should be set for most servers. It prevents scripts from loading PHP code from other web servers, a potential security issue.
allow_url_include = Off
Since PHP 5.2, the setting allow_url_include disables remote URLs for the commands "include" and "require" only. So if some of your scripts require allow_url_fopen, the setting above is an alternative.
display_errors = Off
This setting turns off the output of PHP error messages to your users and to possible attackers. It should always be set to "Off" in a production environment. You can (and should) still log (and analyze) errors in the server's error_log by setting:
log_errors = On
Syntax: open_basedir = "/path/to/conftool"
Limits the execution of PHP files on your web server to the given path(s); files outside them are not executed. It is always recommended to use it and to restrict PHP to those directories where known applications reside.
Example for Windows:
open_basedir = "D:/www/conftool/;C:/Program Files/Apache Group/Apache/htdocs/"
Example for Linux/Unix:
open_basedir = "/home/conftool/:/srv/www/"
safe_mode = On/Off
Safe Mode restricts the access of PHP scripts on your web server. It is currently not recommended to use it with ConfTool, as e.g. timeouts cannot be set and access to uploaded files is limited. ConfTool does work with safe mode to some extent, but there are many potential problems (e.g. with bulk mails).
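Since php.ini and my.cnf are both simple key = value files, the settings from the "Limit Network Access" section and from the php.ini section above can be verified with one small script. The following is an added example written for this page, not ConfTool code: it parses a php.ini and a my.cnf, reports every setting that deviates from the page's recommendations, and shows a "before" file with typical development values beside the hardened "after" file. Both sample files are constructed. The my.cnf check also treats a bare skip-networking directive as acceptable; that directive is taken from MySQL's own documentation rather than from this page.

```python
# Added audit script for this page's php.ini and my.cnf recommendations.
# The sample files below are constructed for the demonstration.

PHP_INI_BEFORE = """\
[PHP]
; typical development values that the page recommends changing
register_globals = On
allow_url_fopen = On
allow_url_include = Off
display_errors = On
log_errors = Off
disable_functions =
open_basedir =
"""

PHP_INI_AFTER = """\
[PHP]
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
log_errors = On
disable_functions = show_source, system, shell_exec, passthru, phpinfo, proc_open, proc_nice
open_basedir = "/home/conftool/:/srv/www/"
"""

MY_CNF_BEFORE = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# The ConfTool-compatible list from the page (exec and popen deliberately kept).
RECOMMENDED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                        "phpinfo", "proc_open", "proc_nice"}

# Settings the page says must be Off in production.
MUST_BE_OFF = ("register_globals", "allow_url_fopen", "allow_url_include", "display_errors")


def parse_ini(text):
    """Minimal reader for php.ini / my.cnf style files.

    Returns {lower-cased key: value} with surrounding quotes removed.  Section
    headers, blank lines and ';' / '#' comment lines are skipped; a bare
    directive without '=' (e.g. skip-networking) gets the value ''.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').strip("'") if sep else ""
    return settings


def is_on(value):
    """PHP accepts several spellings for a boolean 'on'."""
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit_php_ini(text):
    """Return a list of findings for a php.ini; an empty list means it follows the page."""
    s = parse_ini(text)
    findings = []
    for key in MUST_BE_OFF:
        if key not in s:
            findings.append(f"{key} not set explicitly; set {key} = Off")
        elif is_on(s[key]):
            findings.append(f"{key} = {s[key]}; set {key} = Off")
    if not is_on(s.get("log_errors", "")):
        findings.append("log_errors is off; set log_errors = On so errors still reach error_log")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir is empty; restrict PHP to the application directories")
    return findings


def audit_my_cnf(text):
    """Check the [mysqld] network settings against the page's recommendation."""
    s = parse_ini(text)
    if "skip-networking" in s:
        return []  # TCP listener disabled entirely; clients must use the socket file
    addr = s.get("bind-address")
    if addr in ("127.0.0.1", "::1", "localhost"):
        return []
    shown = addr if addr else "(unset, listens on all interfaces)"
    return [f"bind-address = {shown}; set bind-address = 127.0.0.1"]


if __name__ == "__main__":
    for name, fn, sample in (("php.ini (before)", audit_php_ini, PHP_INI_BEFORE),
                             ("php.ini (after)", audit_php_ini, PHP_INI_AFTER),
                             ("my.cnf (before)", audit_my_cnf, MY_CNF_BEFORE)):
        findings = fn(sample)
        print(name + (": ok" if not findings else ""))
        for finding in findings:
            print("  " + finding)
```

To audit a real server, pass the contents of /etc/php.ini and /etc/my.cnf (paths assumed) to audit_php_ini and audit_my_cnf. Note that on PHP 5.4 and later register_globals and safe_mode no longer exist, so the "not set explicitly" finding for register_globals can be ignored there.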
The Hardened-PHP project provides two patches / extensions for PHP that can improve the security of all PHP installations:
- The hardening patch adds security hardening features to the PHP core to protect servers against a number of well known problems in PHP applications and against potential unknown vulnerabilities.
- Suhosin is an extension for PHP to protect servers and users from known and unknown flaws in PHP applications and the PHP core by adding new security filters and PHP security settings.
Both patches work well with ConfTool. I recommend the Suhosin extension for any production environment running PHP applications.
Security is not a state but a process. As PHP and MySQL are very popular systems, always keep track of recent developments and update your server settings. If you find any potential problems in ConfTool, please contact me immediately.