PHP is vulnerable to quite a few exploits when used on a web server.
Many times the reasons for these exploits are careless settings left unattended, which give intruders enough information about the web server or the PHP version running on it. There are also instances where unwanted functions, which can prove to be harmful, are left enabled. Examples of such functions are:
exec, system, shell_exec, passthru
All you need to do is disable them and set the limits in the php.ini file on your server.
The following are a few settings which will help you harden PHP:
Edit the php.ini file on your server. It can be located under /etc, /etc/php or /etc/php5 (depending on the server configuration and operating system).
And ensure the following lines are present:
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On
- disable_functions = exec,system,shell_exec,passthru: Disables some functions which can prove a threat if exploited by some rogue user.
- register_globals = Off: This will disable the use of global variables in PHP scripts. The use of global variables gives attackers an opportunity to manipulate them freely.
- expose_php = Off: This option will hide the PHP version running on the server. PHP may otherwise send an HTTP header (X-Powered-By: PHP) or append its name and version to Apache's signature; this setting prevents that.
- magic_quotes_gpc = On: Magic Quotes is a process that automagically escapes incoming data to the PHP script.
Save the file and restart or reload the web server.
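To confirm that a server actually carries these settings, here is an added example (not from the original article) of a POSIX shell audit: it reads the php.ini path it is given, resolves each directive the way PHP does (last uncommented assignment wins; On, 1, true and yes all mean on) and reports which of the four recommendations above is missing. It assumes awk, tr and mktemp are available; the php.ini at the end is a constructed sample for the stand-alone run, so point check_php_ini at your real file instead.

```sh
# Effective value of a directive (last uncommented assignment wins, as in PHP); empty if absent.
ini_get() {
  awk -v key="$2" '
    /^[[:space:]]*;/ { next }                 # comment line
    {
      split($0, kv, "="); k = kv[1]
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = substr($0, index($0, "=") + 1)
        sub(/;.*/, "", v)                     # trailing comment
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); gsub("\"", "", v)   # trim, strip quotes
        last = v
      }
    }
    END { print last }' "$1"
}
# Normalise the boolean spellings php.ini accepts: On/1/true/yes -> on, anything else -> off.
ini_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    on|1|true|yes) echo on ;;  *) echo off ;;
  esac
}
# Report every deviation from the recommended values; return 1 if any is found.
check_php_ini() {
  ini="$1"; rc=0
  disabled=",$(ini_get "$ini" disable_functions | tr -d ' '),"
  for fn in exec system shell_exec passthru; do
    case "$disabled" in
      *",$fn,"*) ;;
      *) echo "FAIL: $fn is not in disable_functions"; rc=1 ;;
    esac
  done
  for want in "register_globals off" "expose_php off" "magic_quotes_gpc on"; do
    set -- $want                              # $1 = directive, $2 = wanted value
    val=$(ini_get "$ini" "$1")
    if [ -z "$val" ]; then echo "FAIL: $1 is not set explicitly"; rc=1
    elif [ "$(ini_bool "$val")" != "$2" ]; then echo "FAIL: $1 = $val (want $2)"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: all recommended settings are in place"
  return "$rc"
}

# Constructed sample php.ini for a stand-alone run (not a real server's file).
SAMPLE=$(mktemp)
printf '%s\n' 'disable_functions = exec, system ; shell_exec, passthru missing' \
  'register_globals = Off' 'expose_php = On' 'magic_quotes_gpc = On' > "$SAMPLE"
check_php_ini "$SAMPLE" || echo "exit status: $?"
rm -f "$SAMPLE"
```

Note that register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current PHP those two checks apply only to the legacy versions this article targets.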
The above are some basic tips which will harden PHP. Going forward I will add a few more articles covering further details of PHP which will help secure it better.