Happy new year, everyone. I haven't updated my blog for another half month. My updates are fairly casual: I write up whatever comes to mind, as a convenient summary of work and study to share with everyone.
Recently, I talked about PHP security issues with my colleagues and recorded some of our experience.
Because of the nature of scripting languages and the design of early PHP versions, PHP projects carry many security risks. From the perspective of configuration options, you can apply the following hardening.
1. Suppress PHP error output.
In /etc/php.ini (the default configuration file location), change the following configuration value to Off:
display_errors=Off
Do not output error stack information directly to the web page, so that hackers cannot make use of it.
The right approach is to write errors to a log file for troubleshooting.
2. Hide the PHP version.
By default, the PHP version is displayed in the response headers, for example:
X-Powered-By: PHP/7.2.0
Change the following configuration value in php.ini to Off
expose_php=Off
3. Turn off global variables.
If you turn on global variables, data submitted by forms is automatically registered as global variables. Take the following form:
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="submit" name="submit">
</form>
If global variables are enabled, the server-side PHP script can read the user name and password directly from $username and $password, which creates a serious risk of script injection.
Global variables are turned on in php.ini as follows:
register_globals=On
It is recommended to turn them off with the following setting:
register_globals=Off
When it is off, the parameters can only be read from $_POST, $_GET and $_REQUEST.
4. File system restrictions
You can restrict the system directories that PHP can access through open_basedir.
Without this restriction, the following script (hack.php) can read the system password file.
<?php echo file_get_contents('/etc/passwd');
When it is set, an error is reported and the contents are not displayed, so system directories cannot be accessed illegally:
PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3
Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3
PHP Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3
Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3
The setting method is as follows:
open_basedir=/var/www
5. Prohibit remote resource access.
allow_url_fopen=Off
allow_url_include=Off
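The five settings above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit of php.ini text that treats a missing directive as its PHP built-in default. The function names and the sample input are constructed for illustration.

```python
# Added example: audit php.ini text against the six directives discussed above.
# Boolean-off spellings accepted by PHP's ini parser.
OFF = {"off", "0", "false", "no", "none", ""}

def is_off(value):
    return value.lower() in OFF

def is_set(value):
    return value != ""

# directive -> (PHP built-in default when the directive is absent, safe-value test)
CHECKS = {
    "display_errors":    ("1", is_off),
    "expose_php":        ("1", is_off),
    "register_globals":  ("0", is_off),  # directive removed in PHP 5.4.0
    "open_basedir":      ("",  is_set),
    "allow_url_fopen":   ("1", is_off),
    "allow_url_include": ("0", is_off),
}

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip("\"'")
    return values

def audit(text):
    """Return [(directive, effective value)] for every check that fails."""
    found = parse_ini(text)
    return [(name, found.get(name, default))
            for name, (default, ok) in CHECKS.items()
            if not ok(found.get(name, default))]

# Constructed sample input, not taken from a real server.
SAMPLE = """
[PHP]
display_errors = Off   ; overridden below: the last assignment wins
expose_php = Off
register_globals = On
display_errors = On
"""

if __name__ == "__main__":
    for name, value in audit(SAMPLE):
        print(f"FAIL {name} = {value!r}")
```

Directives that are absent from the file still show up as findings when their built-in default is unsafe, which is why an empty php.ini fails four of the six checks.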
Other third party security extensions
6. Suhosin.
Suhosin is a protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core (it feels practical and can resist some small attacks). Suhosin has two independent parts, which can be used separately or together.
The first part is a patch for the PHP core, which protects against buffer overflow and format string weaknesses (this is necessary!);
The second part is a powerful PHP extension (the extension mode is very good and easy to install...), which includes all the other protection measures.
Installing the extension
wget http://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar zxvf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1/
phpize
./configure --with-php-config=/usr/local/bin/php-config
make
make install
Then add suhosin.so to php.ini:
extension=suhosin.so
Features
- Simulation mode
- Add two functions, sha256() and sha256_file(), to the PHP core
- Add CRYPT_BLOWFISH support to the crypt() function on all platforms
- Turn on transparent protection for phpinfo() page
- SQL database user protection (test phase)
Runtime protection
- Encrypt cookies
- Prevent different types of inclusion vulnerabilities (do not allow remote URL inclusion (black / white list); do not allow uploaded files; prevent directory traversal attacks)
- Allow preg_replace() to be disabled
- Allow eval() function to be disabled
- Prevent infinite recursion by configuring a maximum execution depth
- Support black and white list configuration for each vhost
- Provide separate black and white list of functions for code execution
- Prevent HTTP response splitting vulnerability
- Prevent scripts from controlling the memory_limit option
- Protect PHP's superglobals against functions such as extract() and import_request_vars()
- Prevent newline attacks on the mail() function
- Prevent attacks on preg_replace()
Session protection
- Encrypt session data
- Prevent session hijacking
- Prevent super long session id
- Prevent malicious session id
Session data is usually stored in plaintext on the server. Here, $_SESSION is encrypted and decrypted on the server. In this way, when the session handler stores data in Memcache or a database, it cannot easily be read, which matters because session data often holds sensitive fields.
This feature is enabled by default and can also be changed through php.ini:
suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
;; IPv4 only
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0
Cookie encryption
Cookies in the HTTP headers sent by the client browser are also in clear text. By encrypting cookies, you can protect your application against many attacks, such as:
- Cookie tampering: an attacker may try to guess other plausible cookie values to attack the program.
- Cross-application cookie use: improperly configured applications may share the same session store, for example when all sessions are stored in the /tmp directory by default. With encryption, the cookies of one application can never be reused for another application as long as the encryption keys are different.
Configuration of Cookie encryption in php.ini:
suhosin.cookie.encrypt = On
;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE
;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0
Test:
## By default, PHP sessions are saved under the /tmp path
ll -rt /tmp | grep sess
## View the data of a session when the extension is not enabled
cat sess_ururh83qvkkhv0n51lg17r4aj6
## The record is clear text
## View the data of a session after the extension is enabled
cat sess_ukkiiiheedupem8k4hheo0b0v4
## The record is ciphertext
We can see the importance of encryption to security.
Blocking function
White list
; Explicitly specify the whitelist
suhosin.executor.func.whitelist = htmlentities,htmlspecialchars,base64_encode
suhosin.executor.eval.whitelist = htmlentities,htmlspecialchars,base64_encode
<?php
echo htmlentities('<test>');
eval('echo htmlentities("<test>");');
Blacklist
; Explicitly specify the blacklist
suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
; Review illegal calls against the blacklist and whitelist through the log
; (in simulation mode, violations are logged but not blocked)
suhosin.simulation = 1
suhosin.log.file = 511
suhosin.log.file.name = /tmp/suhosin-alert.log
Other configuration items
- suhosin.executor.include.max_traversal: the maximum depth of directory traversal, which can block switching to illegal paths
- suhosin.executor.include.whitelist: URLs allowed for inclusion, comma separated
- suhosin.executor.include.blacklist: URLs prohibited for inclusion, comma separated
- suhosin.executor.disable_eval = On: prohibit the eval function
- suhosin.upload.max_uploads
- suhosin.upload.disallow_elf
- suhosin.upload.disallow_binary
- suhosin.upload.remove_binary
- suhosin.upload.verification_script: an upload check script that checks whether the uploaded content contains a webshell
Features
With Suhosin, you can get some error logs. You can send these logs to the system log or write them to any other log file at the same time;
It can also create a blacklist and whitelist for each virtual host;
You can filter GET and POST requests, file uploads, and cookies;
You can also send encrypted sessions and cookies, and you can set storage lines that cannot be transferred, etc;
Unlike the original PHP enhanced patch, Suhosin is compatible with third-party extensions like Zend Optimizer.