Security Hints for PHP/MySQL Applications
Apache Server Security
This page provides some general hints for Apache servers running PHP applications. We recommend considering them for ConfTool installations, and they are probably useful for most other productive environments with PHP and MySQL.
Access to Backup Files
It is advisable to block access to all backup files. If these are for instance PHP files, they are usually not executed and may reveal parameters like the password for your MySQL database.
To block the access to backup files with the extensions "bak", "BAK" and "~" use the following lines in your httpd.conf file:
<FilesMatch "(\.bak|\.BAK|~)$"> order deny,allow deny from all </FilesMatch>
Example:
<Directory "/home/conftool/"> # For Conftool you need none of the options directive, if you do not # use the .htaccess file, but make the conftool settings in php.ini options none
# Controls who can get stuff from this server. order deny,allow allow from all
# Prevent access to backup files! <FilesMatch "(\.bak|\.BAK|~)$"> order deny,allow deny from all </FilesMatch> </Directory>
MySQL Database Security
Limit Network Access
If not required, block network access to the MySQL database server from other hosts.
One way to limit any network access to your MySQL server is adding the parameter
skip-networking
to your MySQL configuration file "my.cnf" (usually in /etc/ or C:/Windows/). Applications now have to use a socket file to access the MySQL daemon.
If disabling network access causes compatibility issues with some of your applications, you may also use
bind-address = 127.0.0.1
to limit access to localhost only.
Update Default Root User
Many distributions install a "root" MySQL user without any password. Make sure to set a password for the "root" user after a new server installation.
From the command line call
mysql mysql -u root
In the MySQL client you have to enter two commands:
UPDATE user SET Password=PASSWORD('myNewPassword') WHERE user='root';
flush privileges;
The second command reads the new password into the MySQL server.
Alternatively you can also use the "mysqladmin tool"
mysqladmin -u root password
You will be prompted for the password.
If you get the error message
mysqladmin: connect to server at 'localhost' failed error: 'Access denied for user 'root'a'localhost' (using password: NO)'
a password for the user root is already set.
PHP Security Settings
PHP is not an "unsafe" programming language, but there are some PHP settings that are recommended to reduce the vulnerability of most PHP installations. They are set in your php.ini file, some can also be set in the Apache configuration file or your local .htaccess file. Please consider that other PHP scripts on your server might have problems with the settings recommended here.
DISABLE_FUNCTIONS
Some PHP functions can make your system vulnerable, as they provide access to system resources, parameters or files.
These are:
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, proc_nice
ConfTool makes use of two of these functions:
- "exec" is used on windows systems to check if the domain name of an email address exists. All parameters are sanitized before the function call. (The function is also used in some custom ConfTool libraries to access credit card gateways.)
- "popen" is used in the "phpmailer" library to send emails. You can alternatively use the build-in php function to send mails, but it is less powerful.
Therefore, if you use one of the features above, you should only disable the following functions in the file "php.ini":
disable_functions = show_source, system, shell_exec, passthru, phpinfo, proc_open, proc_nice
REGISTER_GLOBALS
The switch
register_globals = Off
should always be set, as otherwise all http get and post variables are directly accessible as global variables in the PHP application. This is a potential security problem for any PHP application. We do not recommend using any PHP application that requires "register_globals" to be on.
ALLOW_URL_FOPEN
allow_url_fopen = Off
This should be set for most servers. It prevents that scripts can load PHP code from other web servers, a potential security issue.
allow_url_include = Off
Since PHP 5.2 the setting allow_url_include allows to disable remote addresses for the commands "include" and "require" only. So if some of your scripts require allow_url_fopen, the above settings might be an alternative.
DISPLAY_ERRORS
display_errors = Off
This setting will turn off the output of PHP error messages to your users and possible attackers. It should always be set to "off" in a productive environment. You can (and should) still log (and analyze) errors in the server's error_log by setting:
log_errors = On
OPEN_BASEDIR
Syntax: open_basedir = "/path/to/conftool"
Limits the execution of PHP files on your Web server. Files outside the given path(s) are not executed. It is always recommended to use it and to restrict PHP to those directories where known applications reside.
Example for Windows:
open_basedir = "D:/www/conftool/;C:/Program Files/Apache Group/Apache/htdocs/"
Unix/Linux example:
open_basedir = "/home/conftool/:/srv/www/"
SAFE_MODE
safe_mode = On/Off
Safe Mode restricts the access of php scripts on your web server. It is currently not recommended to use it with ConfTool, as e.g. timeouts cannot be set and the access to uploaded files is limited. ConfTool does somehow work with safe mode, but there are many potential problems (e.g. with bulk mails).
Hardened-PHP Project
The Hardened-PHP project provides two patches / extensions for PHP that can improve the security of all PHP installations:
- The hardening patch adds security hardening features to the PHP core to protect servers against a number of well-known problems in PHP applications and against potential unknown vulnerabilities.
- Suhosin is an extension for PHP to protect servers and users from known and unknown flaws in PHP applications and the PHP core by adding new security filters and PHP security settings.
Both patches work well with ConfTool. We recommend the Suhosin extension for any productive environment running PHP applications.
Conclusion
Security is not a state but a process. As PHP and MySQL are very popular systems, always keep track of recent developments and update your server settings. If you find any potential problems in ConfTool, please contact us immediately.