Anyone running a virtual server, a dedicated server, or web hosting with administrative access to php.ini should not simply rely on the default settings as shipped, but should check their own settings before launch. In many cases settings such as register_globals or allow_url_fopen are enabled and pose a security risk to your own application.
There is no universally "secure" php.ini, and certain settings have to be adapted to your own application, but an analysis with the PhpSecInfo tool can serve as a source of initial hints and explanations. A few important additions can be found at the end of this post.
Example analysis
| Directive | Result | Current Value | Recommended Value | Explanation |
|---|---|---|---|---|
| allow_url_fopen | Pass | 0 | 0 | allow_url_fopen is disabled, which is the recommended setting |
| allow_url_include | Pass | 0 | 0 | allow_url_include is disabled, which is the recommended setting |
| display_errors | Pass | 0 | 0 | display_errors is disabled, which is the recommended setting |
| expose_php | Pass | 0 | 0 | expose_php is disabled, which is the recommended setting |
| file_uploads | Pass | 0 | 0 | file_uploads are disabled. Unless you're sure you need them, this is the recommended setting |
| magic_quotes_gpc | Pass | 0 | 0 | magic_quotes_gpc is disabled, which is the recommended setting |
| memory_limit | Pass | 8388608 | 8388608 | memory_limit is enabled, and appears to be set to a realistic value. |
| open_basedir | Pass | /var/www/my_app/ | 1 | open_basedir is enabled, which is the recommended setting. Keep in mind that other web applications not written in PHP will not be restricted by this setting. |
| post_max_size | Pass | 3MB | 262144 | post_max_size is enabled, and appears to be a relatively low value |
| register_globals | Pass | 0 | 0 | register_globals is disabled, which is the recommended setting |
| upload_max_filesize | Pass | 262144 | 262144 | upload_max_filesize is enabled, and appears to be a relatively low value. |
| upload_tmp_dir | Notice | /tmp () | A non-world readable/writable directory | upload_tmp_dir is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access temporary copies of files uploaded via your PHP scripts. You should set upload_tmp_dir to a non-world-readable directory |
Useful additions
- disable_functions = eval exec passthru popen proc_open shell_exec system get_defined_functions dl apache_get_modules apache_get_version apache_getenv apache_setenv fsockopen highlight_file ini_alter ini_restore phpinfo show_source symlink tmpfile rmdir
- open_basedir = [path to the directory of the web server / virtual host]
- safe_mode = On
- short_open_tag = Off
- session.use_only_cookies = 1
- session.cookie_httponly = 1
- session.name = my_app
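The report above and the list of additions together form a baseline you can check against before launch, without installing PhpSecInfo on the target host. The script below is an added example (not code from the original post and not part of PhpSecInfo): it reads a php.ini file offline, normalises php.ini booleans and shorthand sizes (so that "256K" and "262144" compare equal), and reports Pass / Fail / Notice per directive in the style of the report. Directive names and recommended values are taken from the page; register_globals, magic_quotes_gpc and safe_mode are treated as legacy directives that PHP 5.4 and later no longer know, so they are only checked when the file still sets them. The sample php.ini at the bottom, the `WORLD_WRITABLE` set and the helper names are assumptions constructed for this example.

```python
# Added example, not from the original post or from PhpSecInfo: offline check of a
# php.ini against the baseline from the report and the "Useful additions" list.
import re
from typing import Dict, List, Optional, Tuple

# Boolean directives and their recommended value (False = Off/0, True = On/1).
BOOL_BASELINE = {
    "allow_url_fopen": False, "allow_url_include": False, "display_errors": False,
    "expose_php": False, "file_uploads": False, "short_open_tag": False,
    "session.use_only_cookies": True, "session.cookie_httponly": True,
}
# Removed in PHP 5.4: only checked when an (old) php.ini still sets them.
LEGACY_BASELINE = {"register_globals": False, "magic_quotes_gpc": False, "safe_mode": True}
# Upper bounds in bytes, as the report prints its recommended values.
SIZE_BASELINE = {"post_max_size": 262144, "upload_max_filesize": 262144,
                 "memory_limit": 8388608}
# disable_functions entries from the list above. eval is left out on purpose: it is a
# language construct, not a function, so disable_functions cannot switch it off.
DISABLED_FUNCS = {
    "exec", "passthru", "popen", "proc_open", "shell_exec", "system",
    "get_defined_functions", "dl", "apache_get_modules", "apache_get_version",
    "apache_getenv", "apache_setenv", "fsockopen", "highlight_file", "ini_alter",
    "ini_restore", "phpinfo", "show_source", "symlink", "tmpfile", "rmdir",
}
# Shared world-writable directories the upload_tmp_dir notice refers to (assumption).
WORLD_WRITABLE = {"/tmp", "/var/tmp"}

Finding = Tuple[str, str, str, str]  # (directive, status, current, recommended)


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: ';' comments and [sections] skipped, quotes stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def ini_bool(value: str) -> Optional[bool]:
    """php.ini truthiness: On/True/Yes/1 are true, Off/False/No/None/'' are false."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return True
    if v in ("", "0", "off", "false", "no", "none"):
        return False
    return None  # unrecognised spelling: let the caller flag it


# PHP documents the K/M/G suffixes; a trailing "B" as in the report's "3MB" is tolerated.
_SIZE_RE = re.compile(r"^\s*(\d+)\s*([kmg]?)b?\s*$", re.IGNORECASE)


def ini_bytes(value: str) -> Optional[int]:
    """Shorthand size to bytes; '-1' (unlimited) or junk gives None."""
    m = _SIZE_RE.match(value)
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[m.group(2).lower()]


def check_php_ini(text: str) -> List[Finding]:
    ini = parse_php_ini(text)
    findings: List[Finding] = []
    for name, want in {**BOOL_BASELINE, **LEGACY_BASELINE}.items():
        rec = "1" if want else "0"
        if name not in ini:
            if name not in LEGACY_BASELINE:  # compiled-in default applies: set it explicitly
                findings.append((name, "Notice", "(not set)", rec))
            continue
        findings.append((name, "Pass" if ini_bool(ini[name]) == want else "Fail", ini[name], rec))
    for name, limit in SIZE_BASELINE.items():
        if name not in ini:
            findings.append((name, "Notice", "(not set)", str(limit)))
            continue
        size = ini_bytes(ini[name])
        ok = size is not None and size <= limit
        findings.append((name, "Pass" if ok else "Fail", ini[name], str(limit)))
    base = ini.get("open_basedir", "")
    findings.append(("open_basedir", "Pass" if base else "Fail", base or "(not set)",
                     "directory of the web server / virtual host"))
    tmp = ini.get("upload_tmp_dir", "").rstrip("/")
    findings.append(("upload_tmp_dir", "Pass" if tmp and tmp not in WORLD_WRITABLE else "Notice",
                     tmp or "(not set)", "a non-world readable/writable directory"))
    listed = {f for f in re.split(r"[,\s]+", ini.get("disable_functions", "")) if f}
    still_enabled = sorted(DISABLED_FUNCS - listed)
    findings.append(("disable_functions", "Fail" if still_enabled else "Pass",
                     ("still enabled: " + ", ".join(still_enabled)) if still_enabled else "all listed",
                     "all functions from the list above"))
    return findings


def failing_directives(text: str) -> List[str]:
    """Sorted names of directives whose status is not Pass."""
    return sorted(name for name, status, _, _ in check_php_ini(text) if status != "Pass")


SAMPLE_INI = """\
; constructed sample for this example, not a real server's php.ini
[PHP]
allow_url_fopen = On
allow_url_include = Off
display_errors = Off
expose_php = Off
file_uploads = Off
register_globals = Off
magic_quotes_gpc = Off
short_open_tag = Off
post_max_size = 8M
upload_max_filesize = 256K
memory_limit = 8M
open_basedir = "/var/www/my_app/"
upload_tmp_dir = /tmp
disable_functions = exec,passthru,shell_exec,system,popen,proc_open
[Session]
session.use_only_cookies = 1
session.cookie_httponly = 1
"""

if __name__ == "__main__":
    for name, status, current, recommended in check_php_ini(SAMPLE_INI):
        print(f"{status:6} {name:24} current={current!r:34} recommended={recommended}")
```

Run it against your own file with `check_php_ini(open("/etc/php/php.ini").read())` (path is an assumption; use `php --ini` to find the loaded one). A directive that is missing from the file is reported as Notice rather than Pass, because the value then comes from the compiled-in default, which is exactly the "delivery state" the post warns against relying on.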