Securing PHP.ini


K1u

Last tutorial I have for you guys... I also made this one on my site a while back. Enjoy... this one is not that complete so feel free to add on knowledge.

By K1u

Your php.ini file will have to be included in every folder you wish to be affected.

There is not really that much you can do, but disabling dangerous functions is probably the most important thing to do.

These functions can easily be executed, for example:

example.com/index.php?shell_exec('cat /etc/shadow && chmod 777 /etc/shadow')

Just giving an example. You would have to be root anyways lol.

You can disable functions in your php.ini file like so:

disable_functions = funcs_to_disable

Functions that should be disabled for security:

show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, escapeshellcmd, escapeshellarg, dl

Add more on to the list if you wish.

An example of a safe and secure php.ini file would be:

register_globals = off
allow_url_fopen = off
expose_php = off
max_input_time = 60
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, escapeshellcmd, escapeshellarg, dl
; the directive is spelled magic_quotes_gpc (PHP silently ignores the misspelling magic_gpc_quotes); see the replies below on whether it should be on or off
magic_quotes_gpc = 1
display_errors = off
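As an added check (my own example code, not from the post), here is a small Python auditor that parses a php.ini and reports which of the settings above are missing or weak. The sample php.ini it runs on is constructed to look like the one in the post, including the misspelled directive magic_gpc_quotes (the real name is magic_quotes_gpc), which PHP would silently ignore.

```python
# Functions the post recommends listing in disable_functions.
DANGEROUS_FUNCTIONS = {
    "show_source", "system", "shell_exec", "passthru", "exec", "phpinfo",
    "popen", "proc_open", "escapeshellcmd", "escapeshellarg", "dl",
}
# Directives the post wants switched off.
MUST_BE_OFF = ("register_globals", "allow_url_fopen", "expose_php", "display_errors")
OFF_VALUES = {"off", "0", "false", "no", "none", ""}

# Constructed sample: a php.ini like the one in the post, including the
# misspelled directive magic_gpc_quotes (the real name is magic_quotes_gpc).
SAMPLE_INI = """\
register_globals = off
allow_url_fopen = off
expose_php = off
max_input_time = 60
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, escapeshellcmd, escapeshellarg, dl
magic_gpc_quotes = 1
display_errors = off
"""

def parse_php_ini(text):
    """Map directive -> value; ';' comments and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_php_ini(text)
    findings = []
    for directive in MUST_BE_OFF:
        if directive not in cfg or cfg[directive].lower() not in OFF_VALUES:
            findings.append(f"{directive} is not explicitly off")
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    for fn in sorted(DANGEROUS_FUNCTIONS - disabled):
        findings.append(f"{fn} is still callable: add it to disable_functions")
    if "magic_gpc_quotes" in cfg:
        findings.append("magic_gpc_quotes is not a PHP directive (did you mean magic_quotes_gpc?)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_php_ini(SAMPLE_INI)) or "no findings")
```

Point it at a real file with `audit_php_ini(open("/path/to/php.ini").read())`; it only reads the text, so it is safe to run against a live server's configuration.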

More info:

allow_url_fopen - http://us.php.net/filesystem

magic_quotes_gpc - http://forum.joomla.org/index.php?topic=90160.msg457193

Magic quotes are for noobs and should be off.

I forgot the reason I set it to 1... hmm. But turning it off will prevent many sql injections left behind by n00b programmers.

Turning it on will protect it... but fucks over user input.

Hmm... I will do some research on it to see what would be the best solution. Someone with higher knowledge, please explain what you would do, on or off.
