Status
Not open for further replies.

VS-03

Hello WJunction users,

Well, basically I'm asking for a detailed guide on the following:

Stop users overriding / bypassing the system's php.ini

I know you have to disable show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open and allow_url_fopen to get a secured server.
 
4 comments
If you really want that thing to be secure, you could use Linux vservers or FreeBSD jails & 'lock' your users in a jail; if you install php-fpm/nginx it might be fine resource-wise...
 
If you really want to raise security of your server then you need to disable use of following php functions:
Code:
eval, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, getmyuid, posix_getpwuid, posix_getgrgid, fileowner|filegroup, apache_note, apache_setenv, openlog, syslog, virtual, dl, ini_alter, get_current_user, posix_uname

Separate users with their own rights and permissions using nginx + php-fpm, and use the PHP security module Suhosin.
But keep in mind that some applications may not work with such restrictions, so make changes carefully.
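A php-fpm per-user pool along the lines this comment suggests, written for this thread as an added example (not posted by anyone here): each site runs under its own Unix user, and the hardening settings are applied with php_admin_value / php_admin_flag, which ini_set(), .user.ini and .htaccess cannot override. The pool name, user, socket and paths are assumptions; the function list is the one from this thread minus eval, which is a language construct and is not affected by disable_functions.

```ini
; /etc/php/<version>/fpm/pool.d/alice.conf  (path and pool name are assumptions)
[alice]
user = alice
group = alice
listen = /run/php/alice.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; php_admin_value / php_admin_flag are locked: ini_set(), .user.ini and
; .htaccess cannot change them, so the user cannot bypass the settings below.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,show_source,phpinfo,dl,ini_alter,parse_ini_file,getmyuid,posix_getpwuid,posix_getgrgid,fileowner,filegroup,apache_note,apache_setenv,openlog,syslog,virtual,get_current_user,posix_uname
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_flag[expose_php] = off
; keep file access inside the user's own tree
php_admin_value[open_basedir] = /home/alice/public_html:/tmp
php_admin_value[upload_tmp_dir] = /home/alice/tmp
php_admin_value[session.save_path] = /home/alice/sessions

; php_value can still be overridden by the user's scripts; use it only for
; settings you are happy to let them change.
php_value[memory_limit] = 128M
```

Point the site's nginx server block at the pool's socket (`fastcgi_pass unix:/run/php/alice.sock;`), and if you also want to switch off per-directory `.user.ini` files entirely, set `user_ini.filename =` (empty) in the global php.ini. Note that ini_alter is only an alias of ini_set(), and show_source an alias of highlight_file(), so listing one name of such a pair without the other leaves the other callable.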
 
If you really want to raise security of your server then you need to disable use of following php functions:
Code:
eval, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, getmyuid, posix_getpwuid, posix_getgrgid, fileowner|filegroup, apache_note, apache_setenv, openlog, syslog, virtual, dl, ini_alter, get_current_user, posix_uname

Lol?

eval - http://php.net/manual/en/function.eval.php
ini_alter - http://php.net/manual/en/function.ini-alter.php
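An audit script to run through each pool, added here as an illustration (not code posted by anyone in the thread), that reports which of the names above are actually unavailable in the running SAPI. It shows the point the two links make: eval is a language construct, so it is never in the function table and disable_functions cannot remove it, and ini_alter() is an alias of ini_set(), so disabling one leaves the other callable. The name lists are constructed for the example.

```php
<?php
// audit_disable_functions.php: added example for this thread, not a poster's code.
// Run it through the SAPI you want to check (a php-fpm pool via the web server,
// or php-cli); each SAPI reads its own php.ini, so a CLI result says nothing
// about what an FPM pool allows.
declare(strict_types=1);

// Names people put in disable_functions (constructed from the lists in this thread).
$wanted = ['eval', 'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
           'show_source', 'phpinfo', 'dl', 'ini_alter', 'parse_ini_file', 'posix_uname'];

// Language constructs: they are not in the function table, so disable_functions
// silently ignores them and function_exists() always returns false for them.
$constructs = ['eval', 'include', 'include_once', 'require', 'require_once',
               'isset', 'unset', 'empty', 'echo', 'print', 'exit', 'die'];

// Aliases: disabling one name does nothing to the other.
$aliases = ['ini_alter' => 'ini_set', 'show_source' => 'highlight_file'];

function auditDisableFunctions(array $wanted, array $constructs, array $aliases): array
{
    $report = [];
    foreach ($wanted as $name) {
        if (in_array($name, $constructs, true)) {
            $report[$name] = 'language construct: disable_functions cannot cover it';
        } elseif (function_exists($name)) {
            // function_exists() returns false for functions removed by disable_functions
            $report[$name] = 'CALLABLE: not disabled in this SAPI';
        } else {
            $report[$name] = 'disabled';
        }
        if (isset($aliases[$name]) && function_exists($aliases[$name])) {
            $report[$name] .= sprintf(' (alias %s() is still callable)', $aliases[$name]);
        }
    }
    return $report;
}

// disable_functions is PHP_INI_SYSTEM: a script must not be able to change it.
// ini_set() returns false when a setting cannot be changed at runtime.
function runtimeOverridePossible(): bool
{
    if (!function_exists('ini_set')) {
        return false; // ini_set itself is disabled in this pool
    }
    return ini_set('disable_functions', '') !== false;
}

printf("SAPI: %s, disable_functions = \"%s\"\n", PHP_SAPI, (string) ini_get('disable_functions'));
foreach (auditDisableFunctions($wanted, $constructs, $aliases) as $name => $status) {
    printf("%-16s %s\n", $name, $status);
}
printf("runtime override: %s\n", runtimeOverridePossible() ? 'POSSIBLE (misconfigured)' : 'blocked');
```

Drop the script into a site's document root, request it once through the web server for that pool, then delete it; any line marked CALLABLE means the pool's php_admin_value[disable_functions] is missing that name, and the eval line is a reminder that only code review, open_basedir and per-user isolation limit what a script can do with eval.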
 

Unfortunately, very often programmers do not check incoming data. This allows an attacker to pass their own variables through to execution.
When there are a lot of developers on your server and you cannot control the quality of their code, but you still need to keep the server secure, the best solution is strict management.

Also, you can read the "PHP / SQL Security" articles on acunetix.com, which will help improve the security of the applications.
 