Hello WJunction users,

Well, basically I'm asking for a detailed guide on the following:
Stop users overriding / bypassing the system's php.ini
I know you have to disable: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
to get a secured server.

If you really want that thing to be secure, you could use linux vservers or freebsd jails & 'lock' your users in a jail; if you install php-fpm/nginx it might be fine resources-wise... If you really want to raise the security of your server then you need to disable use of the following php functions:
Code:
eval, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, getmyuid, posix_getpwuid, posix_getgrgid, fileowner|filegroup, apache_note, apache_setenv, openlog, syslog, virtual, dl, ini_alter, get_current_user, posix_uname
The same for users' various rights/permissions with nginx + php-fpm, and use the php security module suhosin.
But keep in mind that some applications may not work with such restrictions, so you should make changes carefully.

Quote: Originally Posted by supportex (http://www.wjunction.com/18-server-management-help/100041-security.html#post1035244)
ini_alter - http://php.net/manual/en/function.ini-alter.php

Quote: Lol?

eval - http://php.net/manual/en/function.eval.php
ini_alter - http://php.net/manual/en/function.ini-alter.php
Unfortunately, very often the programmers do not check the incoming data. This allows an attacker to pass their own variables on to execution.
When there are a lot of developers on your server and you cannot control the quality of their code, but you need to keep the server secure, the best solution is to take hard management.
Also you can read the articles "PHP / SQL Security" on acunetix.com, which will help improve the security of applications.
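To tie the two halves of this thread together (the OP's "stop users overriding php.ini" question and supportex's disable list), here is an added example configuration that is not from the thread or from any poster. The pool name "alice", the home-directory paths, the socket path and the "nginx" user/group are all assumed for the example; the function list is supportex's, minus eval (see the comment in the block).

```ini
; ---- /etc/php.ini (global). Every directive below is PHP_INI_SYSTEM, so a
;      script cannot change it with ini_set()/ini_alter() or a .user.ini file.

; supportex's list, with eval deliberately left out: eval is a language
; construct, not a function, so disable_functions has no effect on it
; (Suhosin's suhosin.executor.disable_eval covers it where that module exists).
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,phpinfo,getmyuid,posix_getpwuid,posix_getgrgid,fileowner,filegroup,apache_note,apache_setenv,openlog,syslog,virtual,dl,ini_alter,get_current_user,posix_uname

; allow_url_fopen from the OP's list is an ini directive, not a function, so it
; is switched off here rather than in disable_functions; allow_url_include
; (remote file inclusion) goes with it.
allow_url_fopen = Off
allow_url_include = Off

; Do not scan for per-directory .user.ini files at all, so a user cannot
; re-enable PHP_INI_PERDIR/PHP_INI_ALL settings from inside their docroot.
user_ini.filename =

; dl() is already disabled above; this also blocks loading extensions at runtime.
enable_dl = Off
expose_php = Off

; ---- /etc/php-fpm.d/alice.conf: one FPM pool per customer (assumed name/paths).
[alice]
user = alice
group = alice
listen = /run/php-fpm/alice.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
pm = ondemand
pm.max_children = 10

; php_admin_value / php_admin_flag are fixed by the FPM master for this pool:
; scripts running in it cannot override them with ini_set(). Restating
; disable_functions here keeps the pool locked down even if the global
; php.ini is later relaxed for another customer.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,phpinfo,getmyuid,posix_getpwuid,posix_getgrgid,fileowner,filegroup,apache_note,apache_setenv,openlog,syslog,virtual,dl,ini_alter,get_current_user,posix_uname
; Confine file access to this customer's own tree (include, fopen, etc.).
php_admin_value[open_basedir] = /home/alice/public_html:/home/alice/tmp
php_admin_value[upload_tmp_dir] = /home/alice/tmp
php_admin_value[session.save_path] = /home/alice/tmp
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
```

Check the result with `php-fpm -t` (syntax) and, from a script served by the pool, `ini_get('disable_functions')` and `function_exists('system')`, which returns false for a disabled function. Two caveats a practitioner would want: per-pool `disable_functions` can only add to the global list, never remove from it, so keep the global list as the baseline; and Suhosin, which the thread recommends, is a PHP 5-era module with no release for PHP 7 or 8, so on current PHP there is no configuration switch for eval and the only defences are code review and the open_basedir/pool separation above.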