BuycPanel Blog

PHP Security Concepts (Part 2)

Posted by Allura on 14 08 2018.

Introduction

If the applications on your server are written in PHP, a misconfigured PHP runtime exposes them to a range of attacks: file inclusion, uploads of attacker-controlled executable scripts, and error messages that leak system details. The settings below, all reachable through WHM's PHP Configuration Editor, limit what an attacker can learn about your server and what they can do to it.

Prevent information disclosure

Error messages can reveal crucial details about your system: database names, usernames, file paths and the directory structure. Attackers collect such details to plan the next step of an attack. You can limit what an outsider learns by making sure PHP errors are never shown in the application's user interface, only written to a log file on the server.

You can stop error messages from being displayed by switching off the display_errors directive. It is available in the Advanced Mode section of WHM's PHP Configuration Editor, located at WHM > Home > Service Configuration > PHP Configuration Editor. Keep log_errors switched on at the same time so the same messages still reach the server's error log, where you, and not your visitors, can read them.
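The same hardening expressed from inside a script, as an added example that is not part of the original post. The php.ini values set through WHM remain the authoritative ones; the ini_set() calls simply let one file show the effect. The log path, the DSN and the account name are constructed for the illustration.

```php
<?php
// Added example, not from the original post: the display_errors hardening
// applied from inside a script, so its effect can be seen in one file.
// The php.ini values set through WHM remain the authoritative ones:
//   display_errors = Off
//   log_errors     = On
//   error_log      = /home/example/logs/php_errors.log   (assumed path)
declare(strict_types=1);

ini_set('display_errors', '0');   // the weak setting is '1': errors are printed to the visitor
ini_set('log_errors', '1');
ini_set('error_log', '/home/example/logs/php_errors.log');   // assumed path

// Promote warnings and notices to exceptions so no raw PHP message reaches the page.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Whatever escapes is logged with a reference id; the visitor only sees that id.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred (reference ' . $ref . ').';
});

// Constructed failure of the kind that leaks: the message carries the database
// name, the account and (through the stack trace) absolute paths on the server.
$dsn = 'mysql:host=127.0.0.1;dbname=shop_prod';
throw new RuntimeException("Could not connect to $dsn as user shop_rw");
```

With display_errors left at its weak value and no handlers installed, the uncaught exception is rendered in the browser together with the DSN, the account name and the absolute path of the script. With the configuration above the visitor receives a generic message and a reference id, and the detail is only in the log, where the id lets you find it.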

Restrict file uploads

Vulnerable servers are often compromised through malicious file uploads: the attacker uploads a PHP script and then requests it through the web server so that it runs with the privileges of the site. If none of your sites need to accept uploads, you can remove the capability from PHP altogether.

To do so, deactivate the file_uploads directive in the Advanced Mode section of the PHP Configuration Editor, located at WHM > Home > Service Configuration > PHP Configuration Editor. Be aware that this is a global switch: any site on the server that legitimately accepts uploads (image galleries, attachments, CMS media libraries) will stop working. Where uploads are required, validate them in the application instead, store them outside the document root and never let the web server execute anything from the upload directory.
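For servers where file_uploads has to stay on, the following is an added example (not code from the original post) of the validation that replaces the global switch: the careless handler beside a hardened one. The directory paths and the content-type allow-list are assumptions for the illustration.

```php
<?php
// Added example, not from the original post: a hardened upload handler for
// servers where file_uploads must stay On. Paths and allow-list are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/home/example/uploads';   // assumed: outside public_html
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

// VULNERABLE pattern: trusts the client-supplied name and type and writes into
// the web root, so "shell.php" lands at a URL the attacker can request.
function save_upload_insecure(array $f): string
{
    $dest = '/home/example/public_html/uploads/' . $f['name'];   // assumed path
    move_uploaded_file($f['tmp_name'], $dest);
    return $dest;
}

// HARDENED: checks the upload status, sniffs the real content type, chooses the
// extension itself and stores the file under a random name outside the web root.
function save_upload(array $f): string
{
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: code ' . $f['error']);
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($f['size'] > MAX_BYTES || filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Never trust $f['type']; it is sent by the client. Inspect the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("content type $mime not permitted");
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $name;         // serve it through a download script, not a direct URL
}

if (isset($_FILES['document'])) {
    try {
        echo 'stored as ' . save_upload($_FILES['document']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected.';
        error_log($e->getMessage());   // detail goes to the log, not the visitor
    }
}
```

The content sniff and the server-chosen extension together stop a script disguised as an image from ever being saved with a .php name; keeping the directory outside the document root means that even a mistake in the allow-list cannot turn into code execution, because nothing in that directory is reachable by URL.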

Protect sessions

Sometimes an attacker will try to hijack a user's session: the attacker steals the identifier of a logged-in user's web application session and then acts on behalf of that user. PHP generates random session identifiers so that they cannot be guessed, and keeps the session data itself on the server's filesystem; only the identifier travels to the browser, normally in a cookie. If an attacker can inject JavaScript into one of your pages (cross-site scripting), that script can read the cookie and send the session ID to the attacker.

You can keep scripts away from the session cookie with the session.cookie_httponly directive, found under the Advanced Mode section of WHM's PHP Configuration Editor (WHM > Home > Service Configuration > PHP Configuration Editor). With it enabled the browser still attaches the cookie to every request but refuses to expose it to JavaScript. It is a mitigation, not a fix for the injection flaw: injected script can still issue requests from the victim's browser, and the cookie goes along with them.
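An added example, not from the original post, of a session set up with the cookie flags these directives control, together with the id regeneration at login that makes a stolen or pre-set identifier useless. The user id and session lifetime are constructed values; credential checking is assumed to happen elsewhere.

```php
<?php
// Added example, not from the original post. Starts a session with the cookie
// flags the directives control and regenerates the id at login.
// Equivalent php.ini lines:
//   session.cookie_httponly  = 1
//   session.cookie_secure    = 1
//   session.use_only_cookies = 1
//   session.use_strict_mode  = 1
declare(strict_types=1);

function start_secure_session(): void
{
    session_start([
        'cookie_httponly'  => true,   // document.cookie cannot read it
        'cookie_secure'    => true,   // only sent over HTTPS
        'cookie_samesite'  => 'Lax',  // PHP >= 7.3; limits cross-site sending
        'use_only_cookies' => true,   // never accept ?PHPSESSID=... in the URL
        'use_strict_mode'  => true,   // reject ids the server did not issue
        'gc_maxlifetime'   => 1800,   // assumed: 30 minutes idle lifetime
    ]);
}

// Call only after the credentials have been verified (verification assumed elsewhere).
function login_user(int $userId): void
{
    session_regenerate_id(true);        // fresh id; the old one is deleted
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_secure_session();
```

use_strict_mode and the regeneration at login are what defeat session fixation (an attacker handing the victim an id the attacker already knows); cookie_httponly alone only addresses theft through script access to the cookie.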

Disable register globals

With register_globals enabled, PHP turns every request parameter (query string, POST body, cookie) into a global variable of the same name before the script runs. A script that reads a variable it has not first assigned, for example a flag that is only set after a successful login, can then have that variable supplied by the attacker in the request and open parts of the application that are normally restricted. Turn the register_globals directive off in WHM's Advanced Mode section to prevent this. The directive was removed from PHP in version 5.4, so it only exists on servers still running older PHP; on those, keep it off and plan the upgrade.
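The bypass and the coding pattern that survives it, as an added example that is not part of the original post. register_globals itself no longer exists on current PHP, so the script reproduces its effect with extract($_GET), which is exactly what the directive did implicitly (and is an anti-pattern in its own right). The user table and the request are constructed samples.

```php
<?php
// Added example, not from the original post. register_globals injected request
// parameters as globals before the script ran; extract($_GET) below reproduces
// that behaviour on a modern PHP so the bypass can be observed.
declare(strict_types=1);

$users = ['alice' => 'correct horse'];   // constructed; real code stores password hashes

// Constructed request: the attacker sends ?user=eve&pass=x&authorized=1
$_GET = ['user' => 'eve', 'pass' => 'x', 'authorized' => '1'];

// --- VULNERABLE (what register_globals = On did for every request) ---
extract($_GET);                           // $user, $pass and $authorized now exist
if (isset($users[$user]) && $users[$user] === $pass) {
    $authorized = true;
}
// $authorized is never reset on failure, so the injected '1' survives the check.
echo 'insecure: ', ($authorized ? 'ADMIN' : 'denied'), PHP_EOL;

// --- HARDENED ---
unset($user, $pass, $authorized);         // discard anything the request injected
$authorized = false;                       // every decision variable initialised
$user = (string) ($_GET['user'] ?? '');   // input read only from the superglobal
$pass = (string) ($_GET['pass'] ?? '');
if (isset($users[$user]) && hash_equals($users[$user], $pass)) {
    $authorized = true;
}
echo 'hardened: ', ($authorized ? 'ADMIN' : 'denied'), PHP_EOL;
```

The first echo grants admin access although the credentials are wrong; the second denies it. The two habits that make the difference, initialising every variable before use and reading input only from $_GET, $_POST and $_COOKIE, remain worth keeping after the directive is gone, because extract() on request data recreates the same hole.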

Conclusion

Protect your PHP applications from these classes of exploit by combining the options above: hide error details from visitors, limit file uploads, keep session cookies away from scripts and disable register_globals.