BuycPanel Blog

PHP Security Concepts

Posted by Allura on 13 08 2018.

Introduction

Web applications written in PHP may contain loopholes that external parties can exploit. Your system might be exposed to the following kinds of vulnerability:

  • Error messages that reveal sensitive details about your system
  • Executable files that have not been verified
  • Functions meant for a development server environment running in a production server environment

You can improve the security of your server’s PHP settings using the options listed below.

Restrict file inclusion attacks

Web applications that include scripts and files often contain a file-inclusion vulnerability that malicious users can use to gain access to your system. Some applications do not validate the arguments of their require and include statements, and may take the filename directly from a request parameter. A file on the server may then be replaced by a rogue file with a similar name. There are two types of file inclusion attack: Remote File Inclusion (RFI) and Local File Inclusion (LFI).

Local File Inclusion attacks

An attacker might feed local files through a PHP script so that restricted information about your server is revealed.

You can use the open_basedir feature to limit the impact of local file inclusion vulnerabilities in PHP scripts. The option is in WHM’s PHP open_basedir Tweak interface, at WHM > Home > Security Center > PHP open_basedir Tweak. It keeps a PHP script from opening files outside its permitted directory tree, which stops an attacker from reaching your system’s directories through a local file inclusion.

Remote File Inclusion attacks

Files on your server can be accessed from a remote location by a malicious user. The attacker may upload a PHP script to your server and then use the inclusion loophole to gain access through remote inclusion. With faulty PHP settings, the attacker can run harmful programs from their own systems and may be able to bypass the read and write permissions on your system.

To avoid such exploits, you can deactivate the allow_url_include and allow_url_fopen options. They are available within WHM’s PHP Security Concepts interface under the Advanced Mode section. Go to WHM > Home > Service Configuration > PHP Configuration Editor.
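The LFI and RFI sections above both come down to the same coding mistake: a request value reaching include(). The following is an added example, not code from the original post or from WHM, showing that pattern beside a hardened page loader that maps a validated key to a fixed file and confirms the resolved path stays under one directory. The template directory and page names are assumptions.

```php
<?php
// Added example (not from the original post): a page loader in its
// vulnerable form and in a hardened form. TEMPLATE_DIR and ALLOWED_PAGES
// are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: the request value flows straight into include(),
// so it can name any readable local file or, when allow_url_include is
// On, a remote location.
function loadPageVulnerable(string $page): void
{
    include $page;
}

// Hardened pattern: a short key is checked against an allow-list, the
// path is built by the application, and the resolved path is verified.
const TEMPLATE_DIR  = __DIR__ . '/templates';          // assumption
const ALLOWED_PAGES = ['home', 'about', 'contact'];    // assumption

function resolvePage(string $page): ?string
{
    // 1. Strict allow-list: only known page keys are accepted, so
    //    traversal sequences or URL schemes never get further.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. The request value is only ever a key; the path is ours.
    $candidate = TEMPLATE_DIR . '/' . $page . '.php';

    // 3. Defence in depth: realpath() collapses ../ and symlinks and
    //    returns false for missing files. The result must sit inside
    //    TEMPLATE_DIR, which mirrors what open_basedir enforces globally.
    $real = realpath($candidate);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function loadPageHardened(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage, e.g. in index.php:
//   loadPageHardened((string) ($_GET['page'] ?? 'home'));
```

The allow-list alone already closes the hole; the realpath() check is there so that a later refactor which loosens step 1 (say, accepting a sub-directory in the key) still cannot escape the template directory. Setting open_basedir as described above gives the same guarantee for every script on the server rather than only the ones written this carefully.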

The disable_functions directive

We recommend that you deactivate PHP functions that your developers do not use. In a production environment they can be harmful, because an attacker who finds a way to call them gains their capabilities.

Enter the functions you want to deactivate into the disable_functions text box. It is available under the Advanced Mode section of WHM’s PHP Security Concepts interface.
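Once the settings above have been changed in WHM, it is worth confirming what PHP actually sees, since the CLI and the web SAPI can load different configuration. The script below is an added example, not part of the original post or of WHM; it reads the effective values with ini_get() and flags each of the settings this article covers (allow_url_include, allow_url_fopen, open_basedir, disable_functions, and display_errors for the "error messages containing sensitive data" point). The list of functions it expects in disable_functions is an assumption; adapt it to what your developers use.

```php
<?php
// Added example (not from the original post): audit the effective PHP
// settings discussed in this article and print OK/FAIL per setting.
// EXPECTED_DISABLED is an assumption, not a WHM default.

declare(strict_types=1);

const EXPECTED_DISABLED = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'];

// ini_get() yields "" or "0" for Off and "1"/"On" for On; normalise to bool.
function iniIsOn(string $name): bool
{
    $v = ini_get($name);
    return $v !== false && filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

/** @return array<string, array{ok: bool, value: string, advice: string}> */
function auditPhpSettings(): array
{
    $results = [];

    // Remote File Inclusion: both options should be Off.
    foreach (['allow_url_include', 'allow_url_fopen'] as $name) {
        $on = iniIsOn($name);
        $results[$name] = [
            'ok'     => !$on,
            'value'  => $on ? 'On' : 'Off',
            'advice' => "Set $name = Off in the PHP Configuration Editor",
        ];
    }

    // Local File Inclusion: open_basedir should be set to a restricted tree.
    $basedir = (string) ini_get('open_basedir');
    $results['open_basedir'] = [
        'ok'     => $basedir !== '',
        'value'  => $basedir === '' ? '(unset)' : $basedir,
        'advice' => 'Enable the PHP open_basedir Tweak so scripts cannot open files outside their directory',
    ];

    // disable_functions: every function we expect to be blocked must be listed.
    $disabled = array_values(array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions')))));
    $missing  = array_values(array_diff(EXPECTED_DISABLED, $disabled));
    $results['disable_functions'] = [
        'ok'     => $missing === [],
        'value'  => $disabled === [] ? '(none)' : implode(',', $disabled),
        'advice' => 'Add to disable_functions: ' . implode(', ', $missing),
    ];

    // Error messages with sensitive data: do not display them in production.
    $display = iniIsOn('display_errors');
    $results['display_errors'] = [
        'ok'     => !$display,
        'value'  => $display ? 'On' : 'Off',
        'advice' => 'Set display_errors = Off and keep log_errors = On instead',
    ];

    return $results;
}

foreach (auditPhpSettings() as $name => $r) {
    printf("%-18s %-4s %s%s\n",
        $name,
        $r['ok'] ? 'OK' : 'FAIL',
        $r['value'],
        $r['ok'] ? '' : '  -> ' . $r['advice']);
}
```

Run it as `php audit.php` for the CLI view, and also place it briefly under the web root and request it through the web server, because the web SAPI (and any per-account php.ini) is the configuration that matters for the attacks described above; remove it again afterwards. The CLI commonly has display_errors enabled by default, so a FAIL on that line from the command line is expected and only significant when it also appears under the web SAPI.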

Conclusion

Ensure that your system is protected by tweaking the PHP-related settings. The vulnerabilities described above can be overcome using the various options available in WHM’s Advanced Mode.