Hiding PHP

You can also hide, or at least obscure, the fact that you're using PHP to drive your site. Use the expose_php directive to prevent PHP version details from being appended to your Web server signature. Block access to phpinfo() to prevent attackers from learning your software version numbers and other key bits of information. Change document extensions to make it less obvious that pages map to PHP scripts.

expose_php = On | Off
Scope: PHP_INI_SYSTEM; Default value: On

When enabled, the expose_php directive appends PHP's details to the server signature. For example, if ServerSignature is enabled, ServerTokens is set to Full, and this directive is enabled, the relevant component of the server signature would look like this:

--------------------------------------------

When expose_php is disabled, the server signature will look like this:

--------------------------------------------

Remove All Instances of phpinfo() Calls

The phpinfo() function is a great tool for viewing a summary of PHP's configuration on a given server. Left unprotected on the server, however, the information it provides is a gold mine for attackers: it reports the operating system, the PHP and Web server versions, the configuration flags, and a detailed list of all available extensions and their versions. Leaving this information accessible to an attacker greatly increases the likelihood that a potential attack vector will be revealed and subsequently exploited. Unfortunately, many developers appear to be either unaware of or unconcerned with such disclosure: typing phpinfo.php into a search engine yields roughly 336,000 results, many of which point directly to a file executing phpinfo(), and therefore offering a bevy of information about the server.

A quick refinement of the search criteria to include other key terms narrows the initial results to a subset (old, vulnerable PHP versions) that would serve as prime candidates for attack because they run known insecure versions of PHP, Apache, IIS, and various supported extensions. Allowing others to view the output of phpinfo() is essentially equivalent to handing the general public a road map to many of your server's technical characteristics and shortcomings. Don't fall victim to an attack simply because you're too lazy to remove or protect this file.

Change the Document Extension

PHP-enabled documents are often easily recognized by their unique extensions, the most common of which are .php, .php3, and .phtml. Did you know that this can easily be changed to any other extension you wish, even .html, .asp, or .jsp? Just extend the line in your httpd.conf file that reads

AddType application/x-httpd-php .php

with whatever extension you please, for example

AddType application/x-httpd-php .asp

Of course, you'll need to be sure that this does not cause a conflict with other installed server technologies.
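A small audit script that checks all three points above on a server you administer: whether expose_php is effectively On, which scripts under the document root still call phpinfo(), and which extensions httpd.conf hands to the PHP handler. This is an added example, not the book's code; the php.ini, httpd.conf and document root it inspects are constructed inline in make_samples(), and the only assumptions are PHP's own ini rules (';' starts a comment, the last assignment wins, On/1/true/yes mean enabled, a missing directive takes the default of On).

```shell
#!/bin/sh
# Audit script for the three disclosures described above: expose_php left On,
# phpinfo() calls in the document root, and the extensions Apache maps to PHP.
# Added example, not the book's code; the sample files it checks are
# constructed inline in make_samples().

# expose_php_enabled INI: succeed if the effective expose_php setting is On.
# Lines starting with ';' are php.ini comments; the last assignment wins;
# PHP accepts On, 1, true and yes as enabled; a missing directive means the
# default, which is On.
expose_php_enabled() {
    val=$(grep -i '^[[:space:]]*expose_php[[:space:]]*=' "$1" | tail -n 1 \
          | cut -d= -f2 | tr -d '[:space:]"' | tr '[:upper:]' '[:lower:]')
    [ -z "$val" ] && return 0
    case "$val" in on|1|true|yes) return 0 ;; *) return 1 ;; esac
}

# count_phpinfo_calls DIR: number of PHP scripts under DIR that call phpinfo().
count_phpinfo_calls() {
    find "$1" -type f \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \) \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null | wc -l | tr -d ' '
}

# php_extensions CONF: extensions mapped to the PHP handler via AddType,
# one per line (Apache directive names are case-insensitive, hence tolower).
php_extensions() {
    awk 'tolower($1) == "addtype" && tolower($2) == "application/x-httpd-php" {
             for (i = 3; i <= NF; i++) print $i }' "$1"
}

# make_samples: build a constructed php.ini, httpd.conf and docroot; print dir.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs"
    printf ';expose_php = Off\nexpose_php = On\n' > "$d/php.ini"
    printf 'AddType application/x-httpd-php .php .asp\n' > "$d/httpd.conf"
    printf '<?php phpinfo(); ?>\n' > "$d/htdocs/info.php"
    printf '<?php echo "hello"; ?>\n' > "$d/htdocs/index.php"
    echo "$d"
}

dir=$(make_samples)
if expose_php_enabled "$dir/php.ini"; then
    echo "WARN: expose_php is On; PHP version appears in the server signature"
fi
echo "phpinfo() callers under htdocs: $(count_phpinfo_calls "$dir/htdocs")"
echo "extensions handled as PHP: $(php_extensions "$dir/httpd.conf" | tr '\n' ' ')"
rm -rf "$dir"
```

Point the three functions at your real php.ini, document root and httpd.conf instead of the constructed samples to audit a live server.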