PHP Configuration Hardening


Posted: by Ben Fuhrmannek   |   Auf Deutsch lesen   |  More posts about Blog PHP

Background

Among the most tedious tasks of PHP security testing is the check for insecure PHP configuration. As a successor of our PHP Security Poster, we have created a script to help system administrators as well as security professionals to assess the state of php.ini and related topics as quickly and as thoroughly as possible. For later reference, the script is called "PHP Secure Configuration Checker" , or pcc.

Inspiration and previous work

  • phpinfo(): Just like phpinfo() the pcc is supposed to give a brief overview of security related configuration issues.
  • phpsecinfo: This is an alternative project that appears to have been discontinued in 2007.
  • SektionEins PHP Security Poster (2009-2011): Some text snippets and recommendations of our own work we put into the popular poster have been reused.

Ideas, Features and Software Design

  • One single file for easy distribution: In respect to an update process and access restrictions, a single file can be handled easier than a whole web application monster.
  • Simple tests for each security related ini entry: Testing php.ini on a live system is the main aspect of this project. Each entry is supposed to be checked or otherwise actively ignored.
  • A few other tests: pcc is not restricted to php.ini checks. Other ideas can be implemented as well.
  • Compatibility: PHP 5.4 is supposed to work. Older PHP versions are not supposed to be used in the wild anyway.
  • NO complicated/overengineered code, e.g. no classes/interfaces, test-frameworks, libraries, ...: In most cases, a recommendation is based on a simple boolean decision, e.g. is it 1 or is it 0. The corresponding code is supposed to reflect this simplicity. Also, simple code leads to fewer programming errors.
  • Novice factor: The result is supposed to help secure the PHP environment. There is no need to obfuscate, encrypt or hide the code. Even unexperienced developers or system administrators may take a glance at the code - free of charge.
  • NO (or very few) dependencies: pcc is supposed to run in the most simplistic (yet still realistically sane) PHP environment. Writing files and loading bloated library code should be avoided.
  • Safeguards: In order to prevent information disclosure, IP restrictions are implemented, as well as a lock-out mechanism based on the script's modification time.
  • Suhosin: pcc checks the correct configuration of the Suhosin extension.

Download

The first (but comprehensive) development version can be downloaded from github: https://github.com/sektioneins/pcc

Please don't hesitate to use the issue tracker for ideas and bug reports.

Screenshot

The HTML output lists all recommendations in color codes ordered by severity. A status line on top of the list shows the number of issues.

/images/pcc-screenshot.png

bf