2025-02-25 Update From: SLTechnology News&Howtos > Development
Shulou(Shulou.com)06/03 Report--
The editor shares an example of PHP security analysis. Most people do not know much about it, so this article is offered for reference; I hope you learn a lot from reading it.
I. Apache server security settings
1. Run as Nobody user
In general, Apache is installed and started by root. If the Apache Server process keeps root privileges, it poses a serious threat to the security of the system, so the Apache Server process should run with the lowest privileges possible. It is relatively safe to run Apache as the nobody user by setting the following options in httpd.conf:
User nobody
Group #-1
2. Permissions of ServerRoot directory
To ensure that all configuration is appropriate and secure, access to the Apache home directory must be strictly controlled so that non-superusers cannot modify its contents. The Apache home directory corresponds to the ServerRoot directive in the Apache Server configuration file httpd.conf, which should be:
ServerRoot /usr/local/apache
3. Configuration of SSI
Add the IncludesNOEXEC option to the Options directive in access.conf or httpd.conf to disable the exec function of server-side includes in Apache Server. This prevents users from running executables directly through the Apache server, which would otherwise expose the server system.
Options IncludesNOEXEC
4. Prevent users from modifying system settings
Make the following settings in the Apache server configuration file to prevent users from creating and modifying .htaccess files and from overriding the security features defined for the system.
AllowOverride None
Options None
Allow from all
And then configure the specific directory appropriately.
5. Change the default access characteristics of the Apache server
The default Apache settings guarantee only a certain degree of security. If the server can find a file through the normal mapping rules, the client will get that file. For example, http://localhost/~root/ would allow users to access the entire file system. Add the following to the server configuration:
Order deny,allow
Deny from all
This disables default access to the file system.
6. Security considerations of CGI scripts
CGI scripts are a series of programs that can be run through a Web server. In order to ensure the security of the system, we should ensure that the author of the CGI is trusted. For CGI, it is best to limit it to a specific directory, such as cgi-bin, which is easy to manage; in addition, you should ensure that the files in the CGI directory are unwritable, so as to avoid some deceptive programs staying or mixing in them; if you can provide users with a module of a secure CGI program as a reference, it may reduce many unnecessary troubles and security risks. Remove all scripts for non-business applications in the CGI directory to prevent abnormal information disclosure.
7. SSL link encryption
The common measures above give Apache Server a basic secure operating environment. In practice they obviously need to be broken down further, and a security configuration scheme worked out that fits the actual application.
II. PHP security settings
The server cannot block every security issue; program vulnerabilities, user input forms, PHP file permissions and so on remain.
Some of the measures below can also be used to mislead attackers or people with ulterior motives.
1. The problem of program code vulnerabilities
The major weakness of many PHP programs is not the problem of the PHP language itself, but the lack of security awareness of the programmer. Therefore, you must always pay attention to the problems that may exist in each piece of code to discover the possible impact of incorrect data submission.
The copy code is as follows:
You must always pay attention to your code to make sure that every variable submitted from the client is properly checked, and then ask yourself the following questions:
Does this script only affect the expected files?
Can abnormal data make a difference when it is submitted?
Can this script be used for unplanned purposes?
Can this script be combined with other scripts to do bad things?
Are all transactions fully recorded?
Ask yourself these questions as you write your code, or you may have to rewrite your code later in order to increase security. If you pay attention to these problems, it may not completely guarantee the security of the system, but at least it can improve the security.
You can also consider turning off register_globals, magic_quotes or other settings that make programming easier but obscure the legitimacy, source, and value of a variable.
2. User input form problem
Validate any data entered by the user to ensure the security of the PHP code.
Note 1: JavaScript exists only to improve the experience of visiting users; it is not a verification tool. Any visiting user may deliberately or inadvertently disable client-side script execution and thereby skip that layer of validation, so the data must be validated in the server-side PHP program.
Note 2: Do not use the superglobal $_SERVER['HTTP_REFERER'] to check the source of the data. Even a novice attacker can forge this variable with tools. Instead, generate a token, for example with functions such as md5 or rand, and verify whether the token matches when checking the source.
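The two notes above, as an added example that is not part of the original article: every field is validated on the server regardless of what the browser did, and the request carries a per-session token compared in constant time instead of trusting HTTP_REFERER. The token is generated with random_bytes() rather than rand()/md5(), and the session and POST arrays are constructed here so the script runs without a web server.

```php
<?php
// Added example (not the article's own code): server-side validation plus a
// per-session anti-forgery token, in place of client-side JavaScript checks
// or a check on $_SERVER['HTTP_REFERER'].
declare(strict_types=1);

// Create a token once per session and keep it server-side. random_bytes()
// gives an unpredictable value, which rand()/md5() do not guarantee.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_valid(array $session, $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Validate each field on the server. Returns an array of error messages;
// an empty array means the submission is acceptable.
function validate_signup(array $post): array
{
    $errors = [];

    $username = $post['username'] ?? '';
    if (!is_string($username) || !preg_match('/^[a-z0-9_]{3,20}$/', $username)) {
        $errors['username'] = 'username must be 3-20 lowercase letters, digits or underscores';
    }

    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }

    // filter_var() returns false for non-integers, out-of-range values and arrays.
    $age = $post['age'] ?? '';
    $ageOk = filter_var($age, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($ageOk === false) {
        $errors['age'] = 'age must be an integer between 13 and 120';
    }

    return $errors;
}

// --- demonstration with constructed input (no real HTTP request) ---
$session = [];
$token = csrf_token($session);

// A well-formed submission carrying the session token.
$good = ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34', 'csrf' => $token];
// A submission with a forged token and malformed fields, as a client with
// JavaScript disabled (or a script) could send.
$bad  = ['username' => 'Al', 'email' => 'not-an-address', 'age' => '-5', 'csrf' => 'forged'];

foreach (['good' => $good, 'bad' => $bad] as $label => $post) {
    if (!csrf_valid($session, $post['csrf'] ?? null)) {
        echo "$label: rejected, token mismatch\n";
        continue;
    }
    $errors = validate_signup($post);
    echo "$label: " . ($errors ? implode('; ', $errors) : 'accepted') . "\n";
}
```

In a real application the token would live in $_SESSION, be written into a hidden form field, and the comparison would run before any of the field validation.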
3. PHP file permissions
PHP is designed to access the file system at the user level, so it is entirely possible to write PHP code that reads system files such as /etc/passwd, changes network connections, sends a large number of print jobs, and so on. You must therefore make sure that PHP code only reads and writes the appropriate files. Consider the code below. The user wants to delete a file in his home directory. The file system is assumed to be managed through the web interface, so the Apache user has the right to delete files in the user's directory.
The copy code is as follows:
Now that the username variable can be submitted through the user form, you can submit someone else's user name and file name and delete the file. In this case, other forms of authentication should be considered:
Only web users of PHP are given very limited permissions.
Check all submitted variables.
The following are more secure validation and checking of file names and variables:
The copy code is as follows:
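The article's own listing is not reproduced on this page. The following is an added example, not the original code, showing the unsafe pattern described above beside a checked version: the user comes from the authenticated session rather than the form, the file name must have no directory component, and the resolved path must remain inside that user's home directory. HOME_BASE is a constructed sandbox directory standing in for /home.

```php
<?php
// Added example (not the article's own code): deleting a file from a user's
// home directory via a web interface, unsafe pattern beside a checked one.
declare(strict_types=1);

const HOME_BASE = '/tmp/php_home_demo'; // constructed sandbox standing in for /home

// UNSAFE: username and filename both come straight from the form, so the
// caller can name any user and any relative path, and the Apache user's
// permissions do the rest.
function delete_file_unsafe(string $username, string $filename): bool
{
    return unlink(HOME_BASE . "/$username/$filename");
}

// CHECKED: the user comes from the session set at login; the file name may
// not contain directory components; the resolved target must lie inside the
// user's home directory even if symlinks are involved.
function delete_file_checked(string $sessionUser, string $filename): bool
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $sessionUser)) {
        return false; // session user name not in the expected form
    }
    $name = basename($filename);
    if ($name === '' || $name === '.' || $name === '..' || $name !== $filename) {
        return false; // empty, or contained a directory component
    }
    $home = realpath(HOME_BASE . '/' . $sessionUser);
    if ($home === false) {
        return false; // no such home directory
    }
    $target = realpath($home . '/' . $name);
    if ($target === false) {
        return false; // file does not exist
    }
    if (strpos($target, $home . DIRECTORY_SEPARATOR) !== 0) {
        return false; // resolved path escaped the home directory
    }
    return is_file($target) && unlink($target);
}

// --- demonstration on a constructed directory tree ---
@mkdir(HOME_BASE . '/alice', 0700, true);
@mkdir(HOME_BASE . '/bob', 0700, true);
file_put_contents(HOME_BASE . '/alice/notes.txt', 'alice');
file_put_contents(HOME_BASE . '/bob/secret.txt', 'bob');

$sessionUser = 'alice'; // set at login, never taken from the request

var_dump(delete_file_checked($sessionUser, '../bob/secret.txt')); // false: rejected
var_dump(delete_file_checked($sessionUser, 'notes.txt'));         // true: alice's own file
var_dump(file_exists(HOME_BASE . '/bob/secret.txt'));              // true: bob's file untouched
```

The basename() comparison and the realpath() prefix check are two independent layers: the first rejects any attempt to name a directory, the second catches anything that still resolves outside the home directory, such as a symlink placed there earlier.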
4. Hide the PHP extension
Generally speaking, it is considered ineffective to improve security through hidden means. But in some cases, it is worthwhile to add as much security as possible.
There are some simple ways to help hide PHP, which makes it harder for attackers to discover system vulnerabilities. Setting expose_php = off in the php.ini file reduces the useful information they can get.
Another strategy is to have the web server parse files with other extensions as PHP. Whether through an .htaccess file or the Apache configuration file, you can set file extensions that mislead an attacker:
# make PHP look like other programming languages
AddType application/x-httpd-php .asp .py .pl
# make PHP look like an unknown file type
AddType application/x-httpd-php .bop .foo .133t
# make the PHP code look like an HTML page
AddType application/x-httpd-php .htm .html
For this method to work, you must change the extension of the PHP file to the extension above. This improves security by hiding, although the defense is low and has some drawbacks.
III. MySQL database security settings
PHP itself does not protect the database. The following sections describe only how PHP scripts perform basic access to and operations on the database. Remember a simple principle: defense in depth. The more measures are taken to protect the database, the harder it is for an attacker to obtain and use the information in it. Correct database design and use reduces the risk of a successful attack.
1. Database design
Applications should never use database owners or superuser accounts to connect to the database, because these accounts can perform arbitrary operations, such as modifying the database structure (such as deleting a table) or emptying the contents of the entire database. The user settings of the screenshot below are dangerous.
A different database account should be created for each aspect of the program and very limited permissions should be given to database objects. Only the permissions needed to complete its functions are assigned to prevent the same user from doing what another user does. In this way, even if the attacker takes advantage of the program vulnerability to obtain access to the database, it can only achieve the same scope of influence as the program at most.
2. Database connection problem
Establishing a connection based on SSL encryption technology can increase the security of client-server communication, or SSH can also be used to encrypt the connection between client and database. If these techniques are used, it is difficult for an attacker to monitor server traffic or get information about the database.
3. Encryption of database data
SSL/SSH can protect the data exchanged between the client and the server, but SSL/SSH can not protect the data already in the database. SSL is just a protocol that encrypts network data streams.
If an attacker obtains permission to access the database directly (bypassing the web server), sensitive data can be exposed or misused unless the database protects the information itself. Encrypting the data in the database is an effective way to reduce such risks, but only a few databases provide these encryption functions.
A simple solution to this problem is to create your own encryption mechanism and use it in PHP programs. The most common example is to store an MD5 hash in the database instead of the original plaintext password.
The copy code is as follows:
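The article's listing is not reproduced here. As an added example (not the article's code), the same idea of storing only a hash, written with PHP's password_hash()/password_verify(): unlike an unsalted md5() value these functions salt every hash and are deliberately slow, so a copied table is much harder to reverse. The users array is a constructed stand-in for the database table.

```php
<?php
// Added example (not the article's own code): store a password hash, never
// the plaintext. password_hash() uses bcrypt by default with a per-hash salt.
declare(strict_types=1);

// Constructed in-memory "users" table standing in for the database.
$users = [];

function register(array &$users, string $username, string $password): void
{
    // Only the hash reaches storage; the plaintext is discarded.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $username, string $password): bool
{
    // A real hash of a throwaway value, used when the user does not exist so
    // that the response time does not reveal which usernames are valid.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);

    if (!isset($users[$username])) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $users[$username]);
}

register($users, 'alice', 'correct horse battery staple');

var_dump(login($users, 'alice', 'correct horse battery staple')); // true
var_dump(login($users, 'alice', 'wrong password'));               // false
var_dump(login($users, 'mallory', 'anything'));                   // false

// Two users with the same password get different hashes (per-hash salt),
// so a leaked table does not show which accounts share a password.
register($users, 'bob', 'correct horse battery staple');
var_dump($users['alice'] !== $users['bob']); // true
```

When the database is reached directly, as the text describes, only these hashes are exposed; the stored value is still useless to an attacker without a slow per-password search.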
4. SQL injection problem
Direct SQL command injection is a technique attackers commonly use to create or modify existing SQL statements in order to obtain hidden data, overwrite key values, or even execute operating system commands on the database host. It works because the application takes user input and combines it with static text into a SQL query. Here are some real examples.
The copy code is as follows:
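The article's examples are not reproduced on this page. The following added example (not the article's code) shows the string-built query that makes injection possible beside the parameterised version, and a typed check for numeric keys. It runs against an in-memory SQLite database through PDO so no server is needed; the same PDO calls work with MySQL given a DSN for a limited-privilege account as section 1 recommends.

```php
<?php
// Added example (not the article's own code): SQL built from user input beside
// a prepared statement with bound parameters. Uses SQLite in memory via PDO.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
// Constructed rows; the second name legitimately contains a quote.
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('O''Brien', 'user'), ('root', 'admin')");

// VULNERABLE: the input is pasted into the SQL text, so quote characters in
// the input change the statement instead of the value being matched.
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement is compiled with a placeholder and the value is bound
// afterwards, so it is only ever treated as data.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For numeric keys, validate the type as well as binding the value.
function find_user_by_id(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a positive integer: refuse rather than guess
    }
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A legitimate name with a quote already breaks the concatenated version: the
// query text becomes ... WHERE name = 'O'Brien' and fails to parse. Input
// chosen by an attacker would instead parse as SQL of their choosing.
$input = "O'Brien";
try {
    find_user_unsafe($db, $input);
} catch (PDOException $e) {
    echo "unsafe version: SQL error for input $input\n";
}
print_r(find_user_safe($db, $input));         // exactly one row: O'Brien
var_dump(find_user_by_id($db, '3')['name']);  // string(4) "root"
var_dump(find_user_by_id($db, '3abc'));       // NULL: rejected before the query
```

Binding parameters is the control that removes the vulnerability; the type check on the id is an extra layer that also gives clearer errors. Neither replaces running the application under a database account limited to the tables and operations it actually needs.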