During the last year I’ve been specializing in PHP Web Hosting administration and took a course in Advanced Web Security. This was partly due to the increasing threats from numerous hacker attacks on popular content management systems such as WordPress, Joomla, Drupal, and others. In this post I will try to explain some of the major issues and hopefully help you strengthen your web hosting security (if you have your own VPS or Dedicated Server, since on Shared Web Hosting plans you don’t have permission to edit the system configuration).
For various reasons PHP seems to be one of the most flexible web development platforms. Unfortunately, that flexibility sometimes leads to security holes, which can in turn lead to compromised websites. This is especially serious in popular content management systems, where a single plugin or even the CMS core may contain “insecure” code. To explain what insecure code is, I will list some of the most common types of “insecure” statements, which usually make data manipulation easier but do more harm than good in the end.
- Register Global Variables = OFF – yes, I know that global variables are very easy to work with, but this setting is dangerous: all variables passed in GET or POST calls to your scripts are auto-processed, which is a problem if you don’t initialize all your variables to null before you use them. To be safer, use $_POST["variable"] or $_GET["variable"], since they don’t override all your variables. Note that they can still be compromised, and it’s a very good idea to do some pattern matching prior to processing any input.
- Disable dangerous PHP functions and never use them! Some of the most dangerous are dl, system, exec, passthru and shell_exec; you can disable them in php.ini by editing the disable_functions value. In general those functions are rarely used and should be avoided. Note that, for example, shell_exec is used by ImageMagick, so you should not disable it if you use ImageMagick. The best way to avoid such security issues is not to use those functions. We have found that eval, for example, is the most compromised function, as it allows the execution of PHP code, and in combination with insecure global variables it can lead to potentially destructive hacks.
- Remote URL injections using allow_url_fopen. NOTE: if enabled, allow_url_fopen allows PHP’s file functions, such as file_get_contents() and the include and require statements, to retrieve data from remote locations, like an FTP or web site. The problem is that this setting is enabled by default in the standard PHP configuration, which means that you should disable it in order to prevent some of the serious PHP code exploits. Note that (from my experience) remote URL file inclusion is actually used in extremely rare cases, which means you can usually keep this setting disabled by default. Of around 4,000 websites, we had only 2 or 3 that used it.
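One way to check a php.ini file against the three settings above, as an added example that is not code from the original post. The function names, the `needed` parameter and the sample file are assumptions made for illustration; the script is in Python so it can run on a server without executing any PHP.

```python
# The five functions the post says to disable.
DANGEROUS = {"dl", "system", "exec", "passthru", "shell_exec"}
# Values PHP treats as boolean true in php.ini.
TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: value}; the last assignment wins, as in php.ini."""
    settings = {}
    for line in text.splitlines():
        # Drop ';' comments (simplified: a ';' inside quotes is not handled).
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text, needed=frozenset()):
    """List findings for the three settings from the post.

    `needed` (hypothetical parameter) names functions a site really uses,
    such as shell_exec in the post's ImageMagick case, so they are
    reported as declared exceptions rather than as gaps.
    """
    ini = parse_ini(text)
    findings = []
    # Assumption: a missing register_globals line means Off.
    if ini.get("register_globals", "off").lower() in TRUTHY:
        findings.append("register_globals is On")
    # allow_url_fopen is enabled by default, so a missing line counts as On.
    if ini.get("allow_url_fopen", "on").lower() in TRUTHY:
        findings.append("allow_url_fopen is On")
    # Names are compared exactly; anything spelled differently is reported.
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    for name in sorted(DANGEROUS - disabled):
        if name in needed:
            findings.append(f"{name} left enabled (declared as needed)")
        else:
            findings.append(f"{name} not in disable_functions")
    return findings

# Constructed sample, not taken from a real server.
SAMPLE = """[PHP]
register_globals = On      ; legacy application
;allow_url_fopen = Off
disable_functions = dl, system,exec
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, needed={"shell_exec"}):
        print(finding)
```

The commented-out `allow_url_fopen` line in the sample is reported as On, because a commented line leaves the default in force.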
Sadly, the list of possible PHP security issues is long, and new ones are constantly added with each new version. That’s why it is our duty to keep our source code as secure as possible (in my view as a professional PHP programmer) and to keep the Apache/PHP configuration with as few hazardous functions enabled as possible (in my view as a web hosting administrator).
I will post some more web hosting security issues later on, but I suppose those are the most fundamental issues, which lead to about 90% of all hacker attacks. There are others which are hidden deep in the Apache code, and some more PHP functions that can be twisted in the wrong way to enable hacker access. I will list them in a separate post.
If you want to add something else please feel free to post comments.