Securing PHP on CPanel systems
Jun 30

Hardening PHP for dangerous functions:

First of all, locate your php.ini

If you don't know where your php.ini is, it's easy:
simply upload this file to your www folder

PHP Code:
<?php
phpinfo();
?>
name the file something like info.php
and open it as http://domain.com/info.php

A page will load, and near the top (around the sixth row) a line like the following will be shown. Delete info.php once you have the path: it publishes your complete PHP configuration to anyone who requests it.

The following is from my CPanel server:
Code:

Configuration File (php.ini) Path: /usr/local/lib/php.ini

The following is from my Plesk server:
Code:

Configuration File (php.ini) Path: /etc/php.ini

In SSH:
Code:

cp /usr/local/lib/php.ini /usr/local/lib/php.ini.orig

then edit the php.ini file and set:
Code:

disable_functions = phpinfo, system, include, chown, chmod, exec, passthru, mail, readfile, dir, read, readdir

which disables every function named on that line; add any other function you want to block to the same comma-separated list. Note that include is a language construct rather than a function and read is not a PHP function, so those two entries have no effect, and disabling mail or readfile will break many applications, so test your sites after changing the list.

You can disable any command such way.
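The backup-and-edit step above, as an added example that is not part of the original post: the script keeps a php.ini.orig copy the way the post does, sets disable_functions without leaving duplicate active lines (a second run of a plain "append" would), and reads the directive back. The file paths and the function list are assumptions for illustration; the list is the post's minus the two entries that are not functions.

```shell
#!/bin/sh
# Added example, not from the original post: back up php.ini, set
# disable_functions idempotently, and read the directive back.
# Paths and the function list are assumptions; adjust for your server.

# Print the value of DIRECTIVE from a php.ini-style FILE (first active,
# non-commented line) with surrounding whitespace removed; empty if unset.
ini_get() {  # ini_get FILE DIRECTIVE
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | head -n 1
}

# Set DIRECTIVE = VALUE in FILE: the first active line for the directive is
# replaced, later active duplicates are dropped, commented-out lines are
# left as documentation, and the directive is appended if no active line exists.
ini_set() {  # ini_set FILE DIRECTIVE VALUE
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        BEGIN { done = 0 }
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " = " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Functions to block: the post's list minus "include" (a language construct,
# not a function) and "read" (not a PHP function). mail and readfile are kept
# as in the post, but many applications need them; this list is an assumption.
DANGEROUS="phpinfo,system,chown,chmod,exec,passthru,mail,readfile,dir,readdir"

# Keep a pristine copy (php.ini.orig, as in the post), apply the list,
# and print the resulting value of disable_functions.
harden_php_ini() {  # harden_php_ini FILE
    ini="$1"
    [ -e "$ini.orig" ] || cp "$ini" "$ini.orig"   # never overwrite an existing backup
    ini_set "$ini" disable_functions "$DANGEROUS"
    ini_get "$ini" disable_functions
}

# Demonstration on a constructed php.ini (sample content, not a real server file).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/php.ini" <<'EOF'
[PHP]
; disable_functions =
disable_functions = exec
display_errors = Off
EOF
    echo "before: $(ini_get "$dir/php.ini" disable_functions)"
    echo "after:  $(harden_php_ini "$dir/php.ini")"
    echo "files:  $(ls "$dir" | tr '\n' ' ')"
    rm -rf "$dir"
}

# Usage: sh harden-php.sh /usr/local/lib/php.ini   (no argument runs the demo)
if [ "$#" -gt 0 ]; then
    harden_php_ini "$1"
else
    demo
fi
```

Editing the file on disk is only half the job: a running Apache keeps the old values until it is restarted, and `php -i | grep disable_functions` shows what the interpreter actually loaded, which is the value that matters.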

Using cPanel?

login to your WHM
Click Tweak Security [server setup group]
Click php open_basedir tweak
and select Enable php open_basedir Protection

again,
Click Update Apache [software group]
select PHP suEXEC Support

and rebuild Apache. You will be considerably safer with phpsuexec (PHP scripts run as the account owner rather than as the shared Apache user) and the open_basedir restriction (scripts cannot open files outside the allowed directories).
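A check for the two php.ini-level controls the post relies on, as an added example that is not part of the original post or of cPanel: it audits a php.ini for the disable_functions entries you expect and for an open_basedir value, and flags the info.php probe from earlier if it was left in the document root. The required-function baseline, the docroot argument and the sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or cPanel: audit a php.ini for
# disable_functions coverage and an open_basedir setting, and flag a leftover
# phpinfo probe. The baseline list and docroot are assumptions.

# Value of DIRECTIVE in FILE (first active line), trimmed; empty if unset.
ini_get() {  # ini_get FILE DIRECTIVE
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | head -n 1
}

# Functions that must appear in disable_functions (assumed baseline drawn
# from the post's list; extend it to match your own policy).
REQUIRED="phpinfo system exec passthru"

# Print one finding per line; exit status 0 when clean, 1 when anything is flagged.
audit_php_ini() {  # audit_php_ini FILE [DOCROOT]
    ini="$1"; docroot="${2-}"; findings=0
    # normalise "a, b ,c" to ",a,b,c," so each name can be matched exactly
    disabled=",$(ini_get "$ini" disable_functions | tr -d ' \t'),"
    for fn in $REQUIRED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "disable_functions: $fn still callable"; findings=$((findings + 1)) ;;
        esac
    done
    basedir=$(ini_get "$ini" open_basedir)
    if [ -z "$basedir" ]; then
        echo "open_basedir: not set; scripts may read any path the web user can"
        findings=$((findings + 1))
    fi
    # the post's info.php probe exposes the whole configuration; it should not stay on disk
    if [ -n "$docroot" ] && [ -f "$docroot/info.php" ]; then
        echo "probe: $docroot/info.php still present"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demonstration on constructed files (sample content, not a real server).
demo() {
    dir=$(mktemp -d)
    printf '[PHP]\ndisable_functions = exec\n' > "$dir/php.ini"   # constructed weak config
    printf '<?php phpinfo(); ?>\n' > "$dir/info.php"              # constructed leftover probe
    if audit_php_ini "$dir/php.ini" "$dir"; then
        echo "clean"
    else
        echo "hardening incomplete"
    fi
    rm -rf "$dir"
}

# Usage: sh audit-php.sh /etc/php.ini /home/user/public_html   (no argument runs the demo)
if [ "$#" -gt 0 ]; then
    audit_php_ini "$@"
else
    demo
fi
```

Because the exit status is nonzero whenever something is flagged, the script can run from cron and alert on drift after a cPanel rebuild or an upgrade replaces php.ini. On servers where WHM set open_basedir through Apache rather than php.ini, pass the php.ini that `php --ini` reports and treat the open_basedir finding as a prompt to confirm the Apache-side setting.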


One Response to “Securing PHP on CPanel systems”

  1. cPanelDavidG Says:

    From HWD:
    The following approved comment is more up-to-date than my posted article, which I originally wrote some time ago. Please take heed of David's comments:
    From cPanelDavidG:

    Note that PhpSuExec has been replaced with SuPHP in later builds of cPanel/WHM. SuPHP is essentially a drop-in replacement for the older PhpSuExec.

    You may also wish to consider installing Suhosin if you are securing your PHP server. You can do this via WHM -> Software -> Apache Update and when you get to “Profile :: Apache :: PHP Main :: PHP Specific :: Basic” click on “Advanced Configuration” and select Suhosin.

    If you are not running concurrent PHP (not running PHP 4 and 5 simultaneously), you can edit your PHP configuration by going to WHM -> Service Configuration -> PHP Configuration Editor and switching to the Advanced mode. Note, on concurrent PHP systems this editor will only edit the php.ini for PHP 5.
