PHP Security Tip #13
p. Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That’s where selecting the right tool comes into play. I know I’ve mentioned "PHPSecInfo":http://phpsec.org/projects/phpsecinfo/ before, but I think this tool is important enough to warrant its own post.
p. "PHPSecInfo":http://phpsec.org/projects/phpsecinfo/ is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of "CERIAS":http://www.cerias.purdue.edu/, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the "PHP Security Consortium":http://phpsec.org. Here’s what the PHPSecInfo homepage has to say about itself.
bq. "PHPSecInfo":http://phpsec.org/projects/phpsecinfo/ provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
p. If you need more info, here’s "the link":http://devzone.zend.com/node/view/id/1099 to a short interview with Ed talking about PHPSecInfo. Here is another "link":http://devzone.zend.com/node/view/id/1735 to the latest release notice for version 0.2.
p. As with all security measures, by itself it’s not the silver bullet. Used properly though, it can be part of a comprehensive solution.
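p. To show the kind of check a tool like this performs, here is a small stand-alone script added to this post. It is not PHPSecInfo's own code: the test names, the thresholds and the recommendation texts are this example's assumptions, and it assumes PHP 7.2 or later (for @PHP_OS_FAMILY@). Like PHPSecInfo it reads the live @php.ini@ values and the identity the PHP process runs under, and prints a recommendation rather than a verdict. It also reflects two points raised in the comments below: @cgi.force_redirect@ is reported with a note that suPHP-style wrappers make the warning safe to ignore, and the uid/gid test is skipped on Windows, where the POSIX functions it relies on do not exist.

```php
<?php
// Added example in the spirit of PHPSecInfo; not the project's own code.
// Assumptions: boolean php.ini flags are read with ini_get(), the uid/gid
// threshold of 100 comes from the comment thread, and the advice strings are
// this example's wording. Run with: php check.php

function check_ini_flag(string $name, bool $wantEnabled, string $advice): array
{
    // ini_get() returns false for an unknown directive and "" when unset;
    // FILTER_VALIDATE_BOOLEAN treats "1", "on", "true", "yes" as enabled.
    $value   = ini_get($name);
    $enabled = filter_var((string) $value, FILTER_VALIDATE_BOOLEAN);
    return [
        'test'    => $name,
        'current' => $value === false ? '(unknown directive)' : ($value === '' ? '(unset)' : $value),
        'ok'      => $enabled === $wantEnabled,
        'advice'  => $advice,
    ];
}

function check_process_user(): array
{
    // On Windows there is no posix_* extension and uid/gid have no meaning,
    // so the test is skipped instead of producing a misleading warning.
    if (PHP_OS_FAMILY === 'Windows' || !function_exists('posix_getuid')) {
        return [
            'test'    => 'process user',
            'current' => PHP_OS_FAMILY,
            'ok'      => true,
            'advice'  => 'uid/gid check not applicable on this platform (skipped)',
        ];
    }
    $uid = posix_getuid();
    $gid = posix_getgid();
    return [
        'test'    => 'process user',
        'current' => "uid=$uid gid=$gid",
        // Assumed threshold: ids below 100 are usually system accounts.
        'ok'      => $uid >= 100 && $gid >= 100,
        'advice'  => 'run PHP as an unprivileged, application-specific account',
    ];
}

function run_checks(): array
{
    return [
        check_ini_flag('display_errors', false,
            'turn display_errors off in production and log errors instead'),
        check_ini_flag('expose_php', false,
            'set expose_php=Off so the PHP version is not advertised in headers'),
        check_ini_flag('allow_url_fopen', false,
            'disable allow_url_fopen unless remote file access is really needed'),
        check_ini_flag('allow_url_include', false,
            'allow_url_include should always be Off'),
        check_ini_flag('cgi.force_redirect', true,
            'keep cgi.force_redirect on for a plain CGI setup; safe to ignore '
            . 'when scripts run through a suEXEC-style wrapper such as suPHP'),
        check_process_user(),
    ];
}

function render_report(array $results): string
{
    $out = '';
    foreach ($results as $r) {
        $out .= sprintf("[%s] %-20s current=%s\n       %s\n",
            $r['ok'] ? ' OK ' : 'WARN', $r['test'], $r['current'], $r['advice']);
    }
    return $out;
}

echo render_report(run_checks());
```

p. Each entry carries the current value next to the advice, because, as the author notes in the comments, a WARN line is a recommendation to look at that part of the environment, not a final verdict; the administrator still has to decide whether the setting is right for that host.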
p. =C=


4 comments to “PHP Security Tip #13”
March 22nd, 2007 at 12:38 pm
It should be noted that if you use suPHP like myself to force scripts to run as a particular user/group (e.g. for each virtual host) that PHPSecInfo will complain that you do not have Force CGI Redirect enabled. This is safe to ignore since you’re actually going through a suEXEC style wrapper when using suPHP rather than direct Apache DSO FastCGI.
March 22nd, 2007 at 8:56 pm
I was just curious if any work had been done to make the account and group checking tests compatible with a Windows environment. Currently it appears to check that the user and group id are under 100, which is only relevant on a *nix environment. I’d be interested in coding this test myself if no work has been done in this area.
March 24th, 2007 at 3:37 am
@pr0teus666: I’m aware of the false positive with suPHP — I use it for a number of projects, actually. I haven’t yet sorted out how to detect if suPHP is being used. Any hints would be appreciated.
FWIW, I think "false positive" isn’t quite the right term for any result PHPSecInfo returns. They aren’t absolute final words, but (sometimes strong) recommendations to make sure a particular aspect of your environment is secure.
@breich: we could absolutely use help getting that test to be relevant on Windows. Sign up for the mailing list and introduce yourself!
March 26th, 2007 at 8:00 pm
@funkatron
I will get back to you on this when I get home from work. As far as I know there’s really no way to detect if suPHP is in use from the PHP environment but I could be mistaken on that.