securing_php
Differences
| securing_php [2015/10/15 13:56] – created luke7858 | securing_php [2024/05/23 07:26] (current) – external edit 127.0.0.1 | | |
|---|---|---|---|
| Line 2: | Line 2: | ||
| After you have installed php you should go about securing php. | After you have installed php you should go about securing php. | ||
| \\ | \\ | ||
| - | One major issue with php.ini file is a line of code: | + | One major issue with php.ini file the following entry. Please note, if the line below is commented out AND =0 is NOT specified then the server will default to the value =1 |
| <sxh bash> | <sxh bash> | ||
| cgi.fix_pathinfo=1 | cgi.fix_pathinfo=1 | ||
| </ | </ | ||
| - | You can grep for the file in your php.ini | + | You can find this entry in your php.ini with the following command: |
| <sxh bash> | <sxh bash> | ||
| grep ' | grep ' | ||
| Line 12: | Line 12: | ||
| Explanation: | Explanation: | ||
| \\ | \\ | ||
| - | When | + | When the value of cgi.fix_pathinfo=1 then the PHP interpreter will process files with similar file names rather than exact names. |
| + | \\ | ||
| + | For example, if the script mysript.php cannot be found the PHP interpreter will try to find a similar file name such as myscript.jpg and try to execute this. | ||
| + | \\ | ||
| + | This is obviously a security risk. | ||
| + | \\ | ||
| + | \\ | ||
| + | Make sure you commend out cgi.fix_pathinfo=1 | ||
| + | \\ | ||
| + | Example: | ||
| + | <sxh bash> | ||
| + | ; | ||
| + | </ | ||
| + | And then add the following: | ||
| + | <sxh bash> | ||
| + | ; | ||
| + | </ | ||
| + | === Testing === | ||
| + | The following command can be used to view the value of php-fpm cgi.fix_pathinfo | ||
| + | <sxh bash> | ||
| + | php-fpm -i 2>&1 | grep ' | ||
| + | </ | ||
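Review bot: the two configuration examples under "Example:" and "And then add the following:" show only a bare `;`, so the reader is never told which line to comment out or what to add; write them out with the values this page names, i.e. `;cgi.fix_pathinfo=1` followed by `cgi.fix_pathinfo=0`, since an explicit `=0` is exactly what the earlier note about the commented-out default calls for. The Testing command is cut off in the same way after the opening quote and needs the `'cgi.fix_pathinfo'` pattern, and the sentence before it should state that the hardened result is a value of 0 so the reader knows what to look for. Minor: `mysript.php` should read `myscript.php` to match `myscript.jpg`, and "commend out" should be "comment out".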
securing_php.1444917398.txt.gz · Last modified: 2024/05/23 07:26 (external edit)
