[WEB SECURITY] Securing apache installation with PHP

Hacker, Andrew andrewh at icsalabs.com
Thu May 19 11:32:39 EDT 2005


Hi Cedric,

Don't know how it applies to your particular environment due to the possible complexity of your web environment with multiple posted sites, but you might want to look at the php.ini "safe_mode" setting to restrict executing PHP script environment access.

Here's an article that talks about safe_mode and some other tips.

http://www.developer.com/lang/article.php/922871

Regards,
Andrew J Hacker, CISSP, ISSAP
Sr Security Analyst, ICSA Labs


-----Original Message-----
From: Cedric Foll [mailto:cedric.foll at ac-rouen.fr] 
Sent: Thursday, May 19, 2005 7:15 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Securing apache installation with PHP

Hi,

I have to set up a new web server where many users would be able to put PHP web pages.

I would like to harden my setup.

I've read these great articles http://www.securityfocus.com/infocus/1706
and http://www.securityfocus.com/infocus/1694.

I use all the advice here and I'm going to use mod_security.

What else can I do to protect my webserver?

For example, there are disable_functions and disable_classes in php.ini.
What should I put there ?

Regards.

--
Cedric Foll
Ingénieur Sécurité & Réseaux
Division Informatique, Rectorat de Rouen

"He who joyfully marches to music in rank and file has already earned my contempt. He has been given a large brain by mistake, since for him the spinal cord would fully suffice."
Albert Einstein

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
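
Added example, not part of the original messages: a small Python check that reads a php.ini and reports on the three directives named in this thread (safe_mode, disable_functions, disable_classes). The function list it expects in disable_functions and the sample file are assumptions made for the illustration; safe_mode itself exists only in PHP releases before 5.4.

```python
import re

# Assumption: process-spawning functions an auditor might expect to see
# disabled on a shared host. The thread itself names no functions.
EXPECTED_DISABLED = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}
TRUTHY = {"1", "on", "true", "yes"}

# Constructed sample, not a real server's file.
SAMPLE_INI = """\
[PHP]
; shared hosting profile
safe_mode = Off
disable_functions = "exec, system"   ; quoted list with trailing comment
safe_mode = On
disable_classes =
"""

def parse_php_ini(text):
    """Return {directive: value}. This parser keeps the last assignment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        quoted = re.match(r'^"([^"]*)"', value)
        # Quoted values keep their content; bare values lose inline comments.
        value = quoted.group(1) if quoted else value.split(";", 1)[0].strip()
        settings[key.strip()] = value
    return settings

def split_list(value):
    """Split a comma-separated directive value into clean names."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(text):
    """Summarise the three directives discussed in the thread."""
    ini = parse_php_ini(text)
    # Names are compared exactly as written in the file.
    disabled = set(split_list(ini.get("disable_functions", "")))
    return {
        "safe_mode": ini.get("safe_mode", "").lower() in TRUTHY,
        "missing_disabled_functions": sorted(EXPECTED_DISABLED - disabled),
        "disabled_classes": split_list(ini.get("disable_classes", "")),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```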

