PHP security hardening
PHP Secure Configuration Checker, pcc for short, checks the configuration of the PHP installation it runs under for insecure settings. It requires PHP >= 5.4 (see the project README for the exact versions supported). [Details]: https://github.com/sektioneins/pcc
1. Installation
Download with wget and unpack. pcc needs neither compiling nor installing: with a working PHP environment, download the archive, unpack it and run the script.
2. Usage
- Switch to a non-root user before running pcc; run as root it refuses to start and reports an error.
- It can be run from the command line or served as a web page (HTML output).
shell> php phpconfigcheck.php
Options: -a check all items (including hidden ones), -j output as JSON, -h output as HTML
Severity levels: [high]: high risk (dark red) [medium]: medium (yellow) [low]: low (green) [maybe]: optional, decide per application (light blue) [comment]: recommendation (teal) [ok]: fine (green)
3. Security fixes
3.1 allow_url_fopen
[high] php.ini / allow_url_fopen
fopen() is allowed to open URLs.
Deactivate, if possible. Allowing URLs in fopen() can be a surprising side-effect for inexperienced developers.
Even if deactivated, it is still possible to receive content from URLs, e.g. with curl.
allow_url_fopen: default 1, remote URLs may be opened. This option enables the URL-aware fopen wrappers, so that URL objects such as remote files can be accessed like local ones. The bundled wrappers provide access to remote files over ftp and http; extensions such as zlib may register further wrappers. With it Off, code that relies on file_get_contents('http://...') or similar stops working and has to use curl instead. allow_url_include is a separate directive that gates include/require of URLs; leave it at its default Off as well.
[Manual]: https://www.php.net/manual/zh/filesystem.configuration.php
Fix: edit php.ini and add
allow_url_fopen = Off
==============================================================================
3.2 enable_dl
[high] php.ini / enable_dl
PHP can load extensions during runtime
Deactivate this option to prevent arbitrary code from being loaded during runtime (see dl()).
enable_dl: default 1, dynamic loading of extensions allowed. The directive only affects the Apache module version of PHP; dl() can be enabled or disabled per virtual host or per directory. Since PHP 5.3 dl() is only supported by the CLI, CGI and embed SAPIs anyway, so switching it Off costs nothing elsewhere. [Manual]: https://www.php.net/manual/zh/info.configuration.php#ini.enable-dl
Fix: edit php.ini and add:
enable_dl = Off
==============================================================================
3.3 assert.active
[medium] php.ini / assert.active
assert is active.
assert() evaluates code just like eval(). Unless it is actually required in a live environment,
which is almost certainly not the case, this feature should be deactivated.
assert.active: default 1, assert() is evaluated. On PHP 7 and later the stronger setting is zend.assertions = -1 (section 3.9), which stops assertion code from being generated at all; set both. [Manual]: https://www.php.net/manual/zh/info.configuration.php#ini.assert.active
Fix: edit php.ini and add:
assert.active = Off
==============================================================================
3.4 disable_classes
[medium] php.ini / disable_classes
no classes disabled.
Potentially dangerous and unused classes should be deactivated.
disable_classes: disables classes that pose a potential risk; separate multiple class names with commas. The directive can only be set in php.ini, not at runtime.
[Manual]: https://www.php.net/manual/zh/ini.core.php#ini.disable-classes
Fix: edit php.ini and add, replacing the placeholders with the class names your application does not need:
disable_classes = classes1,classes2,classes3
==============================================================================
3.5 disable_functions
[medium] php.ini / disable_functions
no functions disabled.
Potentially dangerous and unused functions should be deactivated, e.g. system().
disable_functions: disables dangerous functions. It applies only to PHP's internal functions, not to user-defined ones. Manual: https://www.php.net/manual/zh/ini.core.php#ini.disable-functions
Fix: edit php.ini and add the list below, trimmed to what the application does not need (mail and ini_set in particular are used by many frameworks; test the application before deploying the list):
disable_functions = dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,apache_setenv,symlink,link,ini_set
==============================================================================
3.6 display_errors
[medium] php.ini / display_errors
display_errors is on.
Error messages can divulge information about the inner workings of an application and may include private information such as Session-ID, personal data, database structures, source code excerpts. It is recommended to log errors, but not to display them on live systems.
display_errors: prints error messages to the user's screen. A development aid, not recommended in production.
[Manual]: https://www.php.net/manual/zh/errorfunc.configuration.php#ini.display-errors
Fix: edit php.ini and add the line below, and keep log_errors = On so errors still reach the error log:
display_errors = Off
==============================================================================
3.7 max_execution_time
[medium] php.ini / max_execution_time
Execution time is not limited.
In order to prevent denial-of-service attacks where an attacker tries to keep your server's CPU busy, this value should be set to the lowest possible value, e.g. 30 (seconds).
max_execution_time: maximum time in seconds a script may run before the parser terminates it; default 30. This helps keep badly written scripts from tying up the server. A value of 0 disables the limit, which is what pcc flags here; when PHP runs from the command line the default is 0. The limit only counts time spent executing PHP code; time spent in system calls and stream operations is not included.
[Manual]: https://www.php.net/manual/zh/info.configuration.php#ini.max-execution-time
Fix: edit php.ini and add:
max_execution_time = 30
==============================================================================
3.8 session.use_strict_mode
[medium] php.ini / session.use_strict_mode
strict mode not activated.
If activated, PHP will regenerate unknown session IDs. This effectively counteracts session fixation attacks.
session.use_strict_mode: default 0 (disabled). Specifies whether the session module uses strict session ID mode. When enabled, the module does not accept uninitialized session IDs: if the browser sends a session ID the server never issued, a new session ID is generated and sent to the browser instead. Strict mode protects the application against session fixation. Available since PHP 5.5.2.
[Manual]: https://www.php.net/manual/zh/session.configuration.php#ini.session.use-strict-mode
Fix: edit php.ini and add:
session.use_strict_mode = On
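The behaviour described above, as an added example that is not part of the original page or of pcc: a toy Python model of a server-side session store with strict mode on and off, replaying a session fixation attempt against each. The SessionStore class, the attacker-chosen ID and the login flow are constructed for illustration; PHP's real session module keeps its data in files or a custom handler rather than in a dictionary, and the example is in Python only so that it runs without a PHP installation.

```python
"""Toy model of PHP's session.use_strict_mode (added example, not PHP or pcc code)."""
import secrets
from typing import Dict, Optional


class SessionStore:
    """Hypothetical server-side session store: session ID -> session data."""

    def __init__(self, strict_mode: bool) -> None:
        self.strict_mode = strict_mode          # models session.use_strict_mode
        self.sessions: Dict[str, Dict[str, str]] = {}

    def start(self, cookie_sid: Optional[str]) -> str:
        """Model of session_start(); returns the session ID the server will use."""
        if cookie_sid is not None and cookie_sid in self.sessions:
            return cookie_sid                   # known, server-issued ID
        if cookie_sid is not None and not self.strict_mode:
            # Non-strict: an ID the server never issued is adopted as a real
            # session. This is the gap that makes fixation work.
            self.sessions[cookie_sid] = {}
            return cookie_sid
        # Strict mode (or no cookie at all): issue a fresh, unguessable ID and
        # ignore whatever the client presented.
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {}
        return new_sid

    def login(self, sid: str, user: str) -> None:
        self.sessions[sid]["user"] = user

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack_succeeds(strict_mode: bool) -> bool:
    """Replay a fixation attempt; True means the attacker ends up with the victim's session."""
    store = SessionStore(strict_mode)
    # Constructed attacker-chosen ID, planted in the victim's browser e.g. via a crafted link.
    planted_sid = "attacker-chosen-id-0123456789abcdef"
    # The victim's browser sends the planted cookie along with the login request.
    victim_sid = store.start(planted_sid)
    store.login(victim_sid, "victim")
    # Later the attacker presents the ID they planted.
    return store.user_for(planted_sid) == "victim"


if __name__ == "__main__":
    print("use_strict_mode=0:", fixation_attack_succeeds(False))   # True: attacker wins
    print("use_strict_mode=1:", fixation_attack_succeeds(True))    # False: planted ID was replaced
```

Strict mode closes the door the attacker walks through here (planting an ID the server never issued), but an attacker can still obtain a valid ID by visiting the site themselves and plant that one; calling session_regenerate_id(true) after a successful login is therefore still needed so that no pre-login ID is carried into the authenticated session.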
==============================================================================
3.9 zend.assertions
[medium] php.ini / zend.assertions
assert is active.
assert() is able to evaluate code. Please deactivate this feature for production environments by setting zend.assertions=-1.
zend.assertions: assertion level, default 1 (PHP 7.0 and later). At 1, assertion code is generated and executed (development mode). At 0, assertion code is generated but skipped at runtime. At -1, no assertion code is generated at all, so assertions cost nothing (production mode). Notes: 1. If the process was started in production mode (-1), zend.assertions cannot be changed at runtime, because no assertion code was generated. 2. If the process was started in development mode, zend.assertions cannot be set to -1 at runtime.
[Manual]: https://www.php.net/manual/zh/ini.core.php#ini.zend.assertions
Fix: edit php.ini and add:
zend.assertions = -1
==============================================================================
3.10 open_basedir
[low] php.ini / open_basedir
open_basedir not set.
Usually it is a good idea to restrict file system access to directories related to the application, e.g. the document root.
open_basedir: restricts the files PHP may open to the given directory tree, including the file itself. Default empty (no restriction). Several directories are separated with ":" on Unix-like systems and ";" on Windows. An entry without a trailing slash is treated as a prefix ("/home/www" also matches "/home/www2"), so end each entry with a slash. Include any other directories the application legitimately needs, such as session.save_path and upload_tmp_dir (commonly /tmp), or sessions and uploads will start failing.
[Manual]: https://www.php.net/manual/zh/ini.core.php#ini.open-basedir
Fix: edit php.ini and add, adjusting the path to your own document root:
open_basedir = /home/www/
==============================================================================
3.11 file_uploads
[maybe] php.ini / file_uploads
file uploads are allowed.
If an application does not require HTTP file uploads, this setting should be deactivated.
file_uploads: whether HTTP file uploads are allowed; default 1. See also the upload_max_filesize, upload_tmp_dir and post_max_size directives.
[Manual]: https://www.php.net/manual/zh/ini.core.php#ini.file-uploads
Fix: if the application does not use uploads, edit php.ini and add the line below (if it does, leave file_uploads On and cap upload_max_filesize and post_max_size instead):
file_uploads = Off
==============================================================================
3.12 max_input_time
[maybe] php.ini / max_input_time
Input parsing time not limited.
It may be useful to limit the time a script is allowed to parse input. This should be decided on a per application basis
max_input_time: the maximum time in seconds a script may spend parsing input data (POST, GET, file uploads). Timing starts when PHP is invoked by the server and ends when script execution begins. Default -1, meaning max_execution_time is used instead; 0 means no limit. Web servers have timeouts of their own that can also cut PHP off: Apache has a Timeout directive and IIS a CGI timeout, both 300 seconds by default; see your web server's documentation.
[Manual]: https://www.php.net/manual/zh/info.configuration.php#ini.max-input-time
Fix: edit php.ini and add (30 is an example value; large uploads over slow links may need more):
max_input_time = 30
==============================================================================
3.13 memory_limit
[maybe] php.ini / memory_limit
Memory limit is 128M or more.
A high memory limit may easily lead to resource exhaustion and thus make your application vulnerable to denial-of-service attacks.
This value should be set approximately 20% above an empirically gathered maximum memory requirement
memory_limit: the maximum amount of memory a single script may allocate, in bytes (shorthand such as 128M is accepted); default 128M. This helps keep badly written scripts from consuming all memory available on the server. Setting it to -1 removes the limit entirely. Note that 128M is exactly the value pcc is flagging: measure the application's real peak usage (memory_get_peak_usage()) and set the limit about 20% above it.
[Manual]: https://www.php.net/manual/zh/ini.core.php#ini.memory-limit
Fix: edit php.ini and set a measured value; for example, if peak usage is around 50M:
memory_limit = 64M
==============================================================================
3.14 session.cookie_lifetime
[maybe] php.ini / session.cookie_lifetime
no implicit lifetime for session cookie.
Not limiting the cookie lifetime increases the chance for an attacker to be able to steal the session cookie. Depending on your application, this should be set to a reasonable value here or with session_set_cookie_params().
session.cookie_lifetime: lifetime of the session cookie in the browser, in seconds. Default 0, meaning the cookie lasts until the browser is closed; that default is what pcc flags. The cookie lifetime is independent of the server-side session lifetime (session.gc_maxlifetime), so set both.
[Manual]: https://www.php.net/manual/zh/session.configuration.php#ini.session.cookie-lifetime
Fix: edit php.ini and add a value suited to the application, e.g. one hour:
session.cookie_lifetime = 3600
==============================================================================
3.15 session.cookie_samesite
[maybe] php.ini / session.cookie_samesite
SameSite is unset.
Set SameSite to `Lax` or `Strict` to better protect against CSRF.
session.cookie_samesite: supported since PHP 7.3. Declares that the cookie should not be sent with cross-site requests, which lets the user agent reduce cross-origin information leakage and gives some protection against cross-site request forgery (CSRF). Not every browser supports it. Default empty, meaning no SameSite attribute is set.
Strict: the cookie is never sent as a third-party cookie, without exception.
Lax: slightly more relaxed than Strict; the cookie is also sent on a top-level navigation (one that changes the current page or opens a new one) made with a GET request, GET being semantically a read and therefore safer than POST.
(The Strict/Lax descriptions are taken from: https://blog.csdn.net/mystonelxj/article/details/82349670)
With Strict, a user following a link to the site from elsewhere arrives without the session cookie and appears logged out until the next navigation; Lax is usually the practical choice, and neither value replaces anti-CSRF tokens in the application.
[Manual]: https://www.php.net/manual/zh/session.configuration.php#ini.session.cookie-samesite
Fix: edit php.ini and add:
session.cookie_samesite = Strict
==============================================================================
3.16 session.cookie_secure
[maybe] php.ini / session.cookie_secure
no implicit secure-flag for session cookie.
This option controls if cookies are tagged as secure and should therefore be sent over SSL encrypted connections only. It should either be activated here or in your application with session_set_cookie_params().
session.cookie_secure: whether the session cookie is sent only over secure (HTTPS) connections. Default off. Enable it once the site is served over HTTPS everywhere; over plain HTTP the browser will not send the cookie and sessions stop working.
[Manual]: https://www.php.net/manual/zh/session.configuration.php#ini.session.cookie-secure
Fix: edit php.ini and add:
session.cookie_secure = On
==============================================================================
3.17 session.referer_check
[comment] php.ini / session.referer_check
referer check not activated.
PHP can invalidate a session ID if the submitted HTTP Referer does not contain a configured substring. The Referer can be set by a custom client/browser or plugins (e.g. Flash, Java). However it may prevent some cases of CSRF attacks, where the attacker can not control the client's Referer.
session.referer_check: default empty. A substring that every HTTP Referer is checked against. If the client sends a Referer header and the substring is not found in it, the embedded session ID is marked invalid. Requests without a Referer header are not affected.
[Manual]: https://www.php.net/manual/zh/session.configuration.php#ini.session.referer-check
Fix: the directive takes a substring, not On/Off (php.ini reads On as "1", which would make session validity depend on whether the digit 1 happens to appear in the Referer). Edit php.ini and add your own site's host name; example.com below is a placeholder:
session.referer_check = example.com
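To pull section 3 together, here is an added example that is not part of the page or of the pcc project: a small pcc-style audit, written in Python, that parses a php.ini text and reports which of the recommendations above it fails, using the same severity labels. The rule table, the messages, the weak sample php.ini and the hardened fragment are all constructed for this example (disable_classes is left out because its value is application-specific, and the open_basedir path and referer_check host are placeholders); pcc itself inspects the running PHP configuration rather than a file, and its checks and output format differ.

```python
"""pcc-style php.ini audit for the directives in section 3 (added example, not pcc code)."""
from typing import Callable, Dict, List, Tuple

OFF_VALUES = {"", "0", "off", "false", "no", "none"}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Map lower-cased directive -> value; later lines win. Handles ';' comments,
    [section] headers and double-quoted values; php.ini expressions are not evaluated."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip().lower()] = value.strip().strip('"')
    return values


def is_off(value: str) -> bool:
    return value.strip().lower() in OFF_VALUES


def to_bytes(value: str) -> int:
    """PHP shorthand sizes (128M, 64K, 1G); -1 means unlimited."""
    v = value.strip().lower() or "0"
    if v == "-1":
        return -1
    unit = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    return int(v[:-1]) * unit[v[-1]] if v[-1] in unit else int(v)


# (severity, directive, PHP's built-in default when the directive is absent, is_weak(value), message)
RULES: List[Tuple[str, str, str, Callable[[str], bool], str]] = [
    ("high", "allow_url_fopen", "1", lambda v: not is_off(v), "fopen() is allowed to open URLs"),
    ("high", "enable_dl", "1", lambda v: not is_off(v), "extensions can be loaded at runtime with dl()"),
    ("medium", "assert.active", "1", lambda v: not is_off(v), "assert() evaluates code like eval()"),
    ("medium", "zend.assertions", "1", lambda v: v != "-1", "assertion code is generated"),
    ("medium", "disable_functions", "", lambda v: v == "", "no functions disabled"),
    ("medium", "display_errors", "1", lambda v: not is_off(v), "errors are displayed to clients"),
    ("medium", "max_execution_time", "30", lambda v: v == "0", "execution time is not limited"),
    ("medium", "session.use_strict_mode", "0", is_off, "unknown session IDs are accepted"),
    ("low", "open_basedir", "", lambda v: v == "", "file system access is not restricted"),
    ("maybe", "file_uploads", "1", lambda v: not is_off(v), "file uploads are allowed"),
    ("maybe", "max_input_time", "-1", lambda v: v in ("-1", "0"), "input parsing time has no explicit limit"),
    ("maybe", "memory_limit", "128M", lambda v: to_bytes(v) == -1 or to_bytes(v) >= 128 * 1024 ** 2, "memory limit is 128M or more"),
    ("maybe", "session.cookie_lifetime", "0", lambda v: v == "0", "no implicit lifetime for session cookie"),
    ("maybe", "session.cookie_samesite", "", lambda v: v.lower() not in ("lax", "strict"), "SameSite is unset"),
    ("maybe", "session.cookie_secure", "0", is_off, "session cookie is not restricted to HTTPS"),
    ("comment", "session.referer_check", "", lambda v: v == "", "referer check not activated"),
]


def audit_php_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, directive, message) for each rule the configuration fails."""
    ini = parse_php_ini(text)
    return [(sev, key, msg) for sev, key, default, is_weak, msg in RULES
            if is_weak(ini.get(key, default))]


def count_by_severity(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample of a development-style php.ini.
WEAK_INI = """
[PHP]
allow_url_fopen = On
enable_dl = On
display_errors = On
max_execution_time = 0
memory_limit = -1
session.use_strict_mode = 0
"""

# Constructed hardened fragment collecting section 3's recommendations; the
# open_basedir path and the referer_check host are placeholders for your own site.
HARDENED_INI = """
allow_url_fopen = Off
enable_dl = Off
assert.active = Off
zend.assertions = -1
disable_functions = dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec
display_errors = Off
log_errors = On
max_execution_time = 30
max_input_time = 30
memory_limit = 64M
file_uploads = Off
open_basedir = /home/www/:/tmp/
session.use_strict_mode = On
session.cookie_lifetime = 3600
session.cookie_samesite = Lax
session.cookie_secure = On
session.referer_check = example.com
"""

if __name__ == "__main__":
    for name, ini_text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        findings = audit_php_ini(ini_text)
        print(name, count_by_severity(findings), *[f"[{s}] {k}: {m}" for s, k, m in findings], sep="\n  ")
```

Each rule carries PHP's built-in default so that a directive missing from the file is judged the way the engine would treat it (for example display_errors and file_uploads are on unless set), which is why the weak sample, which sets only six directives, fails all sixteen rules. Run it against your own php.ini with audit_php_ini(open("/etc/php.ini").read()); an empty result means every recommendation in this section is in place.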
(End)