[Security Fix] PHP, IIS Securable (php.ini fix)

  1. #1 evilxeddie (Gamma Project Extranautus, Member; joined Dec 2009; Seattle; 363 posts)

    [Security Fix] PHP, IIS Securable (php.ini fix)

    I found this earlier when I was looking around the forums. This is an awesome post and should be used in your billing systems. I have recently started picking apart the vulnerabilities, and the php.ini file was one of them... so please follow these steps and secure it.

    **ALL CREDITS GO TO THE ORIGINAL POSTER "Jupos"** As I said... I found this and saw it as a perfect fit for what we are doing now.


    Quote Originally Posted by Jupos:
    Securing your PHP.INI file!


    1) display_errors
    Disabling display_errors is the first thing. If it is 'On', errors raised during execution will be displayed in the user's browser window, so the user can get an idea of the table structure and directory structure. You can avoid this by disabling display_errors in php.ini.
    Usage: display_errors=OFF


    2) safe_mode
    safe_mode is more relevant in a shared server environment. If safe_mode is enabled it will perform a UID/GID comparison on the file/directory to be accessed, comparing it to the uid/gid of the script that is trying to access the file. If they are the same it will allow the file access; if not it will block the access. If you want to compare only the GID then you can enable "safe_mode_gid" in php.ini.


    3) sql.safe_mode
    Set sql.safe_mode to Off. If it is on, mysqli_connect() and mysql_connect() will connect to MySQL with the default username and password.


    4) magic_quotes_gpc
    Enable magic_quotes_gpc so that you can make your user inputs secure. It works the same as the addslashes() function. It will add a backslash (\) before every single quote and double quote.


    5) safe_mode_allowed_env_vars and safe_mode_protected_env_vars
    These two variables protect environment variables from being changed by user PHP scripts. The field safe_mode_allowed_env_vars contains a list of prefixes that identify the names of the environment variables the user is allowed to change. Environment variables whose names do not start with one of the prefixes defined in safe_mode_allowed_env_vars cannot be modified.
    Another setting, safe_mode_protected_env_vars, lists the names of environment variables that the user is not allowed to modify even if they match a prefix in safe_mode_allowed_env_vars.


    6) disable_functions
    This will allow you to disable insecure functions such as shell_exec, system and exec.

    This information was taken from: Secure Your PHP Scripts
    Last edited by MentaL; 09-10-11 at 05:51 PM.
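    An added check, not part of the thread or of Jupos's post: a small Python script that parses a php.ini fragment and reports the settings discussed above, run here over a constructed sample. It also flags safe_mode and magic_quotes_gpc, which were removed in PHP 5.4 and give no protection on later versions.

```python
from typing import Dict, List

# Constructed sample: a php.ini fragment with the weak settings the thread warns about.
SAMPLE_INI = """
[PHP]
; development-style settings left on a production host
display_errors = On
sql.safe_mode = Off
magic_quotes_gpc = On
safe_mode = Off
disable_functions =
"""

# Functions the thread says to disable, and the values PHP treats as "on".
REQUIRED_DISABLED = {"exec", "shell_exec", "system"}
ON_VALUES = {"1", "on", "true", "yes"}
# Directives removed in PHP 5.4; if they are still set, the advice is stale.
REMOVED_IN_54 = ("safe_mode", "magic_quotes_gpc")


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: drops ';' comments and [sections], lower-cases keys.
    Quoted values that themselves contain ';' are not handled (enough for this check)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means all checks pass."""
    findings: List[str] = []
    # PHP's compiled-in default for display_errors is "1", so absence counts as on.
    if settings.get("display_errors", "1").lower() in ON_VALUES:
        findings.append("display_errors is on: set display_errors = Off and log_errors = On")
    if settings.get("sql.safe_mode", "0").lower() in ON_VALUES:
        findings.append("sql.safe_mode is on: mysql_connect() would ignore supplied credentials")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    for key in REMOVED_IN_54:
        if key in settings:
            findings.append(f"{key} is configured but was removed in PHP 5.4 and gives no protection there")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ini(SAMPLE_INI)):
        print("FINDING:", finding)
```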


  2. #2 Y@$$ER LOTFY (Member; joined Sep 2009; 99 posts)

    Re: [Security Fix] PHP, IIS Securable (php.ini fix)

    Big thanks bro...

  3. #3 evilxeddie (Gamma Project Extranautus, Member; joined Dec 2009; Seattle; 363 posts)

    Re: [Security Fix] PHP, IIS Securable (php.ini fix)

    Quote Originally Posted by Y@$$ER LOTFY:
    Big thanks bro...
    Don't thank me... thank Jupos... I just stumbled across this handy little toy

  4. #4 Jangan (Laravel Core Programmer, Developer; joined Jul 2007; Dubai, UAE; 2,113 posts)

    Re: [Security Fix] PHP, IIS Securable (php.ini fix)

    Lol....
    ".htaccess"

    If people learn how to code a proper htaccess, you will never have to worry about DoS or proxies. The rest is done through .php files.

    The php.ini is just a guideline to manage PHP; other than that,

    instead of turning off display_errors, you can just create your own error:

    PHP Code:
    $.... = @mysql........ or die("Custom Error");
    Make sure you never use suppressors unless you are giving a custom error; otherwise, when you build a huge website and screw up, you will waste hours fixing the problem :P


