1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
|
<HTML
><HEAD
><TITLE
>Security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
REL="HOME"
TITLE="PHP Manual"
HREF="manual.html"><LINK
REL="UP"
TITLE="Getting Started"
HREF="getting-started.html"><LINK
REL="PREVIOUS"
TITLE="Configuration"
HREF="configuration.html"><LINK
REL="NEXT"
TITLE="Apache module"
HREF="security.apache.html"><META
NAME="HTTP_EQUIV"
CONTENT="text/html; charset=ISO-8859-1"></HEAD
><BODY
CLASS="chapter"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>PHP Manual</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="configuration.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="security.apache.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="chapter"
><H1
><A
NAME="security"
>Chapter 4. Security</A
></H1
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
><A
HREF="security.html#security.cgi"
>CGI binary</A
></DT
><DT
><A
HREF="security.apache.html"
>Apache module</A
></DT
></DL
></DIV
><P
> PHP is a powerful language and the interpreter, whether included
in a web server as a module or executed as a separate
<SPAN
CLASS="acronym"
>CGI</SPAN
> binary, is able to access files, execute
commands and open network connections on the server. These
properties make anything run on a web server insecure by default.
PHP is designed specifically to be a more secure language for
writing CGI programs than Perl or C, and with correct selection of
compile-time and runtime configuration options it gives you
exactly the combination of freedom and security you need.
</P
><P
> As there are many different ways of utilizing PHP, there are many
configuration options controlling its behaviour. A large
selection of options guarantees you can use PHP for a lot of
purposes, but it also means there are combinations of these
options and server configurations that result in an insecure
setup. This chapter explains the different configuration option
combinations and the situations they can be safely used.
</P
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="security.cgi"
>CGI binary</A
></H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN2195"
>Possible attacks</A
></H2
><P
> Using PHP as a <SPAN
CLASS="acronym"
>CGI</SPAN
> binary is an option for
setups that for some reason do not wish to integrate PHP as a
module into server software (like Apache), or will use PHP with
different kinds of CGI wrappers to create safe chroot and setuid
environments for scripts. This setup usually involves installing
executable PHP binary to the web server cgi-bin directory. CERT
advisory <A
HREF="http://www.cert.org/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html"
TARGET="_top"
>CA-96.11</A
> recommends
against placing any interpreters into cgi-bin. Even if the PHP
binary can be used as a standalone interpreter, PHP is designed
to prevent the attacks this setup makes possible:
</P
><P
></P
><UL
><LI
><P
> Accessing system files: <TT
CLASS="filename"
>http://my.host/cgi-bin/php?/etc/passwd</TT
>
</P
><P
> The query information in a url after the question mark (?) is
passed as command line arguments to the interpreter by the CGI
interface. Usually interpreters open and execute the file
specified as the first argument on the command line.
</P
><P
> When invoked as a CGI binary, PHP refuses to interpret the
command line arguments.
</P
></LI
><LI
><P
> Accessing any web document on server: <TT
CLASS="filename"
>http://my.host/cgi-bin/php/secret/doc.html</TT
>
</P
><P
> The path information part of the url after the PHP binary name,
<TT
CLASS="filename"
>/secret/doc.html</TT
> is
conventionally used to specify the name of the file to be
opened and interpreted by the <SPAN
CLASS="acronym"
>CGI</SPAN
> program.
Usually some web server configuration directives (Apache:
Action) are used to redirect requests to documents like
<TT
CLASS="filename"
>http://my.host/secret/script.php3</TT
> to the
PHP interpreter. With this setup, the web server first checks
the access permissions to the directory <TT
CLASS="filename"
>/secret</TT
>, and after that creates the
redirected request <TT
CLASS="filename"
>http://my.host/cgi-bin/php/secret/script.php3</TT
>.
Unfortunately, if the request is originally given in this form,
no access checks are made by web server for file <TT
CLASS="filename"
>/secret/script.php3</TT
>, but only for the
<TT
CLASS="filename"
>/cgi-bin/php</TT
> file. This way
any user able to access <TT
CLASS="filename"
>/cgi-bin/php</TT
> is able to access any
protected document on the web server.
</P
><P
> In PHP, compile-time configuration option <A
HREF="install.configure.html#install.configure.enable-force-cgi-redirect"
>--enable-force-cgi-redirect</A
>
and runtime configuration directives <A
HREF="configuration.html#ini.doc-root"
>doc_root</A
> and <A
HREF="configuration.html#ini.user-dir"
>user_dir</A
> can be used to prevent
this attack, if the server document tree has any directories
with access restrictions. See below for full the explanation
of the different combinations.
</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="security.cgi.default"
>Case 1: only public files served</A
></H2
><P
> If your server does not have any content that is not restricted
by password or ip based access control, there is no need for
these configuration options. If your web server does not allow
you to do redirects, or the server does not have a way to
communicate to the PHP binary that the request is a safely
redirected request, you can specify the option <A
HREF="install.configure.html#install.configure.enable-force-cgi-redirect"
>--enable-force-cgi-redirect</A
>
to the configure script. You still have to make sure your PHP
scripts do not rely on one or another way of calling the script,
neither by directly <TT
CLASS="filename"
>http://my.host/cgi-bin/php/dir/script.php3</TT
>
nor by redirection <TT
CLASS="filename"
>http://my.host/dir/script.php3</TT
>.
</P
><P
> Redirection can be configured in Apache by using AddHandler and
Action directives (see below).
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="security.cgi.force-redirect"
>Case 2: using --enable-force-cgi-redirect</A
></H2
><P
> This compile-time option prevents anyone from calling PHP
directly with a url like <TT
CLASS="filename"
>http://my.host/cgi-bin/php/secretdir/script.php3</TT
>.
Instead, PHP will only parse in this mode if it has gone through
a web server redirect rule.
</P
><P
> Usually the redirection in the Apache configuration is done with
the following directives:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
> Action php3-script /cgi-bin/php
AddHandler php3-script .php3
</PRE
></TD
></TR
></TABLE
><P
> This option has only been tested with the Apache web server, and
relies on Apache to set the non-standard CGI environment variable
<TT
CLASS="envar"
>REDIRECT_STATUS</TT
> on redirected requests. If your
web server does not support any way of telling if the request is
direct or redirected, you cannot use this option and you must use
one of the other ways of running the CGI version documented
here.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="security.cgi.doc-root"
>Case 3: setting doc_root or user_dir</A
></H2
><P
> To include active content, like scripts and executables, in the
web server document directories is sometimes consider an insecure
practice. If, because of some configuration mistake, the scripts
are not executed but displayed as regular HTML documents, this
may result in leakage of intellectual property or security
information like passwords. Therefore many sysadmins will prefer
setting up another directory structure for scripts that are
accessible only through the PHP CGI, and therefore always
interpreted and not displayed as such.
</P
><P
> Also if the method for making sure the requests are not
redirected, as described in the previous section, is not
available, it is necessary to set up a script doc_root that is
different from web document root.
</P
><P
> You can set the PHP script document root by the configuration
directive <A
HREF="configuration.html#ini.doc-root"
>doc_root</A
> in the
<A
HREF="configuration.html#configuration.file"
>configuration file</A
>, or
you can set the environment variable
<TT
CLASS="envar"
>PHP_DOCUMENT_ROOT</TT
>. If it is set, the CGI version
of PHP will always construct the file name to open with this
<TT
CLASS="parameter"
><I
>doc_root</I
></TT
> and the path information in the
request, so you can be sure no script is executed outside this
directory (except for <TT
CLASS="parameter"
><I
>user_dir</I
></TT
>
below).
</P
><P
> Another option usable here is <A
HREF="configuration.html#ini.user-dir"
>user_dir</A
>. When user_dir is unset,
only thing controlling the opened file name is
<TT
CLASS="parameter"
><I
>doc_root</I
></TT
>. Opening an url like <TT
CLASS="filename"
>http://my.host/~user/doc.php3</TT
> does not
result in opening a file under users home directory, but a file
called <TT
CLASS="filename"
>~user/doc.php3</TT
> under
doc_root (yes, a directory name starting with a tilde
[<TT
CLASS="literal"
>~</TT
>]).
</P
><P
> If user_dir is set to for example <TT
CLASS="filename"
>public_php</TT
>, a request like <TT
CLASS="filename"
>http://my.host/~user/doc.php3</TT
> will open a
file called <TT
CLASS="filename"
>doc.php3</TT
> under the directory
named <TT
CLASS="filename"
>public_php</TT
> under the home
directory of the user. If the home of the user is <TT
CLASS="filename"
>/home/user</TT
>, the file executed is
<TT
CLASS="filename"
>/home/user/public_php/doc.php3</TT
>.
</P
><P
> <TT
CLASS="parameter"
><I
>user_dir</I
></TT
> expansion happens regardless of
the <TT
CLASS="parameter"
><I
>doc_root</I
></TT
> setting, so you can control
the document root and user directory access
separately.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="security.cgi.shell"
>Case 4: PHP parser outside of web tree</A
></H2
><P
> A very secure option is to put the PHP parser binary somewhere
outside of the web tree of files. In <TT
CLASS="filename"
>/usr/local/bin</TT
>, for example. The only real
downside to this option is that you will now have to put a line
similar to:
<DIV
CLASS="informalexample"
><A
NAME="AEN2267"
></A
><P
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
> #!/usr/local/bin/php
</PRE
></TD
></TR
></TABLE
><P
></P
></DIV
>
as the first line of any file containing PHP tags. You will also
need to make the file executable. That is, treat it exactly as
you would treat any other CGI script written in Perl or sh or any
other common scripting language which uses the
<TT
CLASS="literal"
>#!</TT
> shell-escape mechanism for launching
itself.
</P
><P
> To get PHP to handle <TT
CLASS="envar"
>PATH_INFO</TT
> and
<TT
CLASS="envar"
>PATH_TRANSLATED</TT
> information correctly with this
setup, the php parser should be compiled with the <A
HREF="install.configure.html#install.configure.enable-discard-path"
>--enable-discard-path</A
>
configure option.
</P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="configuration.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="manual.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="security.apache.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configuration</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="getting-started.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Apache module</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
|
