Dallas Cahker wrote:
> I was looking to see if there was a quick checklist of settings
> for php to be disabled/enabled in the ini file to make the
> application more secure.
Although there are some directives worth disabling (register_globals,
magic_quotes_gpc, allow_url_fopen), most vulnerabilities in PHP
applications are a result of flaws in the PHP code. There are no magic
php.ini configuration directives that can make your applications secure
- not that you were suggesting this, but it's worth explicitly stating.
A couple of years ago, I tried to summarize several good practices into
a single mantra - filter input, escape output (FIEO). These practices
don't eliminate everything, but they're a very good first step and can
provide a solid foundation for secure PHP programming.
I made a movie (webcast, screencast, or whatever you call them) about
auditing PHP applications, and it also covers filtering input and
escaping output:
http://brainbulb.com/php-security-audit-howto.mov
There's also the PHP Security Guide:
http://phpsec.org/projects/guide/
We're in the process of writing a second version of the guide, in order
to address the following shortcomings:
1. The guide is several years old, so some techniques have been refined
and/or simplified in the meantime.
2. The vocabulary is slightly inconsistent with the rest of the industry
in some cases.
3. Not all major areas are covered, so it is incomplete.
4. Some explanations are ambiguous and can yield misinterpretations.
Lastly, I want to point out two of the primary attacks that are not
prevented with FIEO:
1. Cross-Site Request Forgeries (CSRF)
2. Session Fixation
Hope that helps get you started.
Chris
--
PHP General Mailing List (http://www.php.net/)
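Chris's FIEO advice, together with the two attacks he lists as outside it, as an added PHP example that is not from his post or from the PHP Security Guide; the PDO connection `$pdo`, the `comments` table and the form field names are assumptions.

```php
<?php
// Added example, not from the post: FIEO on a comment form, plus the
// CSRF and session-fixation controls the post says FIEO does not cover.
// $pdo (a PDO connection) and the comments table are assumed to exist.
session_start();

// Session fixation: give the user a fresh id when they authenticate, so an
// id chosen by an attacker before login never becomes the logged-in session.
function login_user(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// CSRF: tie each state-changing POST to a per-session secret token.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_check($submitted): bool {
    $expected = $_SESSION['csrf'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Filter input: whitelist each field into a clean array; anything else is rejected.
function filter_comment(array $raw): ?array {
    if (!isset($raw['name']) || !is_string($raw['name']) || !preg_match('/^[A-Za-z0-9 ._-]{1,40}$/', $raw['name'])) {
        return null;
    }
    if (!isset($raw['body']) || !is_string($raw['body']) || strlen($raw['body']) > 2000) {
        return null;
    }
    return ['name' => $raw['name'], 'body' => $raw['body']];
}

// Escape output: escape for the context the data enters (here HTML).
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$clean = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) { http_response_code(403); exit; }
    $clean = filter_comment($_POST);
    if ($clean === null) { http_response_code(400); exit; }
    // For SQL, "escaping" means a prepared statement, never string building.
    $pdo->prepare('INSERT INTO comments (name, body) VALUES (?, ?)')->execute([$clean['name'], $clean['body']]);
}
echo '<input type="hidden" name="csrf" value="' . html(csrf_token()) . '">';
echo '<p>' . html($clean['name'] ?? '') . '</p>';
```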