Shared hosting environments for security critical applications

zipper johnJune 30, 201210min2371

When you write PHP applications and general guidelines for writing secure Web applications apply. The most important rule is to take care of all user input. Before this entry is used by the application must be carefully validated.

With the built-in PHP session, it is important to properly manage to prevent session fixation attacks. Moreover, the default method to store session data in the file system must be replaced by custom methods that store data in a database.

A problem that is not directly in the area of responsibility of the php developer of web applications is security in shared hosting scenarios. Usually, it is advisable to use PHP shared hosting environments for safety-critical applications.

Especially when the PHP interpreter runs as an Apache module, all scripts run with the techniques of the web server user. Therefore, all scripts have potential access to all virtual hosts with all the directories in the system. Thus, it is possible to access files on other hosting customers. Now we should know the PHP safe mode;

PHP safe mode is an attempt to solve this problem. However, approaches the problem with PHP, not the operating system. So the problem could be open, depending on what other languages are allowed in the housing system.

The following configuration directives can be used for configuring Safe Mode restrictions:

  1. safe_mode – Turns Safe Mode on and off.

  2. safe_mode_gid – By default Safe Mode limits access to those files that have the same owner as script file. This option relaxes this restriction to files that have the same group owner.

  3. safe_mode_include_dir – This option defines a list of directories. For in-clued files within these directories the owner and group owner restrictions do not apply.

  4. safe_mode_exec_dir – This option defines a list of directories. Functions like system () that call system function, can only execute files that reside in the defined directories.

  5. safe_mode_allowed_env_vars – This option defines a prefix for environment variables. PHP scripts can only set variables with this prefix.

  6. safe_mode_protected_env_vars – This option defines a list of environment variables PHP scripts are not allowed to change.

  7. open_basedir – This option defines a path prefix. If defined, PHP scripts can only access files with a path that begins with the defined prefix.

  8. disable_functions – This option defines a list of PHP functions that are disabled and cannot be executed by PHP scripts.

  9. disable_classes – This option defines a list of disabled PHP classes. These classes cannot be accessed by scripts.

Although based on a conceptual error safe mode it operates on the wrong layer, it can help reduce risk. This is true not only for shared hosting scenarios, as well as dedicated web servers that host a single application.

For example, by restricting access to files of a specific path and debilitating act as a system () can help limit damage when a hacker finds a way to inject code.

Recommendations:

            • Do not use PHP Safe Mode as an substitute for proper programming and input validation.

            • Only use it as an additional line of defense.

            • Consider the usage of Safe Mode even on dedicated web servers that host a single application.

The configuration options are most important to the PHP interpreter is Register Globals. This function must be turned off and the applications should never use this feature. Moreover, the error reporting functionality of the PHP interpreter must be configured correctly. Error messages should never be displayed to the user. They must be written in local newspapers. For all relevant information to the extent of reported error messages should be lowered.

Related Articles: Developer and programmers, Php Development Company, Php Development India, Php Developer India, Php Web Development Company, Php Web Development India

Related Links: Hire Php Web Developer, Php Web Development, Php Website Developer, Php Web Developer India, Hire Php Programmer India, Php Programmer