  1.     
    #11
    Member
    I beg to differ SalmanAbbas007

    If someone uploads a shell to your website, clicks on phpinfo, finds your kernel version, then searches for vulns, finds a permission vuln and gains admin access... Then what? All because you didn't block phpinfo.

  3.     
    #12
    Member
    Oh OK, I get it, but you should keep your kernel updated if you are really concerned about security.

  4.     
    #13
    Member
    ho..ho..ho..nice TUT

  5.     
    #14
    Member
    Thanks Buddy

  6.     
    #15
    Member
    Why would you disable those functions while some legit script might use some of them? If you are running that on a default cPanel setup, everyone can bypass the main php.ini because you forgot the most important step.

    The truth is, it doesn't make you more secure. People can still execute exploits via CGI (although you disabled system, exec, shell_exec, passthru and loads of other PHP functions).

  7.     
    #16
    Member
    The user should disable CGI via cPanel anyway. If you don't like the tut, don't comment. Simple as that.

  8.     
    #17
    Member
    Originally posted by Domenic:
    "The user should disable CGI via cPanel anyway. If you don't like the tut, don't comment. Simple as that."

    CGI can't be disabled from cPanel. Why are you writing "security" tutorials if you can't answer my questions? I just wanted to know what's the point in disabling PHP functions and causing issues to clients when the attacker can bypass it in multiple ways you didn't mention - since you are a security expert you should know that, right?

  9.     
    #18
    Member
    Krun!x, when DID I say I was a fucking security expert? When? CGI privileges can be limited by modifying the account via cPanel. All I'm trying to do is help people. Please stay out of this thread.

  10.     
    #19
    Member
    Hello Domenic,

    Thank you for the very fine tutorial, and you are absolutely right. Disabling useless PHP functions which your script does not use is a great idea to stay safe from unwanted shells, no matter who uploads them to the server.

    Those who argue about disabling PHP functions can read This and This.

    EDIT: I found session.save_path 3 times:

    1) ; As of PHP 4.0.1, you can define the path as:
    ;
    ; session.save_path = "N;/path"

    2); The file storage module creates files using mode 600 by default.
    ; You can change that by using
    ;
    ; session.save_path = "N;MODE;/path"


    3) ; where MODE is the octal representation of the mode. Note that this
    ; does not overwrite the process's umask.
    session.save_path = "/var/lib/php/session"


    Do I need to change the last one, and change "/var/lib/php/session" to "/var/lib/php" as you said?

    Thanks in advance.


    EDIT2:

    When I replaced disable_functions with the one you mentioned above, after restarting Apache my board loads without the forum skin. I use IP.Board 3.1.4.
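
An added example, not part of the thread and not any poster's code: a small Python check that reads php.ini text, skips the `;`-commented lines, and reports the single active session.save_path (the question in post #19) along with which of the functions named in post #15 are absent from disable_functions. The sample ini text and all function names here are constructed for illustration.

```python
import re

# Constructed php.ini fragment modelled on the lines quoted in post #19.
SAMPLE_INI = '''\
; As of PHP 4.0.1, you can define the path as:
;
;     session.save_path = "N;/path"
;
;     session.save_path = "N;MODE;/path"
;
session.save_path = "/var/lib/php/session"
disable_functions = system, exec ,shell_exec
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$')

def active_directives(ini_text):
    """Return {name: value} for uncommented assignments; the last one wins."""
    active = {}
    for line in ini_text.splitlines():
        if line.lstrip().startswith(';'):
            continue  # a leading ';' makes the whole line a comment
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):
            end = value.find('"', 1)  # quoted value may itself contain ';'
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(';', 1)[0].strip()  # drop trailing comment
        active[name] = value
    return active

def parse_save_path(value):
    """Split "N;MODE;/path", "N;/path" or "/path" into (depth, mode, path)."""
    parts = value.split(';')
    if len(parts) == 3:
        return int(parts[0]), int(parts[1], 8), parts[2]  # MODE is octal
    if len(parts) == 2:
        return int(parts[0]), None, parts[1]
    return None, None, value

def missing_disabled(ini_text, wanted=("system", "exec", "shell_exec", "passthru")):
    """Functions from `wanted` that the active disable_functions does not list."""
    raw = active_directives(ini_text).get("disable_functions", "")
    listed = {f.strip().lower() for f in raw.split(",") if f.strip()}
    return [f for f in wanted if f not in listed]
```

On the constructed sample, only the last, uncommented session.save_path line is reported as active; the two commented forms are documentation and have no effect.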

  11.     
    #20
    Member
    All this tutorial does is give webmasters a false sense of security. There are far better ways of protecting your system.
