Securing PHP After Installation
After you have installed PHP, you should secure it.
One major issue in the php.ini file is the following entry. Please note: if the line below is commented out AND =0 is NOT specified, the server will default to the value =1.
cgi.fix_pathinfo=1
You can find this entry in your php.ini with the following command:
grep 'cgi.fix_pathinfo' /etc/php.ini
Explanation:
When cgi.fix_pathinfo=1, the PHP interpreter will process files with similar file names rather than exact names.
For example, if the script myscript.php cannot be found, the PHP interpreter will try to find a similar file name such as myscript.jpg and try to execute that instead.
This is obviously a security risk.
Make sure you comment out cgi.fix_pathinfo=1
Example:
;cgi.fix_pathinfo=1
And then add the following line. It must NOT start with a semicolon: as noted above, a commented-out line makes the server fall back to the default value of 1.
cgi.fix_pathinfo=0
Testing
The following command can be used to view the value of cgi.fix_pathinfo that php-fpm is actually using:
php-fpm -i 2>&1 | grep 'pathinfo'
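The two steps on this page (check what value is in effect, then comment out the =1 line and add an explicit =0) can be scripted so the commented-out case is handled correctly. The following is an added example written for this page, not a script from the original author: effective_fix_pathinfo prints the value PHP will actually use for cgi.fix_pathinfo (a missing or ';'-commented line means the default, 1), and disable_fix_pathinfo rewrites a php.ini so the setting is explicitly 0. The file path is a parameter; the php.ini fragment in the demo is constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original page). Applies the rule stated above:
# only an uncommented "cgi.fix_pathinfo=" line counts; anything else means
# PHP falls back to its default of 1.

effective_fix_pathinfo() {
    # $1 = path to a php.ini (assumed); prints 0 or 1 on stdout
    awk -F= '
        # only uncommented assignments match; the last one wins
        /^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=/ {
            v = $2
            sub(/;.*/, "", v)           # strip a trailing ";" comment
            gsub(/[[:space:]]/, "", v)  # strip surrounding whitespace
            last = v
        }
        END {
            if (last == "") print 1     # unset or commented out: default is 1
            else print last
        }' "$1"
}

disable_fix_pathinfo() {
    # $1 = path to a php.ini (assumed). Comments out every live
    # cgi.fix_pathinfo line and appends an explicit cgi.fix_pathinfo=0,
    # which is the change the page recommends. Written via a temp file so
    # it works with both GNU and BSD sed.
    tmp="$1.tmp.$$"
    sed 's/^[[:space:]]*\(cgi\.fix_pathinfo[[:space:]]*=.*\)$/;\1/' "$1" > "$tmp" &&
    printf 'cgi.fix_pathinfo=0\n' >> "$tmp" &&
    mv "$tmp" "$1"
}

# Demo on a constructed php.ini fragment (not a real server's file).
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
; constructed sample php.ini fragment
;cgi.fix_pathinfo=0
cgi.fix_pathinfo=1
EOF
echo "before: cgi.fix_pathinfo is effectively $(effective_fix_pathinfo "$demo_ini")"   # 1
disable_fix_pathinfo "$demo_ini"
echo "after:  cgi.fix_pathinfo is effectively $(effective_fix_pathinfo "$demo_ini")"   # 0
rm -f "$demo_ini"
```

Run it against a copy of your real php.ini first (effective_fix_pathinfo /path/to/php.ini) and compare with the php-fpm -i output above; the two should agree, because php-fpm reports the value it actually loaded rather than what the file appears to say.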
securing_php.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1