PHP security

From Брацка Правка
Jump to: navigation, search

PHP configuration recommendations, for php.ini or set otherwise:

Disable register_globals. Many PHP security attacks are based on injection of global variable values, so making sure it's off can make many potential vulnerabilities toothless. If you require register_globals for another web application, consider enabling it selectively, only for the virtual host or subdirectory that requires it. MediaWiki should be safe even if this is on; turning this off is a precaution against the possibility of unknown vulnerabilities. Unless you require it specifically, disable allow_url_fopen. Remote PHP code execution vulnerabilities may depend on being able to inject a URL into a include() or require(). If you don't require the use of remote file loading, turning this off can prevent attacks of this kind on vulnerable code. MediaWiki may require this setting to be on for the Lucene search extension, the OAI harvester extension, the TitleBlacklist extension, and certain uses of Special:Import in 1.5. It should not however be required in a typical installation. MediaWiki should be safe even if this is on; turning this off is a precaution against the possibility of unknown vulnerability.

  • Set session.use_trans_sid off.

If this is on, session IDs may be added to URLs sometimes if cookies aren't doing their thing. That can leak login session data to third-party sites through referrer data or cut-and-paste of links. You should always turn this off if it's on.