Matteo Mattei

Hello, my name is Matteo Mattei and this is my personal website. I am computer engineer with a long experience in Linux system administration and web software development.

linkedin rss twitter google+ github facebook

Secure PHP installation disabling dangerous functions

Attacks through PHP vulnerabilities are very common and every sysadmin should protect and enforce as much as possible the server infrastructure and PHP configuration to prevent as much as possible these types of attack. Today I show you how to tune PHP configuration to disable some dangerous functions and report as less information as possible to outside.

All changes we are going to do are located in php.ini:

expose_php = Off          # we don't want to let the clients know we are using PHP
display_errors = Off      # in case of error we don't want to show it
register_argc_argv = Off  # for better performance
allow_url_fopen = Off     # no external URL access
allow_url_include = Off   # no external URL access
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source # potential dangerous functions to disable

After that, restart the web server and create a phpinfo() page to make sure the new values have been correctly set.

comments powered by Disqus