Security UPDATE--Secure PHP Configuration--March 7, 2007
If you use PHP on your server, then you need to examine its configuration to make sure you're not overly exposing aspects of the engine. Get some PHP configuration advice and links to other security news and resources.
March 6, 2007
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
Ontrack Data Recovery: Data loss prevention tips
http://www.ontrack.com/special/0606drnewsoffer.aspx
Free White Paper: Address the Insider Threat
http://findtechinfo.com/penton/nl/250
Podcast: The Inside Story on Forefront Client Security
http://www.windowsitpro.com/go/podcast/coresecurity/forefrontclient/?code=SECHot
CONTENTS
===========================================
IN FOCUS: Secure PHP Configuration NEWS AND FEATURES - RFID Hacking Presentation Draws Legal Threats - 5 Vulnerabilities Kick Off Month of PHP Bugs - Recent Security Vulnerabilities GIVE AND TAKE - Security Matters Blog: Firefox 2.0.0.2 Released--Finally! - FAQ: Enable Parental Controls in Vista - Share Your Security Tips - Microsoft Learning Paths for Security: Securing Your Messaging Infrastructure PRODUCTS - Assess Your Data Vulnerability - Wanted: Your Reviews of Products RESOURCES AND EVENTS FEATURED WHITE PAPER ANNOUNCEMENTS === SPONSOR: Ontrack Data Recovery
===================
Ontrack Data Recovery: Data loss prevention tips Snow storms, extreme heat, hurricanes... they all have the potential to interrupt your business and damage your data storage systems. While your business might never be directly impacted by a natural disaster, data loss can strike companies anytime and anywhere. Be prepared by learning how to prevent data loss and what to do when data loss affects your business. Ontrack Data Recovery, the world leader in data recovery services and software, is pleased to offer a FREE e-newsletter that addresses data loss prevention and response. Recent topics discussed in Ontrack's Data Recovery News include: - Seven things to avoid when your drive crashes - Data recovery options for flash media - Do-it-yourself data recovery software products Sign up for the FREE Ontrack Data Recovery Newsletter today: http://www.ontrack.com/special/0606drnewsoffer.aspx === IN FOCUS: Secure PHP Configuration
===============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net A Month of PHP Bugs was launched March 1. If you missed last week's editorial about this initiative, you can read it on our Web site at the URL below. Be sure to also read the related news item "5 Vulnerabilities Kick Off Month of PHP Bugs," which you can link to from the Security News and Features section below. http://www.windowsitpro.com/Article/ArticleID/95328 So far, Stefan Esser has posted several interesting vulnerabilities on his Month of PHP Bugs site, some of which you can avoid by specific practices. If you use PHP on your server, then you need to examine its configuration to make sure you're not overly exposing aspects of the engine, which could in turn expose your entire system and possibly other parts of your network. If your Web system is closed (i.e., you don't allow others to upload or create any files), your potential security risks are more limited than if it's open. Either way, you need to take precautions to ensure that certain functions aren't usable unless you intend for them to be used. One example is that PHP can allow the use of the exec and shell_exec functions, which essentially let you run OS commands and retrieve the output. I've used the shell-exec function to good advantage. I had an account with a Web hosting company, which had a server that would frequently slow to a crawl, making nearly all access impossible. I grew tired of the support staff's vague explanations and decided to investigate the problem myself. With the help of the shell_exec function (and a few others), I could use PHP to look at a lot of the server's operational characteristics. I discovered the bottleneck, contacted support, and alluded to the problem. I figure the support team members scratched their heads for a couple months wondering how I knew what was happening before they finally wised up and disabled the shell_exec function. In another example, I signed up for a blog at a popular site, which will remain unnamed here. I wanted specific blog functionality that wasn't available, so I went to work on a way around the limitations. I discovered that this site too allowed dangerous functions to operate. With a little work, I could navigate nearly the entire server disk subsystem at will, read configuration files, discover path information, and then manipulate my blog to gain the functionality I wanted by using the information I had gathered to enable my custom scripts to run. Eventually, the site staff figured out what was happening and disabled many dangerous functions. In addition to exec and shell-exec, some dangerous PHP functions are suexec, passthru, proc_open, proc_close, proc_get-status, proc_nice, proc_terminate, system, popen, pclose, dl, ini_set, virtual, set_time_limit, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, and escapeshellarg. Go to this URL for other potentially dangerous functions: http://www.phpbuilder.com/manual/features.safe-mode.functions.php You can disable functions by adding (or editing) a line in your php.ini file like this: disable_functions = "shell_exec, suexec, passthru" More help for configuring PHP can be found at these URLs: Ayman Hourieh's Blog http://aymanh.com/checklist-for-securing-php-configuration WEB-DOT-DEV--PHP Configuration http://www.webdotdev.com/nvd/server-side/php/php-configuration.html PHP Manual http://us2.php.net/manual/en/security.php PHP Security Consortium's PhpSecInfo http://phpsec.org/projects/phpsecinfo/ Finally, a good resource with lots of other links (including books) is available at the PHP Security Consortium's Web site: http://phpsec.org/library/ === SPONSOR: NetIQ
===================================
Free White Paper: Address the Insider Threat Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured and ready to build a solution to contain the insider threat http://findtechinfo.com/penton/nl/250 === SECURITY NEWS AND FEATURES
=======================
RFID Hacking Presentation Draws Legal Threats IOActive, a consulting firm that specializes in information risk management and application security analysis, was slated to give a presentation on RFID hacking at the Black Hat DC Briefings last week; however the presentation was withdrawn due to controversy. http://www.windowsitpro.com/Article/ArticleID/95327 5 Vulnerabilities Kick Off Month of PHP Bugs Of the first five vulnerabilities posted by Stefan Esser, two could cause a system crash, one could cause maximum CPU usage thereby creating a Denial of Service (DoS) condition, and two can be exploited to cause data overflow conditions. http://www.windowsitpro.com/Article/ArticleID/95348 Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html === SPONSOR: Core Security
===========================
Podcast: The Inside Story on Forefront Client Security Are all of your malware definitions completely up to date? If they are, then you are halfway home to total malware protection. Windows Vista may be the most secure Microsoft OS ever released, but malware is constantly evolving, and sometimes out-of-the-box security just isn't enough. In this exclusive podcast, Windows IT Pro Research and Strategy Director Karen Forster interviews Microsoft Product Manager Josue Fontanez about Microsoft's unified malware protection package: Forefront Client Security. http://www.windowsitpro.com/go/podcast/coresecurity/forefrontclient/?code=SECHot === GIVE AND TAKE
====================================
SECURITY MATTERS BLOG: Firefox 2.0.0.2 Released--Finally! by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters Mozilla Foundation released Firefox 2.0.0.2, fixing many security bugs along with other annoying problems. http://www.windowsitpro.com/Article/ArticleID/95323 FAQ: Enable Parental Controls in Vista by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q: How do I enable the Windows Vista Parental Controls feature on a domain-joined machine? Find the answer at http://www.windowsitpro.com/Article/ArticleID/95255 SHARE YOUR SECURITY TIPS AND GET $100 Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. MICROSOFT LEARNING PATHS FOR SECURITY: Securing Your Messaging Infrastructure These resources provide guidance on securing your messaging infrastructure, including best practices for message hygiene technologies and configuration strategies. You'll also get an in-depth look at the Microsoft Forefront line of business security products, which help protect application servers such as Microsoft Exchange Server 2007, Microsoft Office SharePoint Server 2007, and Microsoft Office Communications Server 2007. http://www.microsoft.com/technet/security/learning === PRODUCTS
=========================================
by Renee Munshi, [email protected] Assess Your Data Vulnerability Scentric announced the availability of the Data Privacy Assessment Tool, which you can download and use for 30 days if you register on the Scentric Web site. The tool classifies files on laptops, desktops, and file servers, discovering data from several preset categories, including confidential, copyright, credit cards, Social Security numbers, payroll, and health. After you determine your level of vulnerability, you can use Scentric Destiny Enterprise Suite for Data Privacy to enforce policies. The Destiny Enterprise Suite includes a classification engine, support for major file types including Microsoft Exchange email, and prebuilt rule sets that provide automated operations and a foundation for protecting sensitive information. For more information, go to http://www.scentric.com WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate. === RESOURCES AND EVENTS
=============================
For more security-related resources, visit http://www.windowsitpro.com/go/securityresources Every business faces risk. Have you properly assessed your company's risk and put a focus on business continuity? Attend this free, on-demand Web seminar to learn how you can ensure seamless recovery of your key systems and keep your users continuously connected. http://www.windowsitpro.com/go/seminars/neverfail/managingrisk/?partnerref=0305e&r Because a secure email and messaging infrastructure is fundamental to your business, every organization needs to plan from the start for three fundamental email and messaging management services: security, availability, and control services. This eBook explains how to implement those services in a Microsoft-centric email and messaging environment. Download now! http://www.windowsitpro.com/go/ebook/symantec/messagingmanagement/?code=0305e&r Windows + UNIX/Linux = You Need TechX World! If you work in an environment that includes Windows plus UNIX or Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today! http://www.techxworld.com/registration/?code=epromo === FEATURED WHITE PAPER
=============================
Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traveling your network. http://www.windowsitpro.com/go/whitepapers/stbernard/cleanup/?code=0305featwp === ANNOUNCEMENTS
====================================
Introducing a Unique Security Resource Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50! https://store.pentontech.com/index.cfm?s=1&promocode=eu2572us Grab Your Share of the Spotlight! Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting April nominations now, but only for a limited time! Submit your nomination today: http://www.windowsitpro.com/go/itpromonth
===========================================================
Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://www.windowsitpro.com/windowssecurity
http://www.securityprovip.com
Subscribe to Security UPDATE at
http://www.windowsitpro.com/Email/Index.cfm?action=archive
Unsubscribe by clicking
http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%
Be sure to add [email protected] to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- [email protected]
About technical questions -- http://www.windowsitpro.com/forums
About your product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
About the Author
You May Also Like