PHP-based web applications are still very popular and widely used in many organizations. Once the decision to install a new application has been made, the administrator must deploy a new server or environment for it. During this process the basic (default) options are usually left in place, in order to reach the “OK, it works” state as quickly as possible (which is often not the same as a secure state).
Sometimes an administrator googles for ‘php server tutorial’ and copy-pastes the commands provided. That is a security risk!
In this article we would like to present the iniscan tool, a php.ini scanner for security best practices. It is designed to scan a given php.ini file for common security practices and report the results (console, HTML, XML, JSON). Let’s prepare a test environment. Thanks to Docker and Composer, it should not take much time:
$ docker run --rm -it php:5.6 bash
# apt-get update && apt-get install -y zip git    ## install composer prerequisites
# curl --silent --show-error https://getcomposer.org/installer | php    ## install composer
# php composer.phar require psecio/iniscan    ## install iniscan package
Let’s run it against the default php.ini of PHP 5.6:
The report contains two statuses: PASS and FAIL. Start by focusing on the FAIL entries. The “Description” column contains hints on possible values and on the risk of leaving the current setting in place. E.g.:
session.cookie_domain - It is recommended that you set the default domain for cookies.
session.hash_function - Weak hashing algorithms in use. Rather use one of these: sha224...
session.cookie_httponly - Setting session cookies to 'http only' makes them only readable...
Remember not to apply the new settings all at once without checking what they are responsible for, especially on production servers. We advise following the documentation (http://php.net/manual/en/ini.list.php for example).
Command line usage:
If the path is omitted, iniscan will try to find it based on the current configuration ('php -i'). By default the report includes both PASS and FAIL results of the checks. If you would like to return only the failures, use the --fail-only option:
# iniscan scan --path=<path/to/php.ini> --fail-only
Various formats can be used for output. By default the 'scan' command generates console output and returns an exit code based on the results:
- 0: No errors
- 1: Failures found
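To make the report and the exit-code contract concrete, here is an added example (not code from this article or from the iniscan project): a small Python checker that applies the three session findings quoted above to a php.ini, prints PASS/FAIL lines with a description, supports a --fail-only style filter, and exits 0 when clean or 1 when any check failed, as described for the scan command. The two embedded php.ini samples are constructed, the check descriptions paraphrase the report hints, and the set of values treated as weak for session.hash_function is my assumption (in PHP 5.x the values 0 and 1 select MD5 and SHA-1); none of this is iniscan's own rule set.

```python
"""Minimal php.ini checker modelled on the three session findings quoted above.
Added example; it is not iniscan's code and implements only three of its checks."""
import configparser
import sys

# Constructed sample resembling the relevant lines of a PHP 5.6 default php.ini
# (assumption: only the directives the checks below look at are included).
WEAK_INI = """
[PHP]
expose_php = On

[Session]
session.cookie_domain =
session.hash_function = 0            ; 0 selects MD5
session.cookie_httponly =
"""

# The same directives with hardened values (constructed).
HARDENED_INI = """
[PHP]
expose_php = Off

[Session]
session.cookie_domain = "example.com"
session.hash_function = sha256
session.cookie_httponly = 1
"""

# In PHP 5.x, 0 and 1 select MD5 and SHA-1; any other value names a hash extension algorithm.
# Which names count as weak is this example's assumption, not iniscan's list.
WEAK_HASH_VALUES = {'', '0', '1', 'md5', 'sha1'}


def parse_php_ini(text):
    """Flatten php.ini text into {directive: value}. Section headers in php.ini
    are purely informational, so all sections are merged into one mapping."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=('=',),
                                      comment_prefixes=(';',),
                                      inline_comment_prefixes=(';',))
    cp.optionxform = str  # keep directive names exactly as written
    # Directives may appear before the first [section]; give them a home.
    cp.read_string('[__top__]\n' + text)
    directives = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            directives[key] = (value or '').strip().strip('"')
    return directives


def php_truthy(value):
    """PHP ini boolean semantics: On/True/Yes/1 are true; Off/False/No/None/0 and the
    empty string are false; any other non-empty string is truthy."""
    v = value.strip().lower()
    if v in ('on', 'true', 'yes', '1'):
        return True
    if v in ('off', 'false', 'no', 'none', '0', ''):
        return False
    return True


def run_checks(directives):
    """Return [(directive, status, description)] for the three findings quoted above."""
    domain = directives.get('session.cookie_domain', '')
    hash_fn = directives.get('session.hash_function', '').lower()
    httponly = directives.get('session.cookie_httponly', '')
    return [
        ('session.cookie_domain',
         'PASS' if domain else 'FAIL',
         'Set the default domain for session cookies.'),
        ('session.hash_function',
         'FAIL' if hash_fn in WEAK_HASH_VALUES else 'PASS',
         'MD5 (0) and SHA-1 (1) are weak; use sha224 or stronger.'),
        ('session.cookie_httponly',
         'PASS' if php_truthy(httponly) else 'FAIL',
         'HttpOnly session cookies are not readable from JavaScript.'),
    ]


def report_lines(results, fail_only=False):
    """Console-style report; fail_only mirrors the --fail-only switch."""
    return [f'{status}  {name:26} {desc}'
            for name, status, desc in results
            if not fail_only or status == 'FAIL']


def exit_code(results):
    """Same contract as the scan command: 0 when clean, 1 when any check failed."""
    return 1 if any(status == 'FAIL' for _, status, _ in results) else 0


if __name__ == '__main__':
    # Usage: python check_ini.py [path/to/php.ini] [--fail-only]
    # Without a path, the constructed weak sample is scanned.
    paths = [a for a in sys.argv[1:] if not a.startswith('--')]
    text = open(paths[0]).read() if paths else WEAK_INI
    results = run_checks(parse_php_ini(text))
    print('\n'.join(report_lines(results, fail_only='--fail-only' in sys.argv)))
    sys.exit(exit_code(results))
```

Run against the weak sample all three checks fail and the process exits 1; against the hardened sample they pass and it exits 0, which is the behaviour a CI job would key on. The parser merges php.ini sections because PHP itself ignores them: a directive means the same thing whether it sits under [PHP] or [Session].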
For HTML output, use the --output option to point to the output directory:
# iniscan scan --format=html --output=/var/www/output
The results will be written to a file named iniscan-output-date.html