We are learning the forms a php.ini value can take:
1. A string delimited by quotation marks (such as: "foo")
2. A number (integer or floating point, such as: 0, 1, 34, -1, 33.55)
3. A PHP constant (such as: E_ALL, M_PI)
4. An INI constant (On, Off, none)
5. An expression (such as: E_ALL & ~E_NOTICE)
There is also a Boolean form: 1 (or On) means the setting is enabled and 0 (or Off) means it is disabled; true/false and yes/no are accepted as well. php.ini is divided into sections, such as the module section, the PHP global configuration, the database configuration and so on. With the basics covered, we can look at the settings whose defaults are unsafe.
The first important parameter is register_globals. It controls how PHP exposes request parameters to the script. When it is On, every value from the query string, POST body and cookies is registered directly as a global variable (a request with ?admin=1 creates $admin), so any variable the script forgets to initialize can be set by the client. When it is Off, scripts must read values from the superglobals $_GET, $_POST and $_COOKIE. Judging from the PHP exploits published on www.milw0rm.com, most depend on register_globals being On, so it should be Off. It has been Off by default since PHP 4.2.0 and the directive was removed entirely in PHP 5.4, so on a current release there is nothing to do; on an older installation check it and turn it off.
The second important parameter is magic_quotes_gpc. With it On, PHP prepends a backslash to the single quote ('), double quote ("), backslash (\) and NUL characters in every value arriving through $_GET, $_POST and $_COOKIE, which blunts the simplest SQL injection payloads; with it Off the raw values reach the script. The original advice is to set it On, and on legacy PHP (before 5.4) that is still better than Off. Two caveats a practitioner should know: the feature was deprecated in PHP 5.3 and removed in PHP 5.4, so it cannot be relied on; and even where it exists it is no substitute for prepared statements (or, at minimum, mysql_real_escape_string()), because it does nothing for values used in an unquoted numeric context and the escaping it applies is MySQL syntax that is wrong for other databases.
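As an added illustration (not part of the original article) of why magic_quotes_gpc is not a real defense: the script below emulates the escaping it performed and runs a lookup two ways against a constructed in-memory sqlite3 table. The numeric-context payload contains none of the four characters magic quotes touches, so the escaped query still returns every row, while the parameterized query does not. sqlite3 stands in for MySQL here; the backslash escaping itself is MySQL syntax, which is a second reason not to rely on it.

```python
import sqlite3


def magic_quotes_gpc(value: str) -> str:
    """Emulate what magic_quotes_gpc = On did to every $_GET/$_POST/$_COOKIE
    value: backslash-escape ' " \\ and NUL, and nothing else.
    (Emulation written for this example; PHP does this in C.)"""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str):
    """The pattern magic quotes was supposed to protect: the request value is
    concatenated into SQL after escaping. Because the column is numeric the
    value is not quoted, so the attacker never needs ' or " and the escaping
    changes nothing."""
    escaped = magic_quotes_gpc(user_id)
    sql = "SELECT id, name FROM users WHERE id = " + escaped
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str):
    """The real fix: validate the type, then bind the value as a parameter so
    it can never be parsed as SQL."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("escaped payload:", magic_quotes_gpc(payload))      # unchanged
    print("vulnerable:", vulnerable_lookup(db, payload))      # all three rows
    print("safe:", safe_lookup(db, payload))                  # []
```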
The third important parameter is display_errors. It matters because every developer makes mistakes, and display_errors makes PHP print warnings and errors into the page so they can be located. That is useful during development but harmful in production: a warning such as a failed include() prints the full filesystem path of the script, and the web root is exactly what an attacker needs when writing a webshell or choosing a target for a file-write bug. Set display_errors = Off in production and keep the diagnostics by setting log_errors = On with error_log pointing at a file outside the web root.
The fourth important parameter is safe_mode, PHP's built-in safe mode. It restricts functions such as system() and many of the file-operation functions, applies ownership checks to file access and blocks access to sensitive files such as /etc/passwd. The default php.ini does not enable it; the original advice is safe_mode = On. Note that safe mode was never a complete sandbox (the COM issue below is one example of a bypass), it was deprecated in PHP 5.3 and removed in PHP 5.4, so treat open_basedir and disable_functions as the real controls.

The fifth parameter is open_basedir. It limits the files a PHP script can open to the listed directory trees, which keeps scripts (and a webshell dropped by an attacker) away from files outside the site. Normally restrict it to the website directory; assuming the site lives in E:\test:

open_basedir = E:\test

Also list any directory the application legitimately needs, such as its temp or session directory, or those features stop working.

The sixth parameter is disable_functions, which removes functions that are a serious threat to the system from the language.
For example, the phpinfo() page we saw in the first part reveals PHP's environment variables and configuration, and functions such as system() and exec() run operating-system commands. The recommended list to disable is:

disable_functions = phpinfo, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, popen, stream_socket_server

If a function on the list is unfamiliar, look it up and decide for your own server whether to ban it; scandir and readlink in particular are used by ordinary applications and disabling them can break things. Two limits worth knowing: disable_functions only covers internal functions, not user-defined ones, and it must be set in php.ini itself (it cannot be changed at runtime with ini_set()).
The seventh parameter concerns the COM component. On Windows, the PHP scripting platform had a weakness that let an attacker use the COM() class to create system component objects and execute arbitrary commands even with safe_mode enabled. Safe mode prohibits system() and passthru(), but it does not govern COM object creation, and com.allow_dcom was left true, so an attacker could instantiate a component and run commands through it.

If Apache is running with its default settings, or the web server runs as LocalSystem or with Administrators rights, the commands run with those privileges, so the weakness also gives privilege escalation. Check com.allow_dcom and set it explicitly to com.allow_dcom = false. One caveat: com.allow_dcom only controls whether PHP may act as a DCOM client and instantiate objects on remote machines; it does not stop local COM() calls. To close those, do not enable the com_dotnet extension at all, or add COM and DOTNET to disable_classes.

The eighth parameter is expose_php. It determines whether PHP announces itself in the response: when On, PHP adds an X-Powered-By header that reveals the PHP version, which tells an attacker exactly which bugs to try. The recommended value is Off.
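To check a php.ini against the eight settings discussed above (plus log_errors as the companion to turning display_errors off), here is an added audit script; it is example code written for this page, not from the article. It needs only the Python standard library, and the two php.ini fragments inside it are constructed samples, one deliberately weak and one hardened as recommended. It reads the file, not PHP's effective configuration, so overrides in .htaccess, per-pool FastCGI settings or ini_set() are not seen; compare with `php -i` or a phpinfo() page viewed from a trusted host if in doubt.

```python
"""Audit a php.ini file against the hardening checklist above (added example)."""

# php.ini boolean spellings: the INI constants On/Off/none plus 1/0, true/false, yes/no.
BOOL_TRUE = {"1", "on", "true", "yes"}
BOOL_FALSE = {"0", "off", "false", "no", "none", ""}

WANT_OFF = ["register_globals", "display_errors", "expose_php", "com.allow_dcom"]
WANT_ON = ["log_errors"]                          # added here: keep errors in a log, not the page
LEGACY_WANT_ON = ["magic_quotes_gpc", "safe_mode"]  # removed in PHP 5.4; checked only if present
# The article's disable_functions list, with popen and passthru as separate entries.
DANGEROUS = ["phpinfo", "passthru", "exec", "system", "chroot", "scandir", "chgrp",
             "chown", "shell_exec", "proc_open", "proc_get_status", "ini_alter",
             "ini_restore", "dl", "pfsockopen", "openlog", "syslog", "readlink",
             "symlink", "popen", "stream_socket_server"]


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: skips blank lines, ';' comments and [sections],
    honours "quoted" values, strips trailing ';' comments, and lets later
    duplicates override earlier ones as PHP does. Expressions such as
    E_ALL & ~E_NOTICE are kept as raw text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()
        settings[key.strip()] = value
    return settings


def as_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in BOOL_TRUE:
        return True
    if v in BOOL_FALSE:
        return False
    raise ValueError(f"not a boolean INI value: {value!r}")


def audit(settings: dict) -> dict:
    """Return {directive: problem} for every directive that deviates from the list."""
    problems = {}
    for key in WANT_OFF:
        raw = settings.get(key)
        if raw is None:
            problems[key] = "not set explicitly; set it to Off"
        elif as_bool(raw):
            problems[key] = f"is {raw!r}; set it to Off"
    for key in WANT_ON:
        raw = settings.get(key)
        if raw is None or not as_bool(raw):
            problems[key] = f"is {raw!r}; set it to On"
    for key in LEGACY_WANT_ON:
        raw = settings.get(key)
        if raw is not None and not as_bool(raw):
            problems[key] = f"is {raw!r}; on PHP < 5.4 set it to On (gone in 5.4+)"
    if not settings.get("open_basedir"):
        problems["open_basedir"] = "not set; restrict scripts to the site directory"
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in DANGEROUS if f not in disabled]
    if missing:
        problems["disable_functions"] = "still allowed: " + ", ".join(missing)
    return problems


# Constructed samples for this example, not real server configuration.
WEAK_INI = """; deliberately weak
register_globals = On
magic_quotes_gpc = Off
display_errors = On
safe_mode = Off
expose_php = On
disable_functions =
[com]
com.allow_dcom = true
"""

HARDENED_INI = r"""; hardened as recommended above
register_globals = Off
magic_quotes_gpc = On
display_errors = Off
log_errors = On
safe_mode = On
expose_php = Off
open_basedir = E:\test
disable_functions = phpinfo, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, popen, stream_socket_server
[com]
com.allow_dcom = false ; DCOM off
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for directive, problem in audit(parse_php_ini(ini)).items():
            print(f"  {directive}: {problem}")
```

To run it against a real file, replace the sample with `audit(parse_php_ini(open("php.ini").read()))`; an empty result means every listed directive matches the checklist.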
These are the basic parameters. php.ini has many more settings, most of which have nothing to do with security; a large share concern how PHP runs (optimization, resource limits and so on). The official PHP manual documents each of them if you want to go further. Note: after modifying php.ini you must restart the web server (IIS here, or whichever server or PHP process host is in use), otherwise the new settings do not take effect.