Security Hints for installing ConfTool and other PHP/mysql applications
MySql Database Security
=======================
- I usually recommend blocking all access to the MySQL database server
from other hosts. The easiest way to do this is to add the parameter
skip-networking
to your MySQL configuration file "my.cnf" (usually in /etc/ or C:/Windows/).
- Many distributions install a root MySQL user without any password!
So make sure to set a password for the root user after a new server
installation.
From the command line call
mysql -u root mysql
In the mysql client you then have to enter two commands:
UPDATE user SET Password=PASSWORD('myNewPassword') WHERE user='root';
flush privileges;
The second command makes the MySQL server re-read its privilege tables,
so the new password takes effect.
(On MySQL 5.7 and later the Password column no longer exists; use
ALTER USER 'root'@'localhost' IDENTIFIED BY 'myNewPassword';
instead.)
Alternatively you can also use the "mysqladmin" tool:
mysqladmin -u root password
You will be prompted for the new password.
If you get
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
a password for the user root is already set. :-)
Apache Server Security
======================
I always recommend blocking access to all backup files. If they are,
for instance, copies of PHP files, they are usually not executed but
served as plain text, and so may reveal parameters like the password
for your MySQL database.
To block access to backup files with the extensions "bak", "BAK" and "~",
put the deny rules into a FilesMatch section in your httpd.conf file:
<FilesMatch "(\.bak|\.BAK|~)$">
    Order deny,allow
    Deny from all
</FilesMatch>
(On Apache 2.4 and later, "Require all denied" replaces the two
Order/Deny lines.)
So an example for the ConfTool directory would be:
<Directory "/path/to/conftool">
    # For ConfTool you need none of the Options directives if you do not
    # use the .htaccess file, but make the ConfTool settings in php.ini
    Options None
    # Controls who can get stuff from this server.
    Order deny,allow
    Allow from all
    # Prevent access to backup files!
    <FilesMatch "(\.bak|\.BAK|~)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>
PHP Security Settings
=====================
DISABLE_FUNCTIONS
-----------------
Some PHP functions make your system vulnerable, as they can be used to
run commands on the system or to disclose source files and configuration.
These are:
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
However, ConfTool uses two of these functions:
- "exec" is used for some credit card gateways and on Windows systems to
check whether the domain name of an email address exists
- "popen" is used in the "phpmailer" library to send emails.
Therefore, if you use one of the above, you should only disable the following
functions in the file "php.ini":
disable_functions = show_source, system, shell_exec, passthru, phpinfo, proc_open
REGISTER_GLOBALS
----------------
register_globals = Off
should always be set; otherwise all HTTP request variables (GET, POST, cookies)
become global variables in your PHP application. This is a potential security
problem for any PHP application.
ALLOW_URL_FOPEN
---------------
allow_url_fopen = Off
This should be set on most servers. It prevents scripts from opening or
including PHP code from external URLs.
DISPLAY_ERRORS
--------------
display_errors = Off
turns off the output of PHP error messages in the browser. It should always
be set to "Off" in a production environment, as error messages can reveal
file paths and other internals. If you still want to see error messages, set
log_errors = On
to write all error messages to the server's error log file instead.
OPEN_BASEDIR
------------
Syntax: open_basedir = /path/to/conftool
This restricts the files that PHP scripts on your web server may open or
include to the given directory trees. Files outside the given paths cannot
be read or executed. I think it is always recommended to use it.
Note the trailing slash: open_basedir matches path prefixes, so
"/home/conftool" would also allow access to "/home/conftool2".
Example for Windows (paths separated by ";"):
open_basedir = "D:/www/conftool/;C:/Programme/Apache Group/Apache/htdocs/"
Unix example (paths separated by ":"):
open_basedir = "/home/conftool/:/srv/www/"
SAFE_MODE
---------
safe_mode = On/Off
This restricts what PHP scripts on your web server may access. It is currently
NOT recommended to use it with ConfTool, as e.g. timeouts cannot be set and
access to file uploads is limited. ConfTool does somehow work with this setting,
but there are many potential problems (e.g. with bulk mails).
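As an added example (not part of the original hints and not ConfTool's own code), a POSIX shell audit that checks a php.ini against the settings recommended in this section; the sample php.ini is constructed inline, and the function names (ini_get, check_flag, check_disabled, audit) are mine. safe_mode is deliberately not checked, since the text advises against it.

```shell
#!/bin/sh
# Audit a php.ini against the PHP settings recommended above.
# Constructed sample (not a real ConfTool php.ini); three settings are deliberately weak.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample php.ini
register_globals = On
allow_url_fopen = Off
display_errors = On
log_errors = Off
disable_functions = show_source, system, shell_exec, passthru, phpinfo, proc_open
open_basedir = "/home/conftool/:/srv/www/"
EOF

# ini_get FILE KEY: value of KEY (last uncommented occurrence wins, as in PHP), quotes stripped
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# check_flag FILE KEY EXPECTED: succeeds if KEY equals EXPECTED (case-insensitive)
check_flag() {
    v=$(ini_get "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$v" = "$3" ]
}

# check_disabled FILE FUNC: succeeds if FUNC is listed in disable_functions
check_disabled() {
    ini_get "$1" disable_functions | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# audit FILE: print one line per finding; the return value is the number of findings
audit() {
    n=0
    check_flag "$1" register_globals off || { echo "register_globals should be Off"; n=$((n + 1)); }
    check_flag "$1" allow_url_fopen off  || { echo "allow_url_fopen should be Off"; n=$((n + 1)); }
    check_flag "$1" display_errors off   || { echo "display_errors should be Off"; n=$((n + 1)); }
    check_flag "$1" log_errors on        || { echo "log_errors should be On"; n=$((n + 1)); }
    # exec and popen are left enabled on purpose: ConfTool needs them (see above)
    for f in show_source system shell_exec passthru phpinfo proc_open; do
        check_disabled "$1" "$f" || { echo "disable_functions should include $f"; n=$((n + 1)); }
    done
    [ -n "$(ini_get "$1" open_basedir)" ] || { echo "open_basedir is not set"; n=$((n + 1)); }
    return "$n"
}

audit "$SAMPLE_INI" || echo "$? finding(s) in $SAMPLE_INI"
rm -f "$SAMPLE_INI"
```

Run it against your own php.ini with `audit /etc/php.ini`; a return value of 0 means every recommended setting is in place.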