[ISN] Secure PHP Configuration

From: InfoSec News (alerts@private)
Date: Thu Mar 08 2007 - 01:08:26 PST

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


Ontrack Data Recovery: Data loss prevention tips

Free White Paper: Address the Insider Threat

Podcast: The Inside Story on Forefront Client Security

=== CONTENTS ===================================================

IN FOCUS: Secure PHP Configuration

   - RFID Hacking Presentation Draws Legal Threats
   - 5 Vulnerabilities Kick Off Month of PHP Bugs
   - Recent Security Vulnerabilities

   - Security Matters Blog: Firefox Released--Finally!
   - FAQ: Enable Parental Controls in Vista
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Securing Your Messaging 

   - Assess Your Data Vulnerability
   - Wanted: Your Reviews of Products 




=== SPONSOR: Ontrack Data Recovery =============================

Ontrack Data Recovery: Data loss prevention tips

Snow storms, extreme heat, hurricanes... they all have the potential to 
interrupt your business and damage your data storage systems. While 
your business might never be directly impacted by a natural disaster, 
data loss can strike companies anytime and anywhere.

Be prepared by learning how to prevent data loss and what to do when 
data loss affects your business. 

Ontrack Data Recovery, the world leader in data recovery services and 
software, is pleased to offer a FREE e-newsletter that addresses data 
loss prevention and response. 

Recent topics discussed in Ontrack's Data Recovery News include: 
- Seven things to avoid when your drive crashes 
- Data recovery options for flash media
- Do-it-yourself data recovery software products

Sign up for the FREE Ontrack Data Recovery Newsletter today: 

=== IN FOCUS: Secure PHP Configuration =========================
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

A Month of PHP Bugs was launched March 1. If you missed last week's 
editorial about this initiative, you can read it on our Web site at the 
URL below. Be sure to also read the related news item "5 
Vulnerabilities Kick Off Month of PHP Bugs," which you can link to from 
the Security News and Features section below. 

So far, Stefan Esser has posted several interesting vulnerabilities on 
his Month of PHP Bugs site, some of which you can avoid by specific 
practices. If you use PHP on your server, then you need to examine its 
configuration to make sure you're not overly exposing aspects of the 
engine, which could in turn expose your entire system and possibly 
other parts of your network. 

If your Web system is closed (i.e., you don't allow others to upload or 
create any files), your potential security risks are more limited than 
if it's open. Either way, you need to take precautions to ensure that 
certain functions aren't usable unless you intend for them to be used.

One example is that PHP can allow the use of the exec and shell_exec 
functions, which essentially let you run OS commands and retrieve the 
output. I've used the shell_exec function to good advantage. I had an 
account with a Web hosting company, which had a server that would 
frequently slow to a crawl, making nearly all access impossible. I grew 
tired of the support staff's vague explanations and decided to 
investigate the problem myself. 

With the help of the shell_exec function (and a few others), I could 
use PHP to look at a lot of the server's operational characteristics. I 
discovered the bottleneck, contacted support, and alluded to the 
problem. I figure the support team members scratched their heads for a 
couple months wondering how I knew what was happening before they 
finally wised up and disabled the shell_exec function. 

In another example, I signed up for a blog at a popular site, which 
will remain unnamed here. I wanted specific blog functionality that 
wasn't available, so I went to work on a way around the limitations. I 
discovered that this site too allowed dangerous functions to operate. 
With a little work, I could navigate nearly the entire server disk 
subsystem at will, read configuration files, discover path information, 
and then manipulate my blog to gain the functionality I wanted by using 
the information I had gathered to enable my custom scripts to run. 
Eventually, the site staff figured out what was happening and disabled 
many dangerous functions. 

In addition to exec and shell_exec, some dangerous PHP functions are 
suexec, passthru, proc_open, proc_close, proc_get_status, proc_nice, 
proc_terminate, system, popen, pclose, dl, ini_set, virtual, 
set_time_limit, apache_child_terminate, posix_kill, posix_mkfifo, 
posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, and 
escapeshellarg. Go to this URL for other potentially dangerous 

You can disable functions by adding (or editing) a line in your php.ini 
file like this:
   disable_functions = "shell_exec, suexec, passthru"
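As an added example (not part of the newsletter), the following Python script audits a php.ini file against the function list above: it parses the disable_functions directive the way php.ini accepts it (optional quotes, comma or whitespace separators, ';' comments, last occurrence wins) and reports which of the listed functions are still callable. The php.ini fragment at the bottom is constructed for the demonstration.

```python
import re

# The functions the editorial lists as dangerous, plus exec and shell_exec.
DANGEROUS_FUNCTIONS = {
    "exec", "shell_exec", "suexec", "passthru", "proc_open", "proc_close",
    "proc_get_status", "proc_nice", "proc_terminate", "system", "popen",
    "pclose", "dl", "ini_set", "virtual", "set_time_limit",
    "apache_child_terminate", "posix_kill", "posix_mkfifo", "posix_setpgid",
    "posix_setsid", "posix_setuid", "escapeshellcmd", "escapeshellarg",
}


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the set of names listed in disable_functions.

    Skips ';' comment lines, strips a trailing ';' comment and surrounding
    quotes from the value, and splits on the comma/whitespace separators
    php.ini accepts. If the directive appears more than once, the last
    occurrence wins, as it does when PHP reads the file.
    """
    disabled: set[str] = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).split(";", 1)[0].strip().strip("\"'")
        disabled = {f.lower() for f in re.split(r"[,\s]+", value) if f}
    return disabled


def still_enabled(ini_text: str) -> list[str]:
    """Dangerous functions not covered by disable_functions, sorted."""
    return sorted(DANGEROUS_FUNCTIONS - parse_disable_functions(ini_text))


# Constructed sample php.ini fragment mirroring the one-line example above.
SAMPLE_INI = """\
; constructed sample, not a real server's php.ini
[PHP]
expose_php = Off
disable_functions = "shell_exec, suexec, passthru"
"""

if __name__ == "__main__":
    for name in still_enabled(SAMPLE_INI):
        print("still enabled:", name)
```

Run it against a server's real php.ini (or the output of php -i) to see how much of the list the current disable_functions line actually covers.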

More help for configuring PHP can be found at these URLs: 
   Ayman Hourieh's Blog
   WEB-DOT-DEV--PHP Configuration
   PHP Manual 
   PHP Security Consortium's PhpSecInfo

Finally, a good resource with lots of other links (including books) is 
available at the PHP Security Consortium's Web site: 

=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat 
   Learn how to develop a comprehensive management system that 
virtually eliminates the risk of an insider threat. Co-authored by 
NetIQ and Dr. Eric Cole, this informative white paper identifies the 
key business processes that must be secured and ready to build a 
solution to contain the insider threat

=== SECURITY NEWS AND FEATURES =================================

RFID Hacking Presentation Draws Legal Threats
   IOActive, a consulting firm that specializes in information risk 
management and application security analysis, was slated to give a 
presentation on RFID hacking at the Black Hat DC Briefings last week; 
however, the presentation was withdrawn due to controversy. 

5 Vulnerabilities Kick Off Month of PHP Bugs
   Of the first five vulnerabilities posted by Stefan Esser, two could 
cause a system crash, one could cause maximum CPU usage, thereby 
creating a Denial of Service (DoS) condition, and two can be exploited 
to cause data overflow conditions.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Core Security =====================================

Podcast: The Inside Story on Forefront Client Security
   Are all of your malware definitions completely up to date? If they 
are, then you are halfway home to total malware protection. Windows 
Vista may be the most secure Microsoft OS ever released, but malware is 
constantly evolving, and sometimes out-of-the-box security just isn't 
enough. In this exclusive podcast, Windows IT Pro Research and Strategy 
Director Karen Forster interviews Microsoft Product Manager Josue 
Fontanez about Microsoft's unified malware protection package: 
Forefront Client Security.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Firefox Released--Finally!
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4CFC0:57B62BBB09A69279E815B5C43101D5A9

Mozilla Foundation released Firefox, fixing many security bugs 
along with other annoying problems.

FAQ: Enable Parental Controls in Vista
   by John Savill, http://list.windowsitpro.com/t?ctl=4CFBE:57B62BBB09A69279E815B5C43101D5A9 

Q: How do I enable the Windows Vista Parental Controls feature on a 
domain-joined machine?

Find the answer at

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

   These resources provide guidance on securing your messaging 
infrastructure, including best practices for message hygiene 
technologies and configuration strategies. You'll also get an in-depth 
look at the Microsoft Forefront line of business security products, 
which help protect application servers such as Microsoft Exchange 
Server 2007, Microsoft Office SharePoint Server 2007, and Microsoft 
Office Communications Server 2007.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Assess Your Data Vulnerability
   Scentric announced the availability of the Data Privacy Assessment 
Tool, which you can download and use for 30 days if you register on the 
Scentric Web site. The tool classifies files on laptops, desktops, and 
file servers, discovering data from several preset categories, 
including confidential, copyright, credit cards, Social Security 
numbers, payroll, and health. After you determine your level of 
vulnerability, you can use Scentric Destiny Enterprise Suite for Data 
Privacy to enforce policies. The Destiny Enterprise Suite includes a 
classification engine, support for major file types including Microsoft 
Exchange email, and prebuilt rule sets that provide automated 
operations and a foundation for protecting sensitive information. For 
more information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Every business faces risk. Have you properly assessed your company's 
risk and put a focus on business continuity? Attend this free, on-
demand Web seminar to learn how you can ensure seamless recovery of 
your key systems and keep your users continuously connected. 

Because a secure email and messaging infrastructure is fundamental to 
your business, every organization needs to plan from the start for 
three fundamental email and messaging management services: security, 
availability, and control services. This eBook explains how to 
implement those services in a Microsoft-centric email and messaging 
environment. Download now! 

Windows + UNIX/Linux = You Need TechX World! 
   If you work in an environment that includes Windows plus UNIX or 
Linux, TechX World is the place to go for practical strategies and 
resources to add to your toolkit. This one-day technical training event 
will teach you how to make the most of open-source tools on Windows and 
how to manage and sync multiple directories. Register today! 

=== FEATURED WHITE PAPER =======================================

Do you want to block unwanted or undesirable email? Download this free 
white paper to learn how to manage the content of messages traveling 
your network.    

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting April nominations now, but only for a limited 
time! Submit your nomination today: 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4CFC5:57B62BBB09A69279E815B5C43101D5A9
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
