PHP环境安全性能检查

PHP在Linux环境下的安全配置是一个复杂的过程,其中涉及很多细节设置。这里发布一个脚本,通过它来检测你的PHP环境是否存在安全隐患,从而有针对性地对你的PHP环境进行加固。
功能:

  • 1.检测PHP环境安全配置
  • 2.应禁用的功能。
  • 3.危险的设置,可能会导致本地或远程文件包含。
  • 4.错误处理。
  • 5.在编译时定义的常量。
  • 安装PHP环境后,将这三个文件(audit.php php.xml style.css)放在网站web目录下,用浏览器访问 audit.php。它会根据XML文件中的匹配规则,在你当前配置的基础上检测出可能存在的配置错误,存在问题的选项会以红色突出显示。当然还有一些内容可以根据你的要求更改。
    效果如下:

    audit.php

    1. <?php
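    /**
     * PHP Security Auditor
     *
     * Compares the running PHP configuration (ini settings, defined constants and the
     * disable_functions list) against rules loaded from an XML file and renders the
     * result as HTML tables. Rows that violate a rule get the "r" (red) class from
     * style.css, compliant rows the "v" class.
     *
     * Usage: LoadRules(), then ProcessXML(), then HTMLReport().
     *
     * The rendered page prints the server's current ini values and constants, so it is
     * meant for the administrator only and should be removed from the web root once the
     * audit is done.
     */
    class Audit {

        /** @var SimpleXMLElement|null Rule set loaded by LoadRules() */
        static private $rules;
        /** @var array|null Snapshot of get_defined_constants() taken in LoadRules() */
        static private $constants;
        /** @var int|null Running PHP version in PHP_VERSION_ID form (e.g. 50300) */
        static private $phpVer;

        /**
         * Report rows, keyed by type ("ini", "disabled", "const") and then by setting name.
         * Each row is array("c" => current, "r" => recommended, "d" => description, "p" => 0|1)
         * where "p" is 1 when the setting does not comply with the rule.
         *
         * @var array
         */
        static public $report = array();

        /**
         * Converts ini shorthand sizes such as 1M, 1G, 1K (upper or lower case) to bytes.
         *
         * @param string|int|false $n  raw ini value; false/"" (unknown setting) yields ""
         * @return string|int          byte count, PHP_INT_MAX for "-1" (no limit), or the
         *                             trimmed input unchanged when it carries no known suffix
         */
        static private function convertToBytes($n) {

            $n = trim((string)$n);

            // "-1" means "no limit" for settings such as memory_limit
            if ($n === "-1")
                return PHP_INT_MAX;

            // ini accepts the suffix in either case ("128M" and "128m" are the same)
            $unit = strtoupper(substr($n, -1));
            $number = substr($n, 0, -1);

            // A suffix without a numeric part ("M") is returned as-is rather than multiplied
            if (!is_numeric($number))
                return $n;

            switch ($unit) {
                case "B": return $number;
                case "K": return $number * 1024;
                case "M": return $number * 1024 * 1024;
                case "G": return $number * 1024 * 1024 * 1024;
            }
            return $n;
        }

        /**
         * Renders one report type as an HTML table, rows sorted by setting name.
         *
         * @param string $type   report type ("ini", "disabled" or "const")
         * @param string $title  heading shown above the table
         * @return string        HTML fragment (empty table when the type has no rows)
         */
        static private function MakeReport($type, $title) {

            $html = '<h1>' . $title . '</h1><table><tr><th>Setting</th><th>Current</th><th>Recomended</th><th>Description</th></tr>';

            // A type with no rows (e.g. no const rules in the XML) must not be sorted/iterated
            if (isset(self::$report[$type])) {
                ksort(self::$report[$type]);

                foreach (self::$report[$type] as $key => $values) {
                    // style.css: "r" = red problem row, "v" = compliant row
                    $class = ($values['p'] == 1) ? "r" : "v";

                    // Values may be int (PHP_INT_MAX), null (missing constant) or string;
                    // the cast keeps htmlentities() happy on every PHP version
                    $html .= '<tr><td>' . htmlentities((string)$key) . '</td>' .
                        '<td class="' . $class . '">' . htmlentities((string)$values['c']) . '</td>' .
                        '<td class="' . $class . '">' . htmlentities((string)$values['r']) . '</td>' .
                        '<td class="' . $class . '">' . htmlentities((string)$values['d']) . '</td></tr>';
                }
            }
            $html .= '</table>';

            return $html;
        }

        /**
         * Prints the complete HTML page (ini, disabled functions and const tables).
         *
         * The page links style.css from the same directory, which supplies the
         * "r"/"v" row colours.
         *
         * @return void
         */
        static public function HTMLReport()
        {
            $html = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">' .
                '<html><head>' .
                '<link rel="stylesheet" type="text/css" href="style.css" />' .
                '</head><body>';

            $html .= self::MakeReport("ini", "PHP INI");
            $html .= self::MakeReport("disabled", "PHP Disabled Functions");
            $html .= self::MakeReport("const", "PHP CONST");

            $html .= '</body></html>';

            echo($html . "\n");
        }

        /**
         * Adds an item to the reporting array.
         *
         * When the same key was already reported as a problem and its recommended value
         * compares lower (loose "<") than the new one, the existing row is kept.
         *
         * @param string $type          the type (ini, disabled or const)
         * @param string $key           the name of the variable
         * @param mixed  $currentValue  the current ini or const value
         * @param mixed  $recomended    the recommended value
         * @param string $desc          a description of the issue
         * @param int    $problem       1 if not compliant, 0 if compliant
         * @return void
         */
        static private function Report($type, $key, $currentValue, $recomended, $desc, $problem)
        {
            if (isset(self::$report[$type][$key])
                && (self::$report[$type][$key]['r'] < $recomended)
                && (self::$report[$type][$key]['p'] == 1))
                return;

            self::$report[$type][$key] = array(
                "c" => $currentValue,
                "r" => $recomended,
                "d" => $desc,
                "p" => $problem
            );
        }

        /**
         * Loads the rules from an XML file and snapshots the PHP version and constants.
         *
         * @param string $file  path of the rules file
         * @throws RuntimeException when the file cannot be read or parsed as XML
         * @return void
         */
        static public function LoadRules($file = "php.xml")
        {
            if (!defined('PHP_VERSION_ID'))
            {
                // PHP_VERSION_ID exists since 5.2.7; rebuild it from PHP_VERSION on older releases
                $version = explode(".", PHP_VERSION);
                self::$phpVer = ((int)$version[0] * 10000 + (int)$version[1] * 100 + (int)$version[2]);
            } else
                self::$phpVer = PHP_VERSION_ID;

            self::$constants = get_defined_constants();

            // The rules file is local and trusted; LIBXML_NONET still keeps the parser
            // from following any network reference it might contain.
            $rules = is_readable($file)
                ? simplexml_load_file($file, 'SimpleXMLElement', LIBXML_NONET)
                : false;

            // simplexml_load_file() signals failure with false; an empty rule set would
            // otherwise produce a misleadingly clean report
            if ($rules === false)
                throw new RuntimeException("Unable to load rules file: " . $file);

            self::$rules = $rules;
        }

        /**
         * Processes the XML ruleset against const and ini values found in PHP.
         *
         * Each <entry> is first filtered by its optional <version> element and then
         * dispatched on its <type>: "const", "disable_functions" or "ini".
         *
         * @throws LogicException when LoadRules() has not been called first
         * @return void
         */
        static public function ProcessXML() {

            if (self::$rules === null)
                throw new LogicException("LoadRules() must be called before ProcessXML()");

            foreach (self::$rules as $tag => $entry) {

                if (!self::ruleAppliesToVersion($entry))
                    continue;

                // Evaluate the rule as we are sure it applies to the version of PHP running
                switch ((string)$entry->type)
                {
                    case "const":
                        self::processConstRule($entry);
                        break;

                    case "disable_functions":
                        self::processDisabledFunctionsRule($entry);
                        break;

                    case "ini":
                        self::processIniRule($entry);
                        break;
                }
            }
        }

        /**
         * Applies the optional <version op="before">NNNNN</version> filter of a rule.
         *
         * Only op="before" is implemented: the rule is skipped when the running PHP is
         * newer than the given version. A <version> without an op attribute (as in the
         * shipped php.xml) does not filter, so such rules are evaluated on every version.
         *
         * @param SimpleXMLElement $entry
         * @return bool  true when the rule should be evaluated
         */
        static private function ruleAppliesToVersion($entry) {
            $version = (string)$entry->version;
            if ($version == "")
                return true;

            $op = (string)$entry->version->attributes()->op;
            if ($op == 'before' && $version < self::$phpVer)
                return false;

            return true;
        }

        /**
         * Evaluates a <type>const</type> rule against get_defined_constants().
         *
         * Only op="eq" is supported; a <value> without op produces no report row.
         *
         * @param SimpleXMLElement $entry
         * @return void
         */
        static private function processConstRule($entry) {
            $key = (string)$entry->key; // e.g. LIBXML_NOENT
            // A constant absent from this build (extension not loaded) is reported with a null current value
            $cValue = isset(self::$constants[$key]) ? self::$constants[$key] : null;
            $rValue = (string)$entry->value; // The recommended value
            $desc = (string)$entry->description;

            switch ((string)$entry->value->attributes()->op)
            {
                case "eq":
                    self::Report("const", $key, $cValue, $rValue, $desc, ($cValue == $rValue) ? 0 : 1);
                    break;
            }
        }

        /**
         * Evaluates a <type>disable_functions</type> rule: every <function> in the
         * rule's <list> is checked against the ini disable_functions list.
         *
         * A list entry that is not a real function name can never appear in
         * disable_functions and is therefore always reported as "enabled".
         *
         * @param SimpleXMLElement $entry
         * @return void
         */
        static private function processDisabledFunctionsRule($entry) {
            if (!isset($entry->list))
                return;

            // disable_functions is comma-separated and entries may carry whitespace
            $disabled = array_map('trim', explode(",", (string)ini_get("disable_functions")));

            foreach ($entry->list->function as $function) {
                $name = trim((string)$function);

                // array_search() returns 0 for the first list entry, which loosely equals
                // false ("not found"), so membership is tested with a strict in_array()
                $isDisabled = in_array($name, $disabled, true);

                self::Report("disabled", $name, $isDisabled ? "disabled" : "enabled", "disabled", "", $isDisabled ? 0 : 1);
            }
        }

        /**
         * Evaluates a <type>ini</type> rule against ini_get().
         *
         * Supported <value> op attributes: "eq", "lt" (<=), "gt" (>=) and "ne"
         * (with net="..." for the forbidden value, or notblank="true"). A <value>
         * with type="key" names another ini setting to compare against. A <value>
         * without op matches no case and produces no report row.
         *
         * @param SimpleXMLElement $entry
         * @return void
         */
        static private function processIniRule($entry) {
            $key = (string)$entry->key; // e.g. display_errors
            $cValue = trim(self::convertToBytes(ini_get($key))); // Current value, shorthand sizes expanded
            $rValue = (string)$entry->value; // Recommended value
            $desc = (string)$entry->description;

            // An unset numeric setting counts as 0 so the numeric comparisons below are meaningful
            if (is_numeric($rValue) && $cValue == "") $cValue = "0";

            // type="key": the recommended value is itself another ini setting
            if ((string)$entry->value->attributes()->type == "key")
                $rValue = self::convertToBytes(ini_get((string)$entry->value));

            switch ((string)$entry->value->attributes()->op)
            {
                // Equal to
                case "eq":
                    self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue == $rValue) ? 0 : 1);
                    break;

                // Less than or equal to (the "< " label is kept for the report)
                case "lt":
                    self::Report("ini", $key, $cValue, "< $rValue", $desc, ($cValue <= $rValue) ? 0 : 1);
                    break;

                // Greater than or equal to (the "> " label is kept for the report)
                case "gt":
                    self::Report("ini", $key, $cValue, "> $rValue", $desc, ($cValue >= $rValue) ? 0 : 1);
                    break;

                // Not equal to
                case "ne":
                    $neValue  = (string)$entry->value->attributes()->net;
                    $notBlank = (string)$entry->value->attributes()->notblank;

                    // notblank="true": any non-empty value is compliant
                    if ($notBlank == "true") {
                        self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue != "") ? 0 : 1);
                        break;
                    }

                    self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue != $neValue) ? 0 : 1);
                    break;
            }
        }
    }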
    238.  
    // Entry point: load php.xml from the script's directory, evaluate every rule
    // against the running PHP, then print the HTML report.
    Audit::LoadRules();

    Audit::ProcessXML();

    Audit::HTMLReport();

    php.xml代码如下:

    1. <?xml?>
    2. <rules>
    3. <entry>
    4. <type>ini</type>
    5. <key>upload_max_filesize</key>
    6. <value>4194304</value>
    7. <description>Sets the maximum size of an uploaded file. Reduce this to mitigate the risk of DOS attacks.</description>
    8. </entry>
    9. <entry>
    10. <type>ini</type>
    11. <key>upload_max_filesize</key>
    12. <value>memory_limit</value>
    13. <description>The maximum size of an uploaded file should be able to fit within the available memory limit.</description>
    14. </entry>
    15. <entry>
    16. <type>ini</type>
    17. <key>post_max_size</key>
    18. <value>memory_limit</value>
    19. <description>The maximum post size of data posted to the server should be within the available memory limit.</description>
    20. </entry>
    21. <entry>
    22. <type>ini</type>
    23. <key>always_populate_raw_post_data</key>
    24. <value>0</value>
    25. <description>This does not need to be used. The preferred method for accessing the raw POST data is php://input.</description>
    26. </entry>
    27. <entry>
    28. <type>ini</type>
    29. <key>magic_quotes_gpc</key>
    30. <value>0</value>
    31. <description>Sets magic_quotes state for GPC (GET PUT COOKIE) data.  Relying on this feature is highly discouraged.</description>
    32. <version>50300</version>
    33. <url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc</url>
    34. </entry>
    35. <entry>
    36. <type>ini</type>
    37. <key>magic_quotes_runtime</key>
    38. <value>0</value>
    39. <description>Sets magic_quotes state for data from external sources.  Relying on this feature is highly discouraged.</description>
    40. <version>50300</version>
    41. <url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime</url>
    42. </entry>
    43. <entry>
    44. <type>ini</type>
    45. <key>safe_mode</key>
    46. <value>0</value>
    47. <description>This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.</description>
    48. <version>50300</version>
    49. </entry>
    50. <entry>
    51. <type>ini</type>
    52. <key>memory_limit</key>
    53. <value>16777216</value>
    54. <description>The maximum memory limit for each script should be 16M or less.</description>
    55. </entry>
    56. <entry>
    57. <type>ini</type>
    58. <key>upload_max_filesize</key>
    59. <value>post_max_size</value>
    60. <description>The maximum upload file size should be less than or equal to the maximum post size.</description>
    61. </entry>
    62. <entry>
    63. <type>ini</type>
    64. <key>max_file_uploads</key>
    65. <value>10</value>
    66. <description>The maximum number of files that can be uploaded in 1 go.</description>
    67. </entry>
    68. <entry>
    69. <type>ini</type>
    70. <key>file_uploads</key>
    71. <value>0</value>
    72. <description>This may be impractical but if not needed file uploading should be disabled.</description>
    73. </entry>
    74. <entry>
    75. <type>ini</type>
    76. <key>post_max_size</key>
    77. <value>4194304</value>
    78. <description>The maximum post size should be as small as reasonably possible to mitigate the risk of DOS attacks.</description>
    79. </entry>
    80. <entry>
    81. <type>ini</type>
    82. <key>register_long_arrays</key>
    83. <value>0</value>
    84. <description>Populates HTTP_*_VARS which should no longer be used.</description>
    85. <version>50300</version>
    86. </entry>
    87. <entry>
    88. <type>ini</type>
    89. <key>register_globals</key>
    90. <value>0</value>
    91. <description>Highly dangerous feature enabling variables to be defined in scripts from the GPC parameters. This should always be turned off.</description>
    92. <version>50300</version>
    93. </entry>
    94. <entry>
    95. <type>ini</type>
    96. <key>session.hash_function</key>
    97. <value>1</value>
    98. <description>MD5 should be replaced with SHA-160 as it is a more complex and secure hashing algorithm.</description>
    99. <version>50000</version>
    100. </entry>
    101. <entry>
    102. <type>ini</type>
    103. <key>session.hash_bits_per_character</key>
    104. <value>5</value>
    105. <description>The number of bits encoded per character of the session key.</description>
    106. <version>50000</version>
    107. </entry>
    108. <entry>
    109. <type>ini</type>
    110. <key>session.entropy_file</key>
    111. <value net="">/dev/random</value>
    112. <description>Provides a random seed for generating the session.</description>
    113. </entry>
    114. <entry>
    115. <type>ini</type>
    116. <key>session.entropy_length</key>
    117. <value>32</value>
    118. <description>The number of bytes to read for gathering entropy for session generation.</description>
    119. </entry>
    120. <entry>
    121. <type>ini</type>
    122. <key>session.name</key>
    123. <value>Custom String</value>
    124. <description>The name given to the PHP Session. It is recommended this be changed from the default.</description>
    125. </entry>
    126. <entry>
    127. <type>ini</type>
    128. <key>session.save_path</key>
    129. <value>/custom/location</value>
    130. <description>The save path for the session should be changed from the default /tmp.</description>
    131. </entry>
    132. <entry>
    133. <type>ini</type>
    134. <key>session.use_trans_sid</key>
    135. <value>0</value>
    136. <description>Sessions should not be allowed in GET parameters.</description>
    137. </entry>
    138. <entry>
    139. <type>ini</type>
    140. <key>display_errors</key>
    141. <value>0</value>
    142. <description>Error messages should be suppressed</description>
    143. </entry>
    144. <entry>
    145. <type>ini</type>
    146. <key>allow_url_fopen</key>
    147. <value>0</value>
    148. <description>Remote files should not be accessible using fopen.</description>
    149. </entry>
    150. <entry>
    151. <type>ini</type>
    152. <key>allow_url_include</key>
    153. <value>0</value>
    154. <description>You should not be able to include remote scripts using include.</description>
    155. </entry>
    156. <entry>
    157. <type>ini</type>
    158. <key>session.cookie_httponly</key>
    159. <value>1</value>
    160. <description>Cookies must be httponly by default</description>
    161. <version>50200</version>
    162. </entry>
    163. <entry>
    164. <type>ini</type>
    165. <key>open_basedir</key>
    166. <value>/the/webroot</value>
    167. <description>Limit the files that can be opened by PHP to the webroot.</description>
    168. </entry>
    169. <entry>
    170. <type>ini</type>
    171. <key>upload_tmp_dir</key>
    172. <value>/custom/location</value>
    173. <description>Change the location of where files are initially uploaded to</description>
    174. </entry>
    175. <entry>
    176. <type>ini</type>
    177. <key>max_execution_time</key>
    178. <value>20</value>
    179. <description>Execution time should be limited to 20 seconds or less.</description>
    180. </entry>
    181. <entry>
    182. <type>ini</type>
    183. <key>max_input_nesting_level</key>
    184. <value>32</value>
    185. <description>Maximum level of nesting of objects 32 is sufficient.</description>
    186. </entry>
    187. <entry>
    188. <type>ini</type>
    189. <key>enable_dl</key>
    190. <value>0</value>
    191. <description>Disable loading of dynamic extensions.</description>
    192. </entry>
    193. <entry>
    194. <type>ini</type>
    195. <key>display_startup_errors</key>
    196. <value>0</value>
    197. <description>Startup errors should be suppressed.</description>
    198. </entry>
    199. <entry>
    200. <type>ini</type>
    201. <key>log_errors</key>
    202. <value>1</value>
    203. <description>All errors generated by PHP should be logged to a file.</description>
    204. </entry>
    205. <entry>
    206. <type>ini</type>
    207. <key>log_errors_max_len</key>
    208. <value>2048</value>
    209. <description>At least 2048 characters of the error message should be stored in the error log.</description>
    210. </entry>
    211. <entry>
    212. <type>ini</type>
    213. <key>error_log</key>
    214. <value net="">/custom/location</value>
    215. <description>Should be set to the location of the php error log.</description>
    216. </entry>
    217. <entry>
    218. <type>const</type>
    219. <key>LIBXML_NOENT</key>
    220. <value>0</value>
    221. <description>External entities should be disabled for XML parsing</description>
    222. </entry>
    223. <entry>
    224. <type>ini</type>
    225. <key>session.use_only_cookies</key>
    226. <value>1</value>
    227. <description>Session variables should only be passed in cookies.</description>
    228. </entry>
    229. <entry>
    230. <type>const</type>
    231. <key>LIBXML_NONET</key>
    232. <value>0</value>
    233. <description>Network access for XML parsers should be disabled.</description>
    234. </entry>
    235. <entry>
    236. <type>disable_functions</type>
    237. <list>
    238. <function>fsocket_open</function>
    239. <function>pack</function>
    240. <function>escapeshellarg</function>
    241. <function>escapeshellcmd</function>
    242. <function>exec</function>
    243. <function>passthru</function>
    244. <function>proc_close</function>
    245. <function>php_uname</function>
    246. <function>getmyuid</function>
    247. <function>getmypid</function>
    248. <function>passthru</function>
    249. <function>leak</function>
    250. <function>listen</function>
    251. <function>diskfreespace</function>
    252. <function>tmpfile</function>
    253. <function>link</function>
    254. <function>ignore_user_abort</function>
    255. <function>set_time_limit</function>
    256. <function>limit</function>
    257. <function>exec</function>
    258. <function>highlight_file</function>
    259. <function>show_source</function>
    260. <function>fpaththru</function>
    261. <function>virtual</function>
    262. <function>posix_ctermid</function>
    263. <function>posix_getcwd</function>
    264. <function>posix_getegid</function>
    265. <function>posix_geteuid</function>
    266. <function>posix_getgid</function>
    267. <function>posix_getgrgid</function>
    268. <function>posix_getgrnam</function>
    269. <function>posix_getgroups</function>
    270. <function>posix_getlogin</function>
    271. <function>posix_getpgid</function>
    272. <function>posix_getpgrp</function>
    273. <function>posix_getpid</function>
    274. <function>posix</function>
    275. <function>posix_getpwnam</function>
    276. <function>posix_getpwuid</function>
    277. <function>posix_getrlimit</function>
    278. <function>posix_getsid</function>
    279. <function>posix_getuid</function>
    280. <function>posix_isatty</function>
    281. <function>posix_kill</function>
    282. <function>posix_mkfifo</function>
    283. <function>posix_setegid</function>
    284. <function>posix_seteuid</function>
    285. <function>posix_setgid</function>
    286. <function>posix_setpgid</function>
    287. <function>posix_setsid</function>
    288. <function>posix_setuid</function>
    289. <function>posix_times</function>
    290. <function>posix_ttyname</function>
    291. <function>posix_uname</function>
    292. <function>proc_open</function>
    293. <function>proc_close</function>
    294. <function>proc_get_status</function>
    295. <function>proc_nice</function>
    296. <function>proc_terminate</function>
    297. <function>phpinfo</function>
    298. <function>proc_open</function>
    299. <function>shell_exec</function>
    300. <function>system</function>
    301. <function>set_time_limit</function>
    302. <function>ini_alter</function>
    303. <function>dl</function>
    304. <function>popen</function>
    305. <function>parse_ini_file</function>
    306. </list>
    307. </entry>
    308. </rules>

    style.css代码如下:

    1. @CHARSET "UTF-8";
    2.  
    3. body {background-color: #ffffff; color: #000000;}
    4. body, td, th, h1, h2 {font-family: sans-serif;}
    5. pre {margin: 0px; font-family: monospace;}
    6. table {border-collapse: collapse;}
    7. td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;  padding-left:5px; padding-right:5px;}
    8. h1 {font-size: 150%;}
    9. h2 {font-size: 125%;}
    10. .p {text-align: left;}
    11. .e {background-color: #ccccff; font-weight: bold; color: #000000;}
    12. .h {background-color: #9999cc; font-weight: bold; color: #000000;}
    13. .v {background-color: #cccccc; color: #000000; padding-left:5px;}
    14. .r {background-color: #c50000; color: #000000;  padding-left:5px;}

    三个文件已经打包:php-security-check.zip
    转自:http://lanlan611.sinaapp.com/?p=112
