30 Jan
2013
30 Jan
'13
5:42 p.m.
So I've decideed to join the cool kids and try PHP - in particular, I've
installed roundcube.
Is there any good info out there on securing php? I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
There's nothing all that good that shows up on a quick google - it
mostly seems focused at developers rather than running other people's
PHP code.
Michael
30 Jan
30 Jan
5:52 p.m.
Hi Michael,
On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
So I've decideed to join the cool kids and try PHP
- in particular, I've
installed roundcube.
Well, PHP was cool 5 years ago, now it's all ruby, node.js and
clojure. :)
Is there any good info out there on securing php?
I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
If "don't run PHP" doesn't work for you then my best advice is:
- Keep it up to date
- Run as few plugins, modules etc as possible and keep *those* up to date
- Expect to be compromised, so try to secure your PHP execution
environment from the rest of your server.
e.g. do assume that at some point an attacker will get to execute
commands as the user that is running your PHP app so try to reduce
what the app can do.
Good luck!
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
5:55 p.m.
On Wed, Jan 30, 2013 at 5:52 PM, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Michael,
On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
That recently? ;-p Surely Python had already displaced
Perl and PHP by then.
So I've decideed to join the cool kids and
try PHP - in particular, I've
installed roundcube.
Well, PHP was cool 5 years ago now it's all ruby, node.js and clojure. :)
Indeed :)
Adam
(proud to have been hacking Ruby since 2001)
6:15 p.m.
On Wed, Jan 30, 2013 at 05:52:38PM +0000, Andy Smith wrote:
Hi Michael,
On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
Eh. As much as I like to hate on php, any poorly written web application
is just as vulnerable. mod_php's default model just tends to be
inherently insecure, and silly application devs often solve permissions
issues with 777 "because it's just easier" (or maybe they're just
ignorant of how to *properly* secure a directory which needs to be
writable by the application)
That being said, "don't run PHP" :)
So I've decideed to join the cool kids and
try PHP - in particular, I've
installed roundcube.
Well, PHP was cool 5 years ago, now it's all ruby, node.js and
clojure. :)
Is there any good info out there on securing php?
I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
If "don't run PHP" doesn't work for you then my best advice is: - Keep it up to date
And the moment you stop using it, get rid of it. If you're not using it
daily, remove it. So many times at dreamhost customers were compromised
because of an application they'd installed and forgotten about which was
vulnerable. Keep an inventory of your applications, keep them up to
date. Purge early and purge often.
- Expect to be compromised, so try to secure your PHP
execution
environment from the rest of your server.
e.g. do assume that at some point an attacker will get to execute
commands as the user that is running your PHP app so try to reduce
what the app can do.
I can't agree with this statement any harder than I am right now. This
statement is basically web application security from an ops perspective
in a nutshell.
-Jeremy
31 Jan
31 Jan
7:24 a.m.
On 2013/01/30 8:15 PM, Jeremy Kitchen wrote:
Yeah. Definately agree here.
I don't run other people's code. I have one developer who works with me,
who uses wordpress - and he's not had any issues yet (touch wood), due
to keeping up-to-date, etc.
I write my own code. I write it securely. And then even if you manage to
get into my system, most of the times you can't even change my data
(user is read-only). You can't traverse the filesystem.
My own code has actually once been targeted by an international hackers
group. On a specific site (out of loads I have done) they managed to get
in via an obscure sql injection, and stole a load of *public*
information, and unfortunately a list of my sha1 passwords for logins to
that site (±100 users).
"$ update users set password='.';" invalidated all those passwords in a
couple of milliseconds. Our support staff had to simply re-generate
those passwords as the clients complained. And some of the clients
accessed that site once a month or less, so no huge strain on them.
Eh. As much as I like to hate on php, any poorly
written web application
is just as vulnerable. mod_php's default model just tends to be
inherently insecure, and silly application devs often solve permissions
issues with 777 "because it's just easier" (or maybe they're just
ignorant of how to *properly* secure a directory which needs to be
writable by the application)
I once had a _senior_ developer ask me how unix permissions works, as he
could not execute any commands. I don't know if his PATH was wrong or
anything as I wasn't allowed to touch the box. He ended up googling and
doing a... wait for it...
chmod -R 777 /
I saw that later on. Luckily I don't work there anymore.
Keep an inventory of your applications, keep them up
to
date. Purge early and purge often.
If any of these applications provides a "updates" or "security" list
join them.
- Expect to be
compromised, so try to secure your PHP execution
environment from the rest of your server.
e.g. do assume that at some point an attacker will get to execute
commands as the user that is running your PHP app so try to reduce
what the app can do.
I can't agree with this statement any harder than I am right now. This
statement is basically web application security from an ops perspective
in a nutshell.
30 Jan
30 Jan
6:49 p.m.
On Wed, Jan 30, 2013 at 05:52:38PM +0000, Andy Smith wrote:
Up till now this has been my strategy, and I'm still considering
sticking with it.
Is there any
good info out there on securing php? I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
If "don't run PHP" doesn't work for you then my best advice is: - Keep it up to date
I'm using the debian packages, and it's all set to auto-update.
- Run as few plugins, modules etc as possible and keep
*those* up to date
- Expect to be compromised, so try to secure your PHP execution
environment from the rest of your server.
e.g. do assume that at some point an attacker will get to execute
commands as the user that is running your PHP app so try to reduce
what the app can do.
This seems depressing but possibly sensible. I did find some references
to things like ensuring the php user can't send mail, but annoyingly I
actually want this app to send mail!
The PHP hate is making me think it may all have been a bad idea.
Michael
6:57 p.m.
Hello,
On Wed, Jan 30, 2013 at 06:49:33PM +0000, Michael Stevens wrote:
The PHP hate is making me think it may all have been a
bad idea.
PHP sucks but it's incredibly popular. There are mitigations and
coping strategies..
If the best implementation of the app I wanted to run was in PHP
then I would still run it.
http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/ is
a fun read.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
6:06 p.m.
On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
So I've decideed to join the cool kids and try PHP
- in particular, I've
installed roundcube.
You've picked a doozy of an application to start with! :)
Is there any good info out there on securing php?
I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
My best advice: make your docroot read-only to the application. Make the
files owned by root or something and your apache/mod_php (assuming
you're using mod_php) processes run as your apache/www-data/whatever
user.
Also, if any documentation tells you to chmod 777 a directory, burn it.
Burn the person who wrote said documentation, and stop using the
project. Or, submit an issue :)
If users have *any* control of files within your docroot (say, an
uploads directory, or something) make sure you have all of the
requisite settings like:
RemoveHandler .php
Options -ExecCGI -Indexes -Includes
AllowOverride None
(this is all assuming apache, btw)
Maybe even go as far as to limit referrers to content within that dir,
but that's pretty trivial to bypass if you're trying to prevent an
insecure application from becoming a warez dump.
There's nothing all that good that shows up on a
quick google - it
mostly seems focused at developers rather than running other people's
PHP code.
Also, the question is pretty broad. You might try to focus your search
by searching for the specific application you're trying to run.
Here are some general sub-categories of "securing php" I can think of:
1. Writing secure PHP code (see: perl)
2. Securing mod_php in a shared hosting environment (see: cgi)
3. chmod 777, fire, and you. (see: fire)
4. Preventing SQL injection vulnerabilities in PHP (see: PDO and
parameterized queries)
As I said, though, you'll probably have a lot better luck with your
search if you narrow it some. Securing web applications is a huge topic,
and any time you run someone else's code on your system, you're opening
yourself up to a potential vulnerability.
Make sure to get on the -announce mailing list for any php applications
you're running, watch very closely for security vulnerabilities. If
there are any security upgrades, upgrade *immediately*.
I would also highly recommend keeping a local
git/svn/darcs/hg/cvs/whatever of your application and pull in patches
that way. The primary benefit of this in a security sense is if your
application is compromised, you can simply do a "svn status" or
equivalent within your docroot to see if any new files were added to the
application code. You'll of course want to set svn:ignore (or
equivalent) on any uploads directories or such, but you've already
locked down that directory to prevent script execution in there, yes? :)
I feel I must warn you one last time, since this is *such* a common
thing. DO NOT. EVER. chmod 777 a directory for a web application. There
should exist no more than 2 chmod 777 directories on a given system:
/tmp
/var/tmp
Anything more than that and you're doing it wrong.
Sure, you may need to provide relaxed permissions for an application to
work, for instance wordpress needs to write to its uploads directory.
But 777 is not the answer. Make it root:apache 775 or something, or
better yet, run wp under cgi/fcgi as a separate user and make that user
the one who owns that directory (but not the rest of the docroot!)
If you're trying to set up some sort of shared hosting (even if it's
just for a friend or 2), do not use mod_php. mod_php is impossible to
secure in a shared hosting environment without placing huge limits on
what the application can do (safe_mode, open_basedir, etc) which often
are incompatible with off-the-shelf applications. One could argue that
those applications are simply poorly written, and normally I would
agree, but there are better models for securing applications on a unix
system than relying on your language interpreter to disallow certain
things.
Additionally, you may want to look into mod_security for apache. It can
often detect and prevent possible intrusion attacks before they even get
to your application, however keep in mind that depending on your
ruleset, you may end up with a large number of false positives. If you
have complete control of your application and know exactly everything
that might be used with it (request parameters, etc) then it's great,
though not a replacement for proper security in your code. See it as one
more layer of protection.
Anywho, I just realized I'm rambling. Sorry about that.
Good luck!
-Jeremy
6:22 p.m.
On Wed, Jan 30, 2013 at 6:06 PM, Jeremy Kitchen <kitchen(a)kitchen.io> wrote:
I feel I must warn you one last time, since this is
*such* a common
thing. DO NOT. EVER. chmod 777 a directory for a web application. There
should exist no more than 2 chmod 777 directories on a given system:
/tmp
/var/tmp
Actually, these should NOT be 777, but 1777 (assuming we're talking
Linux systems here)...
Jon
6:51 p.m.
On Wed, Jan 30, 2013 at 10:06:36AM -0800, Jeremy Kitchen wrote:
Additionally, you may want to look into mod_security
for apache. It can
often detect and prevent possible intrusion attacks before they even get
to your application, however keep in mind that depending on your
ruleset, you may end up with a large number of false positives. If you
have complete control of your application and know exactly everything
that might be used with it (request parameters, etc) then it's great,
though not a replacement for proper security in your code. See it as one
more layer of protection.
Anywho, I just realized I'm rambling. Sorry about that.
I did some testing on this, but it looked like it was going to take a
lot of setup to get around the false positive problem and I got pissed
off with the whole thing.
I like the idea of mod_security though.
Michael
6:57 p.m.
I quite like PHP, one of the first languages I learnt, it has it's quirks
and can be written terribly if a programmer doesn't keep on top of his
game. I like to think of PHP as a building block, because of it's low
barrier for entry it's one of the first programming languages a lot of
people learn, and it isn't too bad (I've seen worse) - of course once you
grasp the basic and object oriented concepts from PHP it mainly echo's
across languages, it makes moving onto something like Python or Perl a lot
easier and even into C++/C#
A lot of people just stick at the low barrier and write crappy code, but
some go on and become brilliant programmers who maybe wouldn't have had the
chance without PHP.
7:19 p.m.
On 30/01/2013 18:57, Daniel Case wrote:
I quite like PHP, one of the first languages I learnt,
it has it's
quirks and can be written terribly if a programmer doesn't keep on top
of his game. I like to think of PHP as a building block, because of
it's low barrier for entry it's one of the first programming languages
a lot of people learn, and it isn't too bad (I've seen worse) - of
course once you grasp the basic and object oriented concepts from PHP
it mainly echo's across languages, it makes moving onto something like
Python or Perl a lot easier and even into C++/C#
A lot of people just stick at the low barrier and write crappy code,
but some go on and become brilliant programmers who maybe wouldn't
have had the chance without PHP.
+1
Couldn't agree more. The language has its issues (as do all) but I don't
think it deserves such a bad rap. Granted that languages may be better
suited to certain tasks/projects, but that's not to say don't use PHP.
OP - Don't let the haters put you off!
Luke
31 Jan
31 Jan
12:53 p.m.
On 30/01/13 18:06, Jeremy Kitchen wrote:
If you're trying to set up some sort of shared
hosting (even if it's
just for a friend or 2), do not use mod_php. mod_php is impossible to
secure in a shared hosting environment without placing huge limits on
what the application can do (safe_mode, open_basedir, etc) which often
are incompatible with off-the-shelf applications.
What do you think of mod_suphp?
Anywho, I just realized I'm rambling. Sorry about
that.
Not at all, it was good stuff.
I'll stick in my 2p.
You can write Bad Code in any language.
Corollary: some languages make it easier than others. PHP is one.
In PHP's case the low barrier to entry means that there's a lot of code
running live that should *never* have been released into the wild.
5:24 p.m.
On Thu, Jan 31, 2013 at 12:53:25PM +0000, Dom Latter wrote:
On 30/01/13 18:06, Jeremy Kitchen wrote:
Last time I investigated it, it was just loads of hacky. php as cgi is
cleaner, imo. But that was probably 4 years ago at this point, there may
have been significant improvements.
That being said, someone brought up mpm-itk, which seems like either
a fork or rewrite or independent project similar to apache's ill-fated
perchild mpm, and that's definitely appealing, but I think with fastcgi,
fpm, etc the problem is mostly solved at this point.
-Jeremy
If you're trying to set up some sort of shared
hosting (even if it's
just for a friend or 2), do not use mod_php. mod_php is impossible to
secure in a shared hosting environment without placing huge limits on
what the application can do (safe_mode, open_basedir, etc) which often
are incompatible with off-the-shelf applications.
What do you think of mod_suphp? 
30 Jan
30 Jan
6:24 p.m.
Time for an intervention! Friends don't let friends do PHP!
Seriously though, the only good reason I can think off to learn PHP is
that you're desperate for work. If that's the case go ahead - but bear
in mind that PHP is usually a sign that someone other than the
technical architect or the lead developer makes the technology
choices. Those companies usually do not provide nice environments to
work in - they may have a cool office, and a fridge full of beer, but
your frustration levels will get very high very quickly. So, if
you're desperate, go for it.
If instead your aim is to build interesting web applications without
too much effort, PHP does have a very low barrier to entry, but it
will frustrate you massively if you have experience with any well
structured, reliable and consistent language. Languages with a
similarly low barrier to entry, and instant rewards are Python and
Ruby. Both of those languages also pay off in the long run, and
you're only going to get really frustrated when you start trying to
make them run concurrently at large scales. By that point, well,
you're playing a different ball game all round. If you have a bit
of programming experience and you're looking to learn something new
for fun then I'd recommend Google Go (http://golang.org) - which has
excellent support for building web applications.
--
Geoff Teale
Software Engineer
Canonical Ltd
<tealeg(a)gmail.com>
<geoffrey.teale(a)canonical.com>
On 30 January 2013 18:42, Michael Stevens <mstevens(a)etla.org> wrote:
So I've decideed to join the cool kids and try PHP
- in particular, I've
installed roundcube.
Is there any good info out there on securing php? I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
There's nothing all that good that shows up on a quick google - it
mostly seems focused at developers rather than running other people's
PHP code.
Michael
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
6:32 p.m.
Hello,
On Wed, Jan 30, 2013 at 07:24:09PM +0100, Geoffrey Teale wrote:
Time for an intervention! Friends don't let
friends do PHP!
Yet tons of useful apps have extremely popular implementations in
PHP. e.g. Wordpress, Mediawiki.
I already advised "don't run PHP", but it's often not useful /
practical advice.
Seriously though, the only good reason I can think off
to learn PHP is
that you're desperate for work.
OP is proposing to run a PHP app, not become a PHP developer.
I see plenty of people making happy lives earning money writing PHP
code though so I don't think the industry is doomed just yet.
If you have a bit of programming experience and
you're looking to
learn something new for fun then I'd recommend Google Go
(http://golang.org) - which has excellent support for building web
applications.
Is there a good alternative to Roundcube but written in Go?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
6:40 p.m.
Andy Smith <andy(a)bitfolk.com> writes:
OP is proposing to run a PHP app, not become a PHP
developer.
Ha, well then I've got completely the wrong end of the stick, go ahead! ;-)
I see plenty of people making happy lives earning money writing PHP
code though so I don't think the industry is doomed just yet.
I don't think the industry is doomed at all - I just don't think PHP is
the most likely route to follow if you're looking for a *good*,
fulfilling programming job! It's actually true of Java, and perhaps
.NET as well - though the code level issues with the languages are very
different. You'll almost definitely be able to find work with those
skills for many years though.
Is there a good alternative to Roundcube but written
in Go?
No idea. Given that I thought he was talking about programming, it's
probably an irrelevant point. He could always write one ;-)
--
Geoffrey Teale
tealeg(a)gmail.com
7:06 p.m.
On Wed, Jan 30, 2013 at 07:40:31PM +0100, Geoffrey Teale wrote:
I don't think the industry is doomed at all - I
just don't think PHP is
the most likely route to follow if you're looking for a *good*,
fulfilling programming job! It's actually true of Java, and perhaps
.NET as well - though the code level issues with the languages are very
different. You'll almost definitely be able to find work with those
skills for many years though.
Except that some of the biggest players in the industry (us) use PHP. We
hire some of the best software engineers in the industry, and quite a few
of them like PHP. We've done numerous things to the language and its runtime
to make it better.
I would try and plug HHVM but I don't think that it's necessarily a good
idea for appllications not written to support its features, in particular
the XHP side.
Much as I loathe PHP, and I still do, (a) now that I've seen our PHP, I've
actually seen PHP that doesn't suck, and (b) to dismiss it out of hand is
somewhat self-defeating, as big players (the BBC and Facebook at least as
my last 2 employers) are using it, and have enough invested in it to
continue doing so for the forseeable future.
Cheers
MBM (not speaking for my employer, obviously)
6:46 p.m.
On Wed, Jan 30, 2013 at 06:32:14PM +0000, Andy Smith wrote:
I am actually fairly dubious about running PHP, so a nice webmail client
in a language with a less dodgy reputation would make me very happy.
I've been running prayer in the past, and whilst it's incredibly
reliable, the user interface is a bit... basic.
Michael
If you have a
bit of programming experience and you're looking to
learn something new for fun then I'd recommend Google Go
(http://golang.org) - which has excellent support for building web
applications.
Is there a good alternative to Roundcube but written in Go? 
7:27 p.m.
On 30/01/2013 17:42, Michael Stevens wrote:
So I've decideed to join the cool kids and try PHP
- in particular, I've
installed roundcube.
Is there any good info out there on securing php? I'd quite like to not
get hacked, which seems to be a common problem with PHP web apps.
Despite the general PHP-dislike in the responses, I've happily run PHP
on my server without issue and, while I run SquirrelMail rather than
Roundcube (although I understand that Roundcube is more interactive and
has a nicer interface), I use suhosin, a basic setup of mod_security,
along with fail2ban and use the ITK MPM for Apache instead of prefork -
this enables me to run the VirtualHosts as different users limiting the
scope for compromise, or ensuring that the user does not have any write
permissions.
Gavin
4343
days inactive
4344
days old
19 comments
12 participants
participants (12)
-
Adam Spiers -
Andy Smith -
Daniel Case -
Dom Latter -
Gavin Westwood -
Geoffrey Teale -
Jeremy Kitchen -
Jon Fautley -
Luke Taylor -
Matthew Byng-Maddick -
Michael Stevens -
Peet Grobler