-
Notifications
You must be signed in to change notification settings - Fork 133
/
phpconfigcheck.php
1223 lines (1151 loc) · 56.4 KB
/
phpconfigcheck.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?php
/*
[+] PHP Secure Configuration Checker - (c) 2014 - SektionEins GmbH
-- Ben Fuhrmannek <[email protected]>
[+] Description:
Check current PHP configuration for potential security flaws.
Simply access this file from your webserver or run on CLI.
[+] Idea:
* one single file for easy distribution
* simple tests for each security related ini entry
* a few other tests - not too complicated though
* compatible with PHP >= 7.x
* NO complicated/overengineered code, e.g. no classes/interfaces,
test-frameworks, libraries, ...
-> It is supposed to be obvious on first glance - even for novices -
how this tool works and what it does!
* NO (or very few) dependencies
[+] WARNING:
This tool will only support you setting up a secure PHP environment.
Nothing else. Your setup, software or any related configuration may still
be vulnerable, even if this tool's output suggests otherwise.
[+] Update:
Please check https://github.com/sektioneins/pcc
[+] License:
This tool is licensed under the New BSD License.
See LICENSE file for fulltext version of the license.
[+] Copyright Notes:
Some text fragments were copied from the printed PHP Web Security
Poster with permission. - (C) 2009 SektionEins GmbH
- Concept: Stefan Esser, fukami, Ben Fuhrmannek
*/
/*****************************************************************************/
/* *** *** *** DANGER ZONE!! *** *** *** */
// uncomment to disable IP restrictions by default
// WARNING: better keep access restricted, e.g. set PCC_ALLOW_IP=10.0.0.*
//putenv("PCC_ALLOW_IP=*");
// This script will deactivate after 48 hours automatically.
// To disable this feature, uncomment the line below.
// WARNING: better keep this commented out unless further restrictions apply, e.g. IP check
//putenv("PCC_DISABLE_MTIME=1");
/*****************************************************************************/
$pcc_name = "PHP Secure Configuration Checker";
$pcc_version = "0.2.0";
$pcc_copy = "(c) 2015-2023 SektionEins GmbH / Ben Fuhrmannek";
$pcc_date = "2023-04-04"; // release date for update check
$pcc_url = "https://github.com/sektioneins/pcc"; // download URL
/*****************************************************************************/
PHP_VERSION_ID >= 70100 || die("This version of PCC requires at least PHP 7.1. Please update PHP or check out an older version of PCC -> $pcc_url\n");
/*****************************************************************************/
// test result codes
define("TEST_CRITICAL", "critical"); // critical problem found.
define("TEST_HIGH", "high"); // high problem found.
define("TEST_MEDIUM", "medium"); // medium. this may be a problem.
define("TEST_LOW", "low"); // low. boring problem found.
define("TEST_MAYBE", "maybe"); // potential security risk. please check manually.
define("TEST_COMMENT", "comment"); // odd, but still worth mentioning.
define("TEST_OK", "ok"); // everything is fine. move along.
define("TEST_SKIPPED", "skipped"); // probably not applicable here.
define("TEST_UNKNOWN", "unknown"); // something is unknown.
//bash color codes
define("ANSI_COLOR_critical", "0;31"); //red
define("ANSI_COLOR_high", "1;31"); //light red
define("ANSI_COLOR_medium", "1;33"); //yellow
define("ANSI_COLOR_low", "1;32"); //light green
define("ANSI_COLOR_maybe", "0;36"); //cyan
define("ANSI_COLOR_comment", "1;36"); //light cyan
define("ANSI_COLOR_ok", "0;32"); //green
define("ANSI_COLOR_skipped", "0;37"); //gray
define("ANSI_COLOR_unknown", "1;37"); //dark gray
// globals
$cfg = [ 'output_type' => 'text',
'allowed_output_types' => ['text', 'html'],
'showall' => 0,
'result_codes_default' => [TEST_CRITICAL, TEST_HIGH, TEST_MEDIUM, TEST_LOW, TEST_MAYBE, TEST_COMMENT],
'need_update' => 0];
if (function_exists('json_encode')) {
$cfg['allowed_output_types'][] = 'json';
}
$all_result_codes = [TEST_CRITICAL, TEST_HIGH, TEST_MEDIUM, TEST_LOW, TEST_MAYBE, TEST_COMMENT, TEST_OK, TEST_SKIPPED, TEST_UNKNOWN];
$trbs = []; // test result by severity, e.g. $trbs[TEST_OK][...]
foreach ($all_result_codes as $v) { $trbs[$v] = []; }
$cfg['s1_logo'] = "data:image/gif;base64,R0lGODlhCwFLAOYAAAMlTWV6ku7w8+rt8M7V3LnCzvX2+Nzh5vHz9e/x9NHX32yAmJKhsjVQcEhhfq24xcrR2k5mgr3G0Nne5Bs5XqGuvZ2quiVCZam0wjBMbdXb4ens7+3v8oGSplJphePn6y1Ja97i6IqarOTo7LS+yrO9yWh8lMbO1zpUdCpGaQ4uVYSUqAkqUcLK1KSwv7bAzJaktXyNo3eJn8DI04aWqmp+lpimtkFaeWF2jxY1W3SHnaaywF1zjThTc3GEmyA+Yo6dr3qMoTxWdUVefFpwixAwVh07X3mLoFhuiVZtiBIyWD5Yd/7+/v39/vz8/QssU/v8/ODk6eHl6vj5+r/I0vn6+1Vsh/r7+/f4+ZSis8TM1VBng3+QpTRPcIybrl90jn6PpAYnT8XN1vP19xQzWefq7tPZ4MjP2Bg3XObp7au2xJuouAwsU9fc40NceszT22N4ka+6x4+esHCDmpCfsbvEz9jd4ydEZ5+su6y3xIiYq7G7yHOGnEtjgAAiS////yH5BAAAAAAALAAAAAALAUsAAAf/gH+Cg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys6lQWAhjublYTodMNn0lCbTExcaaTRwTMxYxREMO0Q59ASsYJyFjTYIbbn4AQi4cx+Tl5oYjVCsRRn7u7/DwKXAWVX8tLPARe1jn/v+xToi4oSSewYN+HFSBssIgGxMTAEqcWEpMjXYIM8Kz8YeDEIQZ9lAcSTLThDk/NKp0R6HNnxIAMpLRs62kzZuLmthIsbKnBwN/tGTQGGbOFJxIk/4JkSRfTxUUjEg1ksOpOwtM/kAp46JHRgABxigdO1ICCJVhjFiJgYeKnRBw/0OYeQFjjpA7EQkJqMDzIAAT/cgKNsekQkGEAJREwDDB3qIEIa4c+mDCarwFkgdrJlb4ScYLcxRwskDBL53NqGWtsQwvxwINnyT0jafkRerbrCp4PiiEhKgTdw6CkIK7uCkJOfyaID5KzGx4JqAYnw4qxFCDKugEJiWhdLwitqmL3/TloAqsqGDs1jduvPtKq7GvqXnqSvl4ACq83x+pzXV4ANBAHyoHPOdOHwPwp2BORxwUwHaqMBCGOwDk4EEB0i2ooSFvXGBQAyG4ggAKKqQQAwEbpljIFQ3G80QcsBRQwQcq1jjIBCnFg4ONPMrCxBoGUQDbLArYgGKPCgowhP9BC8xCxQJ3hBEEkgq+UUQ8KpwAyxRqOIDGO24kSKV7Tshh0BC9vCLFf+7kUAAsTWzwAYRjkoLFffCsEUsTSBgkQiRQJJDGCBtgkdUlCXiQggQlMdEEE5BGKimkE5XRRTxh5AWLBax94RgjYxTAhxAUoHGBBwzYcQkHPbAgkiVMCCBWKghgIAcDuOaqKwN0DCnIGAIcagwEV8JzAwKyQPAlPELQyEgIOFCYAwW7ZRAHnZB49EQJsGrRBxwHpHLAWStlMQhlDkggLDEkGORDZrCMGA8FbzCywRJ+hLFFFlSc4UIAxeZRibbcVjJFAO4wkEoUKPhx6hYRRCyxxFQMYoP/O0QAZczF8WSx7isR4PemIk504EcRQMAriAVGZFAxJQQ30gQCBnwMBQxK/OAbKlF4BYajUAQtdNBXCCvBHU/Q8CkxLcKDAS0LxATPDosIkFIAiGih6SQxMzJBBDIgW4gBBYihcik9+7ECJBDs0Z4x0cJTxAy0dCD1O3gsYgcLRRTsSdeLaOFHChvMkjYXH9uEZ5sQ0GLDhPAIqIgCLBih5SeAK3KCH12IGcvhiZcU9zs5nEHLA6zFkCEiGvCtBiVOTLF0IZknAoEfDQhAyRWyQ9KE7KH/ATonTFRRxYCHxD47JqO3afosO6R+diEJeJgEtopAoQANEWTQAA4WOEtI/+2h5vFAAhDQoEcNflDABRAr0BDuH1KIUIHYhZTxwAIoZNADHBVgDiGYoIUYiOEPH8iCBzLQBSSIwxDDawQC8EAD8f1hBjJAkRQssMAMEGEHbyNECIDgAO99QQ0htMTi/FA6WogAcu8wV/YaAoAFSCF41OuACvygAjQoISZd2MOAMjeGBgHAA2OgQUYeIIg6+CEDAhSEE0pwHSVQ4Id+uEMFIASFGPihAwq41BPQkBw/RCBEhEjb2hxhHT/QTRBMkMEXFdAAHqKBDO7YggWZ0AKesCAHh4mAryxhgniwYGSyiMHd3OECRpTBAe64gB5O4LlDjAFhRYDDAyaghRUMpf8IrxIE4ASwAD+wQHV/kMACFpAEFpqAD6scEhUA0IARDNAG+chAB6gQghkA4SN+iMGnnMAFP/QhBSz4oAYgEITkmOAog0gbEV5QgBdY85ovIMEBhCWFS2lhEEzwohuMwAIePKANJ5CBM7djB570wAIK0IIMCnID3V1CDwZp5Cya5w4YMSINJlgWACIQgwLYkxBOoIMfjMBEQnzAA4NDY0eEsC1BDIAIPKTDx8zghx4sb5a1JIQWdsiDwhHCADIIQxgqUBMnNCRfCiMEDMJAhssJgmErWcDquumHbw5CBO5gAUdkyjfRCOJiIJifIPAAAh2kARMuMIgXkNcKKCwJHiz/8GkjCrAAr7hDMX4TRAjIqSd0DGWqohQCC7gVAogaQT+G2FwDKikIkNpSEE2AZB/wh9BCZkB8eHCHDz62Aa8M9aYNS4EVkmCFxjq2sTtIE/28SQiOTYl2XtEnExpigkI0QQOrs8QMYIgxjcEiBAa6gFEfEYU4HKEvZKDD6irgBw8kIqoOaI9HVCCGESzpAogshFzp+ge7DoIAJ2MUIsyQkqcJIg9+QEPjPIswGggrbR2Q3RS2y90p8IIQPNXqH7LgBzIcqRCFFEFNGOAwm3YCR/EwAnFZUYJivWMIJpXEBOiQEjaMrAns+4IESEDgApOgAA25ABo9ooQYQLIH0z3E/3ANYVxBKHQJ2JNieVD5Bwwk5KCE8OIKruuVNTYivIQgrxDuWggd+EG9giBASi7gAwy8YRibQAAk46FcWHBhkX7QAVUfwQQSJGcBR4ECJPlWhCY7ucn5MEJeOHADAHgmDHXQHO6IW+E/lHJHigCDH3AQGA+D2RDFtG40vYI4R6B4EOTN2CF88OKaNKEA5OohCmpwwExcwcWXicUYgPkOAOjTEi52w1OhcIMnEoGxj21sErawAJMyeAFnGYJE47plCtOSxew7MyJMRoRZmRkRYlbzTdmMw0K8WRDkrcGQ6QzjQQxgDzwAQbGKIIdWP0INQL7AfFMhgWW9IwWrrURgU/8QESeUpwNMcIK0py3tJjiBPh5hwwzOkJIeJJsQEy5ElxsyhOURgn0ycMypD5FqEvuhzSemLJz9YALJEoLWVG3CFczAAK9QwJ+XiEJw4BGGw7KCCYWMx08wcbEMhIsJQPCDG6aHiJi9ICUpcO8gwk2ILhdgod92aB3R0+Exo9oPqhYeq90sb1jT296DwLciJnAWrGECC3MwyBKgyQoZY8rgiRgDCWwA819BNAliIwALlOBcQxBgBtvpWgFmrPE/iAF3KSzupwdhAJ6YIHheaJ+v1m2Idq/53b4exKvH+/I51/lXZqATFEoZAU1IgDVhyBsrrlDKeDC7EXKYEBBg3oT/FcREhn8wgF/POwgIZOAJiAQcFYYC3EJcHQT5HUSX/7ADPzyBDkV3QXLAwHOyF8Lsq37xI9ZO3nq7HcYI0MEFTuPQofBBEwnog0FAYEFUzACP8ehsI1ywwzAEgARSGMAH6rCACeGXEBMITgpsoIEBlIEAcgjODyKsrZ3FeChoeN0gDsACNnRgA2UoQBTquvVBTKHvx4+CoDDomQhU0vSEQL3wGjYEL/j//wAoAhagdi33BzDQdoYgc/fiBw0mBmUwAFRgBX6wfZvgAuvxDjqwCrlnEDnAeIuwB9dRBA2wBD1QRg5gBnF1VReAAj2QI27QAoQwAGchfsc1FE/AAIHB/3ff0AMN8ATO9XEpEEV/gAAxwAamlAFC0AB4BAA10HtRRQSI4GI/M37kohIAMAio5Qc99gdAhQMUBwdflCYEsGMU0AM9gEc5AFeaMABXJTcCgwouBWR+YHOPMAFAcAMwBABuQAeZRwgbwEHtAABG4AFr8FSEgAAykAQRdlw44AY8oCrcIAMewgJDYFRm4AE6kHVOQAUy0APFlwE1UALYogU3EFOGsAM3QIN/MAAy0AcesAWwGIuyGAFnNgA64AGDRAIOQHSHsAYOEAf0sQE2YAUpAQB3YAISMGSWgAH2dWweOApxcIHu8ANb4whxQgASUAB1AAHDRggJcAAEQAATgP9jhcAEY5AAoTUIY8ABA2Baf1AFIQABCjAANREoCKCMVVAGGvAGBJAGGXYF7YgIWDAAENIE65gACJmQComQ+DMzCWBvVcAB7kgIWMABPDcI3xiOUTCRmuAEPHAQbrB+pXAGGAEgf1InG6IBBnIgQvgJCsAm7+AAfIWSCmKBB+EAm+YJWlCFrRFyNMkfgGYQPfA8ndAELuAdhtR0P6khYwBRB/EDa3CRmLABMcAaFNIByriU7zECO2YQAMADz0gJe9CGBmEC5qaV/DECuocQFyADKFgJdWACh3EQOECOaJkiH7CWbGkCM5B2FIkBHmBsXjkHdnmXKTICH6kRZIACBXWoALNiCAPQBnGwACmwQxkRBiuQYYa5IAawAs3oFyzwA27wBXygAx0QAzowB0lQglZpED8QWZtJJQXQAHLYE7ZpSh7gErE5JgNwBCV5m7aZAVmQlbtZIydgAjkCnBqRAjKQk8VZJ2JAmcppEGHQAzSgm8+JlgQAA0mQAqS1EmzQAAGAAc6ZnVqZABqAAR3AAw2AlADyA0KAAyJQAgegmeZ5n/iZn/qplYEAADs=";
$cfg['s1_logo_aa'] = "
`.-:///:-.` /+-`
`/shmmmmmmmmmm:.dmmds:
`/ymmmdyo/::-::// `:sdmmh:
/hmmdo- `+dmmy.
`smmd/` .ymmh`
`hmmy. /-`
ymmy` -oyy
-mmm- .dmm: --- $pcc_name
+mmh ymmo --- Version $pcc_version
ommh ymms --- $pcc_copy
:mmd. `dmm/ ---- https://sektioneins.de/
`hmms +mmd`
-dmmo +mmd:
-dmmy. .smmd:
`smmms- -sdmmy.
-sdmmds+:.`` `.-/sdmmms-
`/sdmmmmmdddmmmmmds/`
.:/ossssso+:. ";
/*****************************************************************************/
// are we running as cli?
if (php_sapi_name() == "cli") {
$cfg['output_type'] = "text";
$cfg['is_cli'] = true;
if (function_exists('getopt')) {
foreach (getopt("hja") as $k => $v) {
switch ($k) {
case 'h':
$cfg['output_type'] = 'html';
break;
case 'j':
if (!in_array('json', $cfg['allowed_output_types'])) {
die("json output not supported");
}
$cfg['output_type'] = 'json';
break;
case 'a':
$cfg['showall'] = 1;
break;
}
}
}
} else {
$cfg['output_type'] = "html";
$cfg['is_cli'] = false;
// mtime check
$cfg['PCC_DISABLE_MTIME'] = getenv("PCC_DISABLE_MTIME");
$cfg['SCRIPT_FILENAME'] = getenv("SCRIPT_FILENAME");
if (!$cfg['PCC_DISABLE_MTIME'] && $cfg['SCRIPT_FILENAME'] !== FALSE) {
if (filemtime($cfg['SCRIPT_FILENAME']) + 2*24*3600 < time()) {
die("mtime check failed. - For security reasons this script was disabled automatically after a while.\n Please 'touch' me, or set the environment variable 'PCC_DISABLE_MTIME=1' (e.g. 'SetEnv PCC_DISABLE_MTIME 1' for apache/.htaccess)");
}
}
// IP check
$cfg['REMOTE_ADDR'] = getenv("REMOTE_ADDR");
$cfg['PCC_ALLOW_IP'] = getenv("PCC_ALLOW_IP");
if ($cfg['REMOTE_ADDR'] !== FALSE) {
if (!in_array($cfg['REMOTE_ADDR'], ["127.0.0.1", "::1"], TRUE)
&& !($cfg['PCC_ALLOW_IP'] !== FALSE && fnmatch($cfg['PCC_ALLOW_IP'], $cfg['REMOTE_ADDR']))) {
die("Access denied. - Your IP is not cleared. Please set PCC_ALLOW_IP to your IP address or a wildcard pattern, e.g. 'SetEnv PCC_ALLOW_IP 10.0.0.*'");
}
}
// output type
if (isset($_GET['format']) && in_array($_GET['format'], $cfg['allowed_output_types'], true)) {
$cfg['output_type'] = $_GET['format'];
} elseif (in_array(getenv('PCC_OUTPUT_TYPE'), $cfg['allowed_output_types'], true)) {
$cfg['output_type'] = getenv('PCC_OUTPUT_TYPE');
}
switch ($cfg['output_type']) {
case 'text':
header("Content-Type: text/plain; charset=utf-8");
break;
case 'json':
header("Content-Type: application/json; charset=utf-8");
break;
case 'html':
header("Content-Type: text/html; charset=utf-8");
break;
}
// do not hide unknown/skipped/ok tests
if (isset($_GET['showall']) && $_GET['showall'] === "1") {
$cfg['showall'] = 1;
}
}
// detect OS
$cfg['is_win'] = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
// detect CGI
$cfg['is_cgi'] = (substr(php_sapi_name(), 0, 3) === 'cgi');
/*****************************************************************************/
// functions
function tdesc($name, $desc=NULL) {
return [
"name" => $name,
"desc" => $desc,
"result" => NULL,
"reason" => NULL,
"recommendation" => NULL
];
}
function tres($meta, $result, $reason=NULL, $recommendation=NULL) {
global $trbs;
$res = array_merge($meta, ["result" => $result, "reason" => $reason, "recommendation" => $recommendation]);
$trbs[$result][] = $res;
}
function ini_atol($val)
{
$ret = intval($val);
$val = strtolower((string)$val);
switch (substr($val, -1)) {
case 'g': $ret *= 1024;
case 'm': $ret *= 1024;
case 'k': $ret *= 1024;
}
return $ret;
}
function ini_list($val)
{
if ($val == "") {
return NULL;
}
$ret = preg_split('/[, ]+/', $val);
if (count($ret) == 1 && $ret[0] == "") {
return NULL;
}
return $ret;
}
function is_writable_or_chmodable($fn)
{
if (!extension_loaded("posix")) { return is_writable($fn); }
$stat = stat($fn);
if (!$stat) { return false; }
$myuid = posix_getuid();
$mygids = posix_getgroups();
if ($myuid == 0 ||
$myuid == $stat['uid'] ||
in_array($stat['gid'], $mygids) && $stat['mode'] & 0020 ||
$stat['mode'] & 0002) {
return true;
}
return false;
}
function is_on($v)
{
if ($v == "0" || $v === "" || strtolower($v) == "off") { return 0; }
return 1;
}
/*****************************************************************************/
function test_all_ini_entries()
{
global $cfg;
$helptext = [
"display_errors" => "Error messages can divulge information about the inner workings of an application and may include private information such as Session-ID, personal data, database structures, source code exerpts. It is recommended to log errors, but not to display them on live systems.",
'log_errors' => "While it may be a good idea to avoid logging altogether from a privacy point of view, monitoring the error log of an application can lead to detecting attacks, programming and configuration errors.",
'expose_php' => "Knowing the exact PHP version - sometimes including patchlevel and operating system - is a good start for automated attack tools. Best not to share this information.",
'max_execution_time' => "In order to prevent denial-of-service attacks where an attacker tries to keep your server's CPU busy, this value should be set to the lowest possible value, e.g. 30 (seconds).",
'max_input_time' => "It may be useful to limit the time a script is allowed to parse input. This should be decided on a per application basis.",
'max_input_nesting_level' => "Deep input nesting is only required in rare cases and may trigger unexpected ressource limits.",
'memory_limit' => "A high memory limit may easily lead to resource exhaustion and thus make your application vulnerable to denial-of-service attacks. This value should be set approximately 20% above an empirically gathered maximum memory requirement.",
'post_max_size' => "Setting the maximum allowed POST size to a high value may lead to denial-of-service from memory exhaustion. If your application does not need huge file uploads, consider setting this option to a lower value. Note: File uploads have to be covered by this setting as well.",
'post_max_size>memory_limit' => "post_max_size must be lower than memory_limit. Otherwise, a simple POST request will let PHP reach the configured memory limit and stop execution. Apart from denial-of-service an attacker may try to split a transaction, e.g. let PHP execute only a part of a program.",
'upload_max_filesize' => "This value should match the file size actually required.",
'max_file_uploads' => "This value should match the maximum number of simultaneous file uploads. (lower is better)",
'allow_url_fopen' => "Deactivate, if possible. Allowing URLs in fopen() can be a suprising side-effect for unexperienced developers. Even if deactivated, it is still possible to receive content from URLs, e.g. with curl.",
'allow_url_include' => "This flag should remain deactivated for security reasons.",
'magic_quotes' => "This option should be deactivated. Instead, user input should be escaped properly and handled in a secure way when building database queries. The use of magic quotes or similar behaviour is highly discouraged. Current PHP versions do not support this feature anymore.",
'enable_dl' => "Deactivate this option to prevent arbitrary code to be loaded during runtime (see dl()).",
'disable_functions' => "Potentially dangerous and unused functions should be deactivated, e.g. system().",
'disable_classes' => "Potentially dangerous and unused classes should be deactivated.",
'request_order' => "It is recommended to use GP to register GET and POST with REQUEST.",
'variables_order' => "Changing this setting is usually not necessary; however, the ENV variables are rarely used.",
'auto_globals_jit' => "Unless access to these variables is done through variable variables this option can remain activated.",
'register_globals' => "This relic from the past is not available in current PHP versions. If it is there anyway, keep it deactivated! Please.",
'file_uploads' => "If an application does not require HTTP file uploads, this setting should be deactivated.",
'filter.default' => "This should only be set if the application is specifically designed to handle filtered values. Usually it is considered bad practice to filter all user input in one place. Instead, each user input should be validated and then escaped/encoded according to its context.",
'open_basedir' => "Usually it is a good idea to restrict file system access to directories related to the application, e.g. the document root.",
'session.save_path' => "This path should be set to a directory unique to your application, but outside the document root, e.g. /opt/php_sessions/application_1. If this application is the only application on your server, or a custom storage mechanism for sessions has been implemented, or you don't need sessions at all, then the default should be fine.",
'session.cookie_httponly' => "This option controls if cookies are tagged with httpOnly which makes them accessible by HTTP only and not by the JavaScript. httpOnly cookies are supported by all major browser vendors and therefore can be instrumental in minimising the danger of session hijacking. It should either be activated here or in your application with session_set_cookie_params().",
'session.cookie_secure' => "This option controls if cookies are tagged as secure and should therefore be sent over SSL encrypted connections only. It should either be activated here or in your application with session_set_cookie_params().",
'session.cookie_lifetime' => "Not limiting the cookie lifetime increases the chance for an attacker to be able to steal the session cookie. Depending on your application, this should be set to a reasonable value here or with session_set_cookie_params().",
'session.cookie_samesite' => "Set SameSite to `Lax` or `Strict` to better protect against CSRF.",
'session.referer_check' => "PHP can invalidate a session ID if the submitted HTTP Referer does not contain a configured substring. The Referer can be set by a custom client/browser or plugins (e.g. Flash, Java). However it may prevent some cases of CSRF attacks, where the attacker can not control the client's Referer.",
'session.use_strict_mode' => "If activated, PHP will regenerate unknown session IDs. This effectively counteracts session fixation attacks.",
'session.use_cookies' => "If activated, PHP will store the session ID in a cookie on the client side. This is recommended.",
'session.use_only_cookies' => "PHP will send the session ID only via cookie to the client, not e.g. in the URL. Please activate.",
'session.name' => "Your session name is boring. Why not change it to something more suitable for your application?",
'session.use_trans_sid' => "Allowing the user to choose to store the session ID within the URL makes session hijacking a realistic security risk. URLs are logged in logfiles and can easily be copied by the user or by scripts. This option must be disabled.",
'always_populate_raw_post_data' => "In a shared hosting environment it should not be the default to let the unexperienced user parse raw POST data themselves. Otherwise, this option should only be used, if accessing the raw POST data is actually required.",
'arg_separator' => "The usual argument separator for parsing a query string is '&'. Standard libraries handling URLs will possibly not be compatible with custom separators, which may lead to unexpected behaviour. Also, additional parsers - such as a WAF or logfile analyzers - have to be configured accordingly.",
'assert.active' => "assert() evaluates code just like eval(). Unless it is actually required in a live environment, which is almost certainly not the case, this feature should be deactivated.",
'assert.callback' => "Failed assertions call a user function. This can be useful for test environments, but most certainly should not be used in production. An attacker may try to override this value to call a different function. If possible, deactivate assert altogether.",
'zend.assertions' => "assert() in able to evaluate code. Please deactivate this feature for production environments by setting zend.assertions=-1.",
'auto_append_file' => "PHP is automatically executing an extra script for each request. An attacker may have planted it there. If this is unexpected, deactivate.",
'cli.pager' => "PHP executes an extra script to process CLI output. An attacker may have planted it there. If this is unexpected, deactivate.",
'cli.prompt' => "An overlong CLI prompt may indicate incorrect configuration. Please check manually.",
'curl.cainfo' => "Incorrect configuration of this option may prevent cURL from validating a certificate.",
'docref_*' => "This setting may reveal internal ressources, e.g. internal server names. Setting docref_root or docref_ext implies HTML output of error messages, which is bad practice for live environments and may reveal useful information to an attacker as well.",
'default_charset=empty' => "Not setting the default charset can make your application vulnerable to injection attacks based on incorrect interpretation of your data's character encoding. If unsure, set this to 'UTF-8'. HTML output should contain the same value, e.g. <meta charset=\"utf-8\"/>. Also, your webserver can be configured accordingly, e.g. 'AddDefaultCharset UTF-8' for Apache2.",
'default_charset=typo' => "Change this to 'UTF-8' immediately.",
'default_charset=iso-8859' => "There is nothing wrong with ISO8859 charsets. However, the hipster way to deliver content tries not to discriminate and allows multibyte characters, e.g. Klingon unicode characters, too. Some browsers may even be so bold as to use a multibyte encoding anyway, regardless of this setting.",
'default_charset=custom' => "A custom charset is perfectly fine as long as your entire chain of character encoding knows about this. E.g. the application, database connections, PHP, the webserver, ... all have the same encoding or know how to convert appropriately. In particular calls to escaping functions such as htmlentities() and htmlspecialchars() must be called with the correct encoding.",
'default_mimetype' => "Please set a default mime type, e.g. 'text/html' or 'text/plain'. The mime type should always reflect the actual content. But it is a good idea to define a fallback here anyway. An incorrectly stated mime type can lead to injection attacks, e.g. using 'text/html' with JSON data may lead to XSS.",
'default_socket_timeout' => "By delaying the process to establish a socket connection, an attacker may be able to do a denial-of-service (DoS) attack. Please set this value to a reasonably small value for your environment, e.g. 10.",
'doc_root=empty' => "The PHP documentation strongly recommends to set this value when using CGI and cgi.force_redirect is off.",
'error_append_string' => "PHP adds additional output to error messages. If planted by an attacker, this string may contain script content and lead to XSS. Please check.",
'error_reporting' => "PHP error reporting can provide useful information about misconfiguration and programming errors, as well as possible attacks. Please consider setting this value.",
'extension_dir' => "An attacker may try to leave a PHP extension in the extensions directory. This directory should not be writable and the web user must not be able to change file permissions",
'exit_on_timeout' => "In Apache 1 mod_php may run into an 'inconsistent state', which is always bad. If possible, turn this feature on.",
'filter.default' => "Using a default filter or sanitizer for all PHP input is generally not considered good practice. Instead, each input should be handled by the application individually, e.g. validated, sanitized, filtered, then escaped or encoded. The default value is 'unsafe_raw'.",
'highlight.*' => "Your color value is suspicious. An attacker may have managed to inject something here. Please check manually.",
'iconv.internal_encoding!=empty' => "Starting with PHP 5.6 this value is derived from 'default_charset' and can safely be left empty.",
'asp_tags' => "ASP-Style tags are quite uncommon for PHP. If you don't actually require your PHP-code to start with <%, this option should be deactivated.",
'ldap.max_links' => "In order to prevent denial-of-service attacks this option should be set to the lowest number possible. If LDAP is not needed at all, the LDAP extension should not be loaded in the first place.",
'log_errors_max_len' => "An attacker may try to exhaust ressources such as disk space and RAM. If possible, limit this value to a reasonable minimum, e.g. 1024.",
'mail.add_x_header' => "Information Disclosure: When sending e-mails, a header 'X-PHP-Originating-Script' contains the filename of the originating script. In production this feature should be disabled.",
'intl.default_locale' => "The ICU default locale is not set explicitly, which forces the usage of ICU's default locale.",
'intl.error_level' => "An error induced by an attacker can change the program's control flow and may lead to unexpected side-effects.",
'intl.use_exceptions' => "If unhandled, exceptions may have unexpected side-effects. Please make sure potential exceptions are handled correctly when calling intl-functions.",
'last_modified' => "The Last-Modified header will be sent for PHP scripts. This is a minor information disclosure.",
'zend.multibyte' => "This is highly unusual. If possible, try to avoid multibyte encodings in source files - like SJIS, BIG5 - and use UTF-8 instead. Most XSS and other injection protections are not aware of multibyte encodings or can easily be confused. In order to use UTF-8, this option can safely be deactivated.",
'max_input_vars' => "This setting may be incorrect. Unless your application actually needs an incredible number of input variables, please set this to a reasonable value, e.g. 1000.",
'phar.readonly' => "The creation and modification of phar files should be disabled in production.",
'phar.require_hash' => "Signature validation for phar archives should be enforced. In particular having OpenSSL-type Phar signatures can significantly increase security.",
'ffi.enable' => "From the PHP documentation: 'FFI is dangerous, since it allows to interface with the system on a very low level. The FFI extension should only be used by developers having a working knowledge of C and the used C APIs.'. Also, this extension is EXPERIMENTAL.",
'runkit.internal_override' => "Runkit can modify/rename/remove internal functions. As most security features rely on internal functions, activating this setting renders all security features useless. In fact, it is best to remove the runkit extension altogether."
];
// php.ini checks
foreach (ini_get_all(null, false) as $k => $v) {
$meta = tdesc("php.ini / $k");
$result = NULL;
$reason = NULL;
$recommendation = NULL;
if (isset($helptext[$k])) { $recommendation = $helptext[$k]; }
$ignore = 0;
switch ($k) {
case 'display_errors':
if (is_on($v)) {
[$result, $reason] = [TEST_MEDIUM, "display_errors is on."];
}
break;
case 'display_startup_errors':
if (is_on($v)) {
[$result, $reason] = [TEST_MEDIUM, "display_startup_errors is on."];
$recommendation = $helptext['display_errors'];
}
break;
case 'log_errors':
if (!is_on($v)) {
[$result, $reason] = [TEST_LOW, "You are not logging errors."];
}
break;
case 'expose_php':
if (is_on($v)) {
[$result, $reason] = [TEST_LOW, "PHP is exposed by HTTP headers."];
}
break;
case 'max_execution_time':
if (intval($v) == 0) {
[$result, $reason] = [TEST_MEDIUM, "Execution time is not limited."];
} elseif (intval($v) >= 300) {
[$result, $reason] = [TEST_LOW, "Execution time limit is rather high."];
}
break;
case 'max_input_time':
if ($v == "-1") {
[$result, $reason] = [TEST_MAYBE, "Input parsing time not limited."];
}
break;
case 'max_input_nesting_level':
if (intval($v) > 128) {
[$result, $reason] = [TEST_MEDIUM, "Input nesting level extremely high."];
} elseif (intval($v) > 64) {
[$result, $reason] = [TEST_MAYBE, "Input nesting level higher than usual."];
}
break;
case 'max_input_vars':
if (intval($v) > 5000) {
[$result, $reason] = [TEST_MEDIUM, "Extremely high number."];
} elseif (intval($v) > 1000) {
[$result, $reason] = [TEST_MAYBE, "Higher number than usual."];
}
break;
case 'memory_limit':
$v = ini_atol($v);
if ($v < 0) {
[$result, $reason] = [TEST_HIGH, "Memory limit deactivated."];
} elseif (ini_atol($v) >= 128*1024*1024) { // default value
[$result, $reason] = [TEST_MAYBE, "Memory limit is 128M or more."];
}
break;
case 'post_max_size':
$tmp = ini_atol(ini_get('memory_limit'));
$v = ini_atol($v);
if ($tmp < 0) {
if ($v >= ini_atol('2G')) {
[$result, $reason] = [TEST_MAYBE, "post_max_size is >= 2G."];
}
break;
}
if ($v > $tmp) {
[$result, $reason] = [TEST_HIGH, "post_max_size is greater than memory_limit."];
$recommendation = $helptext['post_max_size>memory_limit'];
}
break;
case 'upload_max_filesize':
if ($v === "2M") {
[$result, $reason] = [TEST_COMMENT, "default value."];
} elseif (ini_atol($v) >= ini_atol("2G")) {
[$result, $reason] = [TEST_MAYBE, "value is rather high."];
}
break;
case 'max_file_uploads':
if (intval($v) > 30) {
[$result, $reason] = [TEST_MAYBE, "value is rather high."];
}
break;
case 'allow_url_fopen':
if (is_on($v)) {
[$result, $reason] = [TEST_HIGH, "fopen() is allowed to open URLs."];
}
break;
case 'allow_url_include':
if (is_on($v)) {
[$result, $reason] = [TEST_HIGH, "include/require() can include URLs."];
}
break;
case 'magic_quotes_gpc':
if (PHP_MAJOR_VERSION < 8 && get_magic_quotes_gpc()) {
[$result, $reason] = [TEST_HIGH, "magic quotes activated."];
$recommendation = $helptext['magic_quotes'];
}
break;
case 'magic_quotes_runtime':
if (PHP_MAJOR_VERSION < 8 && get_magic_quotes_runtime()) {
[$result, $reason] = [TEST_HIGH, "magic quotes activated."];
$recommendation = $helptext['magic_quotes'];
}
break;
case 'magic_quotes_sybase':
if (is_on($v)) {
[$result, $reason] = [TEST_HIGH, "magic quotes activated."];
$recommendation = $helptext['magic_quotes'];
}
break;
case 'enable_dl':
if (is_on($v)) {
[$result, $reason] = [TEST_HIGH, "PHP can load extensions during runtime."];
}
break;
case 'disable_functions':
$v = ini_list($v);
if (!$v) {
[$result, $reason] = [TEST_MEDIUM, "no functions disabled."];
}
break;
case 'disable_classes':
$v = ini_list($v);
if (!$v) {
[$result, $reason] = [TEST_MEDIUM, "no classes disabled."];
}
break;
case 'request_order':
if ($v === null || $v === "") { $v = ini_get("variables_order"); }
$v = strtoupper((string)$v);
if ($v === "GP") {break;} // ok
if (strstr($v, 'C') !== FALSE) {
[$result, $reason] = [TEST_MAYBE, "cookie values in \$_REQUEST."];
}
if (strstr(str_replace('C', $v, ''), 'PG') !== FALSE) {
[$result, $reason] = [TEST_LOW, "GET overrides POST in \$_REQUEST."];
}
break;
case 'variables_order':
if ($v === "GPCS") { break; }
if ($v !== "EGPCS") {
[$result, $reason] = [TEST_COMMENT, "custom variables_order."];
} else {
$result = TEST_OK; // result set includes default helptext
}
break;
case 'auto_globals_jit':
$result = TEST_OK;
break;
case 'register_globals':
if ($v !== "" && $v !== "0") {
[$result, $reason] = [TEST_CRITICAL, "register_globals is on."];
}
break;
case 'file_uploads':
if ($v == "1") {
[$result, $reason] = [TEST_MAYBE, "file uploads are allowed."];
}
break;
case 'filter.default':
if ($v !== "unsafe_raw") {
[$result, $reason] = [TEST_MAYBE, "default input filter set."];
}
break;
case 'open_basedir':
if ($v == "") {
[$result, $reason] = [TEST_LOW, "open_basedir not set."];
}
break;
case 'session.save_path':
if ($v == "") {
[$result, $reason] = [TEST_MAYBE, "session save path not set."];
}
break;
case 'session.cookie_httponly':
if (!is_on($v)) {
[$result, $reason] = [TEST_MAYBE, "no implicit httpOnly-flag for session cookie."];
}
break;
case 'session.cookie_secure':
if (!is_on($v)) {
[$result, $reason] = [TEST_MAYBE, "no implicit secure-flag for session cookie."];
}
break;
case 'session.cookie_lifetime':
if (!is_on($v)) {
[$result, $reason] = [TEST_MAYBE, "no implicit lifetime for session cookie."];
}
break;
case 'session.cookie_samesite':
if ($v == "") {
[$result, $reason] = [TEST_MAYBE, "SameSite is unset."];
} elseif ($v !== "Strict") {
[$result, $reason] = [TEST_COMMENT, "SameSite is not set to `Strict`. If cross-site GET requests to your site are unlikely, this should be set to `Strict`."];
}
break;
case 'session.referer_check':
if ($v === "") {
[$result, $reason] = [TEST_COMMENT, "referer check not activated."];
}
break;
case 'session.use_strict_mode':
if (!is_on($v)) {
[$result, $reason] = [TEST_MEDIUM, "strict mode not activated."];
}
break;
case 'session.use_cookies':
if (!is_on($v)) {
[$result, $reason] = [TEST_HIGH, "Session ID not stored in cookie."];
}
break;
case 'session.use_only_cookies':
if (!is_on($v)) {
[$result, $reason] = [TEST_HIGH, "Session ID not limited to cookie."];
}
break;
case 'session.name':
if ($v == "PHPSESSID") {
[$result, $reason] = [TEST_COMMENT, "default session name."];
}
break;
case 'session.use_trans_sid':
if (is_on($v)) {
[$result, $reason] = [TEST_HIGH, "transparent SID active."];
}
break;
case 'always_populate_raw_post_data':
if (is_on($v)) {
[$result, $reason] = [TEST_COMMENT, "HTTP_RAW_POST_DATA is available."];
}
break;
case 'arg_separator.input':
case 'arg_separator.output':
if ($v !== "&") {
[$result, $reason] = [TEST_MAYBE, "unusual arg separator."];
$recommendation = $helptext['arg_separator'];
}
break;
case 'assert.active':
if (is_on($v)) {
[$result, $reason] = [TEST_MEDIUM, "assert is active."];
}
break;
case 'assert.callback':
if (ini_get('assert.active') && $v !== "" && $v !== null) {
[$result, $reason] = [TEST_MEDIUM, "assert callback set."];
}
break;
case 'zend.assertions':
if (intval($v) > 0) {
[$result, $reason] = [TEST_MEDIUM, "assert is active."];
}
break;
case 'auto_append_file':
case 'auto_prepend_file':
if ($v !== NULL && $v !== "") {
[$result, $reason] = [TEST_MAYBE, "$k is set."];
$recommendation = $helptext['auto_append_file'];
}
break;
case 'cli.pager':
if ($v !== NULL && $v !== "") {
[$result, $reason] = [TEST_MAYBE, "CLI pager set."];
}
break;
case 'cli.prompt':
if ($v !== NULL && strlen($v) > 32) {
[$result, $reason] = [TEST_MAYBE, "CLI prompt is rather long (>32)."];
}
break;
case 'curl.cainfo':
if ($v !== "") {
if (substr($v, 0, 1) !== DIRECTORY_SEPARATOR || $cfg['is_win'] && substr($v, 1, 2) !== ":" . DIRECTORY_SEPARATOR) {
[$result, $reason] = [TEST_LOW, "CURLOPT_CAINFO must be an absolute path."];
} elseif (!is_readable($v)) {
[$result, $reason] = [TEST_LOW, "CURLOPT_CAINFO is set but not readable."];
}
}
break;
case 'docref_root':
case 'docref_ext':
if ($v !== NULL && $v !== "") {
[$result, $reason] = [TEST_LOW, "docref is set."];
$recommendation = $helptext['docref_*'];
}
break;
case 'default_charset':
if ($v == "") {
[$result, $reason] = [TEST_HIGH, "default charset not explicitly set."];
$recommendation = $helptext['default_charset=empty'];
} elseif (stripos($v, "iso-8859") === 0) {
[$result, $reason] = [TEST_MAYBE, "charset without multibyte support."];
$recommendation = $helptext['default_charset=iso-8859'];
} elseif (strtolower($v) == "utf8") {
[$result, $reason] = [TEST_HIGH, "'UTF-8' misspelled (without dash)."];
$recommendation = $helptext['default_charset=typo'];
} elseif (strtolower($v) == "utf-8") {
// ok.
} else {
[$result, $reason] = [TEST_COMMENT, "custom charset."];
$recommendation = $helptext['default_charset=custom'];
}
break;
case 'default_mimetype':
if ($v == "") {
[$result, $reason] = [TEST_HIGH, "default mimetype not set."];
}
break;
case 'default_socket_timeout':
if (intval($v) > 60) {
[$result, $reason] = [TEST_LOW, "default socket timeout rather big."];
}
break;
case 'doc_root':
if (!$cfg['is_cgi']) {
[$result, $reason] = [TEST_SKIPPED, "no CGI environment."];
break;
}
if (ini_get('cgi.force_redirect')) {
[$result, $reason] = [TEST_SKIPPED, "cgi.force_redirect is on instead."];
break;
}
if ($v == "") {
[$result, $reason] = [TEST_MEDIUM, "doc_root not set."];
$recommendation = $helptext['doc_root=empty'];
}
break;
case 'error_prepend_string':
case 'error_append_string':
if ($v !== NULL && $v !== "") {
[$result, $reason] = [TEST_MAYBE, "$k is set."];
$recommendation = $helptext['error_append_string'];
}
break;
case 'error_reporting':
if (error_reporting() == 0) {
[$result, $reason] = [TEST_LOW, "error reporting is off."];
}
break;
case 'extension_dir':
if ($v !== NULL && $v !== "") {
if (realpath($v) === FALSE) {
[$result, $reason] = [TEST_SKIPPED, "path is invalid or not accessible."];
} elseif (is_writable($v) || is_writable_or_chmodable($v)) {
[$result, $reason] = [TEST_HIGH, "path is writable or chmod-able."];
}
}
break;
case 'exit_on_timeout':
if (!isset($_SERVER["SERVER_SOFTWARE"]) || strncmp($_SERVER["SERVER_SOFTWARE"], "Apache/1", strlen("Apache/1")) !== 0) {
[$result, $reason] = [TEST_SKIPPED, "only relevant for Apache 1."];
} elseif (!is_on($v)) {
[$result, $reason] = [TEST_LOW, "not enabled."];
}
break;
case 'filter.default':
if ($v !== "unsafe_raw") {
[$result, $reason] = [TEST_MAYBE, "global input filter is set."];
}
break;
case 'highlight.bg':
case 'highlight.comment':
case 'highlight.default':
case 'highlight.html':
case 'highlight.keyword':
case 'highlight.string':
if (extension_loaded('pcre') && preg_match('/[^#a-z0-9]/i', $v) || strlen($v) > 7 || strpos($v, '"') !== FALSE) {
[$result, $reason] = [TEST_MEDIUM, "suspicious color value."];
$recommendation = $helptext['highlight.*'];
}
break;
case 'iconv.internal_encoding':
case 'iconv.input_encoding':
case 'iconv.output_encoding':
if (PHP_MAJOR_VERSION > 5 || PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 6) {
if ($v !== "") {
[$result, $reason] = [TEST_COMMENT, "not empty."];
$recommendation = $helptext['iconv.internal_encoding!=empty'];
}
} else {
[$result, $reason] = [TEST_SKIPPED, "not PHP >=5.6"];
}
break;
case 'asp_tags':
if (is_on($v)) {
[$result, $reason] = [TEST_MAYBE, "ASP-style tags enabled."];
}
break;
case 'ldap.max_links':
if (intval($v) == -1) {
[$result, $reason] = [TEST_MAYBE, "Number of LDAP connections not limited."];
} else if (intval($v) > 5) {
[$result, $reason] = [TEST_MAYBE, "More than 5 LDAP connections allowed."];
}
break;
case 'log_errors_max_len':
$v = ini_atol($v);
if ($v == 0 || $v > 4096) {
[$result, $reason] = [TEST_MEDIUM, "Value rather big or not limited."];
}
break;
case 'mail.add_x_header':
if ($v) {
[$result, $reason] = [TEST_MEDIUM, "Filename exposed."];
}
break;
case 'mail.force_extra_parameters':
if ($v) {
[$result, $reason] = [TEST_COMMENT, "not empty."];
$recommendation = "just FYI.";
}
break;
case 'intl.default_locale':
if ($v == "") {
[$result, $reason] = [TEST_COMMENT, "ICU default locale not set."];
}
break;
case 'intl.error_level':
if (intval($v) & E_ERROR) {
[$result, $reason] = [TEST_MAYBE, "ICU functions fail with error."];
}
break;
case 'intl.use_exceptions':
if (is_on($v)) {
[$result, $reason] = [TEST_MAYBE, "intl functions throw exceptions."];
}
break;
case 'last_modified':
if (is_on($v)) {
[$result, $reason] = [TEST_LOW, "is set."];
}
break;
case 'zend.multibyte':
if (is_on($v)) {
[$result, $reason] = [TEST_HIGH, "Multibyte encodings are active."];
}
break;
case 'runkit.internal_override':
if (is_on($v)) {
[$result, $reason] = [TEST_CRITICAL, "Internal functions override is enabled"];
}
break;
case 'phar.readonly':
if (!is_on($v)) {
[$result, $reason] = [TEST_LOW, "Phar files aren't readonly."];
}
break;
case 'phar.require_hash':
if (!is_on($v)) {
[$result, $reason] = [TEST_LOW, "Signature check for phar is disabled."];
}
break;
case 'ffi.enable':
if (is_on($v)){
[$result, $reason] = [TEST_HIGH, "FFI is enabled."];
}
/* ===== known, but extra check below. ===== */
case 'error_log':
case 'include_path':
case 'mail.log':
case 'upload_tmp_dir':
// silently ignore this option
$ignore = 1;
break;
/* ===== known, but probably not security relevant ===== */
case 'precision':
case 'assert.bail':
case 'assert.quiet_eval':
case 'assert.warning':
case 'assert.exception':
case 'auto_detect_line_endings':
case 'bcmath.scale':
case 'browscap':
case 'date.default_latitude':
case 'date.default_longitude':
case 'date.sunrise_zenith':
case 'date.sunset_zenith':
case 'date.timezone':
case 'dba.default_handler':
case 'enable_post_data_reading':
case 'engine': // can only be 1 here anyway.
case 'exif.decode_jis_intel':
case 'exif.decode_jis_motorola':
case 'exif.decode_unicode_intel':
case 'exif.decode_unicode_motorola':
case 'exif.encode_jis':
case 'exif.encode_unicode':
case 'filter.default_flags':
case 'from':
case 'gd.jpeg_ignore_warning':
case 'html_errors':
case 'ignore_repeated_errors':
case 'ignore_repeated_source':
case 'ignore_user_abort':
case 'implicit_flush':
case 'report_memleaks': // may be relevant, but only active in debug builds anyway
case 'session.auto_start':
case 'session.cache_expire':
case 'session.cache_limiter':
case 'short_open_tag':
case 'track_errors':
[$result, $reason] = [TEST_OK, "any value is ok"];
break;
/* ===== unknown / ignored ===== */
default:
[$result, $reason] = [TEST_UNKNOWN, "unknown / not checked."];
}
if ($ignore) { continue; }
if ($result === NULL) {
tres($meta, TEST_OK);
} elseif ($result === TEST_SKIPPED) {
tres($meta, $result, $reason);
} else {
tres($meta, $result, $reason, $recommendation);
}
}
}
test_all_ini_entries();
// --- other checks ---
// old version of this script?
function test_pcc_need_update()
{
global $cfg, $pcc_date, $pcc_version;
if (version_compare(PHP_VERSION, '5.1.0') >= 0) {
date_default_timezone_set("UTC"); // avoid incorrect timezone warnings in strtotime()
}
if (stripos($pcc_version, "-dev") !== FALSE || stripos($pcc_version, "-rc") !== FALSE) {
if (time() > strtotime($pcc_date) + (24*3600*90)) { $cfg['need_update'] = 1; }
} elseif (time() > strtotime($pcc_date) + (24*3600*270)) { $cfg['need_update'] = 1; }
}
test_pcc_need_update();
// old php version?
function test_old_php_version()
{
$meta = tdesc("PHP Version", "Checks whether your PHP version is unsupported");
if (version_compare(PHP_VERSION, '8.0') >= 0) {
tres($meta, TEST_OK, "PHP version = " . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION);
} elseif (version_compare(PHP_VERSION, '7.4') >= 0) {
tres($meta, TEST_HIGH, "PHP version is older than 8.0",
"PHP 7 is no longer officially maintained. PHP 7.4 support ended in Nov. 2022." .
"While your PHP version is not officially supported by the PHP group anymore, it may still be possible that some distributors maintain security backports. Please make sure your version receives security patches from other sources or upgrade PHP as soon as possible.");
} else {
tres($meta, TEST_CRITICAL, "PHP version is older than 7.4",
"Please upgrade PHP as soon as possible. " .
"Old versions of PHP are not maintained anymore and may contain security flaws.");
}
}
test_old_php_version();
// snuffleupagus installed?
function test_snuffleupagus_installed()
{
$meta = tdesc("Snuffleupagus", "Checks whether the Snuffleupagus extension is loaded");
if (extension_loaded("snuffleupagus")) {
tres($meta, TEST_OK);
} else if (PHP_MAJOR_VERSION < 7) {
tres($meta, TEST_SKIPPED, "Snuffleupagus isn't available for PHP < 7");
} else if (defined('HHVM_VERSION')) {
tres($meta, TEST_SKIPPED, "Snuffleupagus is not available for HHVM.");
} else {
tres($meta, TEST_MAYBE, "The Snuffleupagus extension is not loaded", "Snuffleupagus is an advanced protection system for PHP7+. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. For more information see https://snuffleupagus.rtfd.io");
}
}
test_snuffleupagus_installed();
// logfile inside document root?
function test_log_in_document_root($inientry, $value_if_not_set=null)
{
global $cfg;
$inivalue = ini_get($inientry);
if ($inivalue === "" || $inivalue === false) {
$inivalue = $value_if_not_set;
}
$meta = tdesc("$inientry in document root", "Checks if $inientry path is in the current document root");
if ($cfg['is_cli']) { tres($meta, TEST_SKIPPED, "CLI"); }
elseif ($inivalue === null) { tres($meta, TEST_SKIPPED, "$inientry not set."); }
elseif ($inientry === 'error_log' && ini_get($inientry) === "syslog") { tres($meta, TEST_SKIPPED, "error_log to syslog."); }
elseif (!isset($_SERVER['DOCUMENT_ROOT'])) { tres($meta, TEST_SKIPPED, "DOCUMENT_ROOT not set."); }
else {
$log_realpath = realpath($inivalue);
$document_root_realpath = realpath($_SERVER['DOCUMENT_ROOT']);
if ($log_realpath === FALSE) { /* maybe new/nonexistent file? => use dirname instead */
$log_realpath = realpath(dirname($inivalue));
}
if ($log_realpath === FALSE) { tres($meta, TEST_SKIPPED, "$inientry invalid or relative path."); }
elseif ($document_root_realpath === FALSE) { tres($meta, TEST_SKIPPED, "DOCUMENT_ROOT invalid or relative path."); }
elseif (strncmp($log_realpath . DIRECTORY_SEPARATOR, $document_root_realpath . DIRECTORY_SEPARATOR, strlen($document_root_realpath)+1) === 0) {
tres($meta, TEST_HIGH, "$inientry in DOCUMENT_ROOT.", "The $inientry logfile is located inside the document root directory and may be accessible publicly. Logfiles should always point to a file outside the document root.");
} else { tres($meta, TEST_OK, "$inientry outside of DOCUMENT_ROOT."); }
}
}
test_log_in_document_root('error_log');
test_log_in_document_root('mail.log');
test_log_in_document_root('upload_tmp_dir', sys_get_temp_dir());
// writable document root?
function test_writable_document_root()
{
$meta = tdesc("Writable document root", "Checks if the current document root is writable");
if (!isset($_SERVER['DOCUMENT_ROOT'])) { tres($meta, TEST_SKIPPED, "DOCUMENT_ROOT not set."); }
elseif (is_writable($_SERVER['DOCUMENT_ROOT'])) {
tres($meta, TEST_HIGH, "document root is writable.", "Making the document root writable may give an attacker the advantage of persisting an exploit. It is probably best to restrict write access to the document root and its subdirectories. Temporary files your application may need to write can be safely stored outside the document root.");
} elseif (is_writable_or_chmodable($_SERVER['DOCUMENT_ROOT'])) {
tres($meta, TEST_MEDIUM, "document root is potentially writable.", "The document root's access permissions prevent write access, but the current user has the right to change these permissions. Please change the directory's owner.");
} else {
tres($meta, TEST_OK, "document root not writable.");
}
}
test_writable_document_root();
// include_path writable?
function test_include_path_writable()
{
$meta = tdesc("Writable include_path", "Checks if at least one directory listed in the include_path is writable");
$result = 0;
$checked = 0;
foreach (explode(':', ini_get('include_path')) as $dir) {
if ($dir === "") { continue; }
$checked++;
$absdir = realpath($dir);
if ($absdir === FALSE) { continue; } // path does not exist? -> ignore
if (is_writable($absdir)) {
tres($meta, TEST_HIGH, "The directory '" . $dir . "' is writable.", "An attacker may try to place a file here.");
$result = 1;
} else if (is_writable_or_chmodable($absdir)) {
tres($meta, TEST_HIGH, "The directory '" . $dir . "' is potentially writable.", "The current user has the right to change its permissions.");
$result = 1;