Securing php with mod_security

Wednesday, 6 August 2008 at 11:06 UTC

Learning from Facebook: Preventing PHP Leakage

In 2007 there was the Facebook code leak. PHP has always been notorious for occasionally failing to process a request and sending the page's source code back to the client. Because of the way mod_php works with Apache, if mod_php fails to intercept and process the request, Apache will just serve the file back to the client as an ordinary text file. Let's touch on a few solutions for preventing PHP code from leaking:

Use mod_security to filter output and prevent leakage

mod_security is so damn good that it should be included in Apache by default (and there should be some default rules in the default conf files). You can write mod_security rules that detect when the output is PHP source code and stop it from hitting the wire, giving the user an error page instead. You can also detect other information leakage and prevent it from escaping. When writing a rule to detect PHP in the output, you can run a regexp against the PHP tags (eg. '<?php' and '?>') or include a special token in your PHP that identifies it as source code (eg. put the comment /* THIS_IS_PHP_SOURCE */ at the top of each PHP page, and if mod_security sees that in the output, kill the response). Here is a simple sample mod_security rule that will filter output:

SecFilterScanOutput On
SecFilterSelective OUTPUT "<?php" log,deny
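The two directives above are mod_security 1.x syntax. The same output filter in ModSecurity 2.x syntax, covering both the tag regexp and the marker-comment approach described above, is given here as an added example (it is not the post's own rule; the rule id 100001, the 512 KB body limit and the marker string are assumptions):

```apache
SecRuleEngine On

# Phase-4 rules can only inspect a response if its body is buffered.
SecResponseBodyAccess On

# A leaked script is served as text/plain (or text/html if the default type was
# changed), so buffer exactly those types; static assets are left alone.
SecResponseBodyMimeType text/plain text/html

# Cap buffering. ProcessPartial inspects only the first 512 KB of larger bodies,
# which is enough when the marker comment sits at the top of every file.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Block any response that carries a PHP open tag or the source marker.
# Plain "<?" is deliberately not matched: "<?xml" in RSS/XHTML output would trip it.
SecRule RESPONSE_BODY "@rx (?:<\?php\b|<\?=|THIS_IS_PHP_SOURCE)" \
    "id:100001,phase:4,t:none,deny,status:500,log,msg:'PHP source code in response body'"
```

The tag regexp fires on any page that legitimately displays PHP snippets (a tutorial, a post like this one), which is the argument for the marker comment: a PHP comment never reaches rendered output, so seeing THIS_IS_PHP_SOURCE on the wire means the file was served unprocessed.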

For more on mod_security (essential!), see this onlamp article (old but a good intro)

Code should live outside of the web root

You should keep all logic and sensitive code outside of the web root. You can then pull the logic files in with include(). You should already be doing this with any files that store database information or passwords, but you could take this to an extreme and have only a single index.php inside your webroot, which includes a file outside of the webroot where everything actually happens, eg:
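The layout the paragraph describes, written out as an added example (this is not the post's own snippet; the paths /var/www/html and /var/www/app, the config.php file and the pages/ directory are assumptions):

```php
<?php
/* THIS_IS_PHP_SOURCE */
// /var/www/html/index.php -- the only file inside the webroot.
// It does nothing but hand off to code that Apache can never serve directly.
declare(strict_types=1);

// The application lives in a sibling directory of the webroot, not under it.
define('APP_ROOT', dirname(__DIR__) . '/app');

require APP_ROOT . '/bootstrap.php';
```

```php
<?php
/* THIS_IS_PHP_SOURCE */
// /var/www/app/bootstrap.php -- outside the webroot; the real logic starts here.

// Only the front controller defines APP_ROOT, so a direct include from
// anywhere else stops at this guard.
if (!defined('APP_ROOT')) {
    http_response_code(403);
    exit('forbidden');
}

// Credentials stay in a file that is also outside the webroot (assumed to
// return an array such as ['db_dsn' => ..., 'db_user' => ..., 'db_pass' => ...]).
$config = require APP_ROOT . '/config.php';

// Fixed route table: the request path selects from a whitelist of files and is
// never used to build a filename, so a crafted URL cannot include arbitrary files.
$routes = [
    '/'      => 'home.php',
    '/login' => 'login.php',
];
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$page = $routes[$path] ?? '404.php';

require APP_ROOT . '/pages/' . $page;
```

Even if mod_php stopped working, the worst Apache could leak from the webroot is the ten-line front controller; the credentials and application code are not under DocumentRoot and have no URL.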



Change the default file type

By default, Apache will treat files as text/plain, meaning that if the extension of a file doesn't match a handler (eg. .php files processed by mod_php), it will send the file back as plain text. If you accidentally change a file's extension, or if an attacker somehow forces an alternate extension, the plain-text source can be retrieved. To prevent this, with PHP apps you may want all files to be treated as PHP (and then have certain types handled as plain text). Modify the following directive in httpd.conf:


DefaultType application/x-httpd-php

Deny all outside of the webroot

Assuming your webroot is 'www', you want every other directory and file not to be served. Common sense:

httpd.conf (or .htaccess):

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

<Directory /www>
Order Allow,Deny
Allow from all
</Directory>
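The two config sections above (the default file type and the deny-all-outside-the-webroot block) combined in Apache 2.4 syntax, as an added example rather than the post's own configuration. Apache 2.4 dropped the Order/Allow/Deny directives in favour of Require, and DefaultType is disabled there (it only accepts None), so the "treat everything as PHP" trick is done with ForceType instead. The paths and the list of static-asset extensions are assumptions, and the handler name applies to mod_php (a php-fpm setup uses SetHandler with its proxy handler instead):

```apache
# httpd.conf, Apache 2.4

# 1. Nothing on the filesystem is served unless a later block opens it up.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# 2. The webroot is the only directory opened.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Require all granted

    # 2.4 replacement for "DefaultType application/x-httpd-php": a file with an
    # unexpected extension (index.php.bak, config.inc, ...) is still run through
    # mod_php rather than sent back as plain text.
    ForceType application/x-httpd-php

    # Static assets are the only files allowed to be served as they are.
    <FilesMatch "\.(?:css|js|png|jpg|gif|ico)$">
        ForceType None
    </FilesMatch>
</Directory>
```

Note that <Directory> blocks are only valid in the server configuration, not in .htaccess, and with AllowOverride None set on / an .htaccess file cannot loosen any of this from inside the webroot.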


Entry filed under: programming.

