PHP Security Audit Script

[danlefree]

It did not appear as though anything quite like it existed, so I threw together a PHP security audit script.

Uploaded to your webserver, the script will check known PHP vulnerabilities and provide some general recommendations for securing your PHP installation.

It's still a bit rough / paranoid, though I plan to add vulnerability-specific recommendations and some filters to determine the depth of vulnerability checking in the next revision.

Informed PHP security suggestions (and general usability suggestions) welcomed.

[kgun]

Thank you. The code is downloaded. I will test it when I have free time.

Some fast observations / questions:

1. Why do you not use the recommended PHP documentation? Don't do as I do. Do as I say.
2. Is your file / functions dependent on server configuration, php.ini (that I can not use on my shared server) versus .htaccess?
3. Can it be used on all PHP installations?
4. If the question is no to one of 2 and 3, you should comment it in your code.

[danlefree]

Quote:

Originally Posted by kgun

Why do you not use the recommended PHP documentation? Don't do as I do. Do as I say.

I provide links to the PHP documentation where appropriate (in recommending configuration changes) and I researched the documentation extensively to determine potentially-dangerous functions and configurations.

It is also worth noting that PHP 6.0 does not support "safe mode" (reference), so I have included all functions which safe mode has historically restricted within the script.

Quote:

Originally Posted by kgun

Is your file / functions dependent on server configuration, php.ini (that I can not use on my shared server) versus .htaccess?

The script will parse all loaded PHP configuration directives (whether PHP_INI_ALL, PHP_INI_PERDIR, or PHP_INI_SYSTEM).

Apache override files may load additional directives - those directives will be evaluated as they occur (I am not aware of a good way to distinguish between directive evaluation from within the script, though I will take into account the options which shared hosting users may have if Apache's AllowOverride setting is enabled and PHP is compiled as an Apache module).

Quote:

Originally Posted by kgun

Can it be used on all PHP installations?

The audit script may be used with any webserver installation - while it will also run under a CLI installation there really isn't much of a need (if you're running PHP-CLI it is likely that you are primarily concerned with functionality over security).


Thank you for the preliminary suggestions - I'll take a look at adding some additional instructions to the script (and please do let me know what you think after you've had a chance to run it).

[kgun]

Ran it on one of my websites. It seems like an excellent tool. You should market it, write a book around it and develop it.

Again thank you very much.

[danlefree]

Quote:

Originally Posted by kgun

Ran it on one of my websites. It seems like an excellent tool. You should market it, write a book around it and develop it.

I think I'll give that a shot...

PHP-Security-Audit.com is now online with a few updates to the script

[clonfran]

Thanks so much for your hard work. I have always had concerns about my websites security and have wished for an easy tool to check things. I agree that you should market this tool. It looks like a winner.