2

I have a website with a webhost company. I wrote a little php/mysql application - no file uploads, just administering data from the DB and creating pdf with TCPDF. There are folders like css and js but nothing else.

As I have limited control on the shared host, what would be the best practice to keep the files safe but executable?

So let's say:

index.php
connect_db.php
page1.php
functions.php
IMAGES folder
CSS folder
TCPDF folder  
.htaccess
php.ini

Update:

The server is a Linux server with PHP 5.2 (optionally 5.3) and I have unlimited webspace... The main reason I am asking is that I had an attack and someone managed to put a folder (nedbank) and an email form on the site to phish personal details. Now I am building the whole site from scratch and would like to cover every aspect.

I also broke this question into more questions so that people might use them as good-practice resources as well.

TryHarder
  • can you provide some more information, such as what web server is running and what you mean by safe. Safe from SQLi? Safe from deletion? Also, what type of shared host is it? I am assuming your storage space is only accessible to you - is that correct? – Rory Alsop Sep 14 '11 at 11:48
  • the question remains - what do you want to protect against? – chris Sep 15 '11 at 10:06
  • thanks for the comment. I don't want people/hackers to be able to modify files or be able to create folders/files on the server and list directories. I think this is what you can do with permissions but I am a beginner so I might be wrong. – TryHarder Sep 15 '11 at 13:20
  • On a shared host you are vulnerable to the weakest component of the host. If the administrator of the shared host is lax, an attacker may compromise your site despite your protections. Is there a third party administrator? – this.josh Sep 16 '11 at 08:35
  • thanks for the reply, no I rent this host myself there is no one between Heartinternet and my company. – TryHarder Sep 16 '11 at 11:02

1 Answer

8

Remember .php is executing in the PHP application stack on the server. It may have access to do more than just a user browsing the web site.

These are my suggestions (not a complete list) for PHP on Apache with limited server access. Hopefully this will get you started in the right direction...

Sanitise Database Calls

When reading and writing to a database, sanitise your input, especially if you are requiring input from a user. Also be wary about building SQL statements on the fly with user-supplied input. Allowing a ' or a " or any number of other characters in input could allow a user to inject their own commands to, say, query the user table. If possible, restrict user input to a-z, A-Z, 0-9 as this is generally safe.

Here is good stuff that you should know about if you are going to write PHP for your web site.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Apache .htaccess files

Also, you can apply some good lockdowns to your .htaccess file to prevent unwanted use or misuse of your web site files.

http://httpd.apache.org/docs/2.2/howto/htaccess.html

You should limit file permissions on .htaccess where possible by setting something like 644 (rw-r--r--). But for an additional layer also put the following in the .htaccess file for the root of your website.

# Prevent access to .htaccess from web.
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

Limit Permissions

Limit permissions to what you really need. For example, if you don't need execute on php.ini don't grant it (it should probably be set to 600). If you are unsure, start with a low permission level and work your way up. It won't take long to try and you will save yourself the headache later.

Also be careful with execute on image files and files that obviously should not be executed. If someone can use images embedded in your pages to execute code they will if you let them.

If you require access to write to a directory like uploads, then block access to files that are not required. For example, if you have a PDF or image upload directory, .php files probably would not be required, so block them.

<FilesMatch "\.(htaccess|ini|sh|php)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

Better yet, block any file types except the files you need.

Order Allow,Deny
Deny from all

<FilesMatch "\.(jpg|gif)$">
  Order Deny,Allow
  Allow from all
</FilesMatch>

Disable Directory Browsing

If not required, disable it. Giving people access to see what files you have may give them information to attack you better. You could disable it via a .htaccess file in the specific directory or at the root of your site by using something like this.

# Disable directory browsing
Options -Indexes

Third-party Scripts and Applications

If you use third-party scripts, includes or applications in your website, make sure they are from a reputable source and keep them up-to-date. Join mailing lists if required to make sure you know when a new release comes out. A lot of automated attacks against web applications using PHP and other scripting languages use well-known vulnerabilities that have been previously fixed.

Bernie White
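An added example, not part of the original answer: a POSIX shell audit of a webroot against the permission points above (writable entries, execute bits, scripts in static folders, the 600/644 modes), plus a check for unexpected top-level entries such as the folder described in the question. The EXPECTED manifest, the STATIC_DIRS names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. EXPECTED and STATIC_DIRS are assumptions based on the question's file list.
EXPECTED="index.php connect_db.php page1.php functions.php images css js tcpdf .htaccess php.ini"
STATIC_DIRS="images css js"

audit_webroot() {
  root=$1
  # 1. Group- or world-writable entries can be changed by other accounts on the host.
  find "$root" ! -type l \( -perm -020 -o -perm -002 \) | sed 's/^/WRITABLE /'
  # 2. Execute bit on regular files (assumes PHP is run by the server's
  #    interpreter, not as CGI scripts, so no file here needs it).
  find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sed 's/^/EXEC /'
  # 3. Script or config files inside folders meant for static assets only.
  for d in $STATIC_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \( -name '*.php' -o -name '*.sh' -o -name '*.ini' \) |
      sed 's/^/SCRIPT /'
  done
  # 4. Modes suggested in the answer: php.ini 600, .htaccess 644.
  [ -f "$root/php.ini" ] && find "$root/php.ini" ! -perm 600 | sed 's/^/MODE /'
  [ -f "$root/.htaccess" ] && find "$root/.htaccess" ! -perm 644 | sed 's/^/MODE /'
  # 5. Top-level names missing from the manifest, such as a dropped phishing folder.
  for path in "$root"/* "$root"/.[!.]*; do
    [ -e "$path" ] || continue
    name=${path##*/}
    case " $EXPECTED " in *" $name "*) ;; *) echo "UNEXPECTED $path" ;; esac
  done
  return 0
}

# Constructed sample tree: a small site with five planted problems.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir "$t/images" "$t/css" "$t/js" "$t/tcpdf" "$t/nedbank"
  touch "$t/index.php" "$t/connect_db.php" "$t/php.ini" "$t/.htaccess" \
        "$t/images/logo.gif" "$t/images/x.php" "$t/nedbank/form.php"
  find "$t" -type d -exec chmod 755 {} +
  find "$t" -type f -exec chmod 644 {} +   # leaves php.ini at 644, not 600
  chmod 666 "$t/connect_db.php"            # world-writable
  chmod 755 "$t/images/logo.gif"           # execute bit on an image
  echo "$t"
}

# Usage: sh audit.sh /path/to/webroot
if [ $# -gt 0 ]; then audit_webroot "$1"; fi
```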