PHPSecInfo

3 comments | Posted: 28 October 07 in General, by Yannick Lyn Fatt

The security of web applications and the environment in which they operate is always an important topic. Unfortunately, the fact remains that security is often overlooked or left until the end of development. If you are a PHP programmer, let's change that and take a minute right now to check the security of your PHP environment. Luckily, Ed Finkler, a web application developer and security expert, has created a tool to give you a head start on doing just that.

PHPSecInfo is a tool for auditing the security of a PHP environment, presenting test results and suggestions in a format similar to the phpinfo() function.

PHPSecInfo should not be considered a replacement for secure development techniques. It tests the configuration of the PHP environment, not the security of your application code. If you would like more information on securing your application, I've provided links to some additional resources at the end of the article.

Installing PHPSecInfo is a cinch. All you need is a server running PHP. Download the ZIP file, extract its contents to a folder on your web server, then browse to that folder in your favourite web browser. One caveat: because the page reports configuration details in the same way phpinfo() does, restrict access to that folder and remove it once you have read the results rather than leaving it reachable on a public server. You should see something along the lines of the following:

[Screenshots: several panels of PHPSecInfo Test Results, followed by PHPSecInfo Test Information]

As you'll probably realize, a green result means your PHP environment passed that particular test, yellow is a notice and red is a warning. All green would be ideal, but some notices may be unavoidable depending on what your applications need. An example is the file_uploads directive. If it is enabled, PHPSecInfo reports a notice. If you are not going to upload files through PHP, disable the directive in php.ini; if your application does accept uploads, leave it on and accept that the notice will remain, which is fine as long as you know why it is there.
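To make the pass/notice/warning idea concrete, here is a small audit script in the same spirit as PHPSecInfo. It is an added example written for this article, not PHPSecInfo's own code: it reads a handful of php.ini directives with ini_get() and grades each one, printing the php.ini line that would clear the finding. The choice of directives and the severity assigned to each are this example's assumptions, not PHPSecInfo's test catalogue; the file_uploads case matches the notice discussed above.

```php
<?php
// Added example, not PHPSecInfo's own code: a minimal environment audit in
// the same spirit. It reads php.ini directives with ini_get() and grades each
// one Pass, Notice or Warning, mirroring the green/yellow/red scheme above.
// The list of directives and the severity given to each are this example's
// assumptions, not PHPSecInfo's test catalogue.

// Each check names a directive that is a risk when enabled, the severity to
// report if it is, the php.ini line that fixes it, and a one-line reason.
function checks(): array
{
    return [
        ['directive' => 'file_uploads',     'severity' => 'Notice',
         'fix' => 'file_uploads = Off',
         'why' => 'only needed if the application accepts uploads'],
        ['directive' => 'allow_url_fopen',  'severity' => 'Warning',
         'fix' => 'allow_url_fopen = Off',
         'why' => 'lets file functions and include() fetch remote URLs'],
        ['directive' => 'display_errors',   'severity' => 'Warning',
         'fix' => 'display_errors = Off',
         'why' => 'error output leaks file paths and code details to visitors'],
        ['directive' => 'expose_php',       'severity' => 'Notice',
         'fix' => 'expose_php = Off',
         'why' => 'advertises the PHP version in the X-Powered-By header'],
        ['directive' => 'register_globals', 'severity' => 'Warning',
         'fix' => 'register_globals = Off',
         'why' => 'turns request parameters into global variables'],
    ];
}

// ini_get() returns strings such as "1", "0", "On", "Off" or "" depending on
// how the value was written in php.ini; normalise them to a boolean.
function ini_enabled(string $raw): bool
{
    $v = strtolower(trim($raw));
    return !in_array($v, ['', '0', 'off', 'false', 'no', 'none'], true);
}

// Run every check against the running interpreter. A directive this PHP
// version no longer knows (ini_get() returns false, e.g. register_globals on
// PHP 5.4 and later) is reported as Pass because it cannot be enabled.
function audit(array $checks): array
{
    $results = [];
    foreach ($checks as $c) {
        $raw = ini_get($c['directive']);
        $enabled = $raw !== false && ini_enabled($raw);
        $results[] = [
            'directive' => $c['directive'],
            'value'     => $raw === false ? '(not available)' : ($raw === '' ? '(empty)' : $raw),
            'status'    => $enabled ? $c['severity'] : 'Pass',
            'fix'       => $enabled ? $c['fix'] : '',
            'why'       => $c['why'],
        ];
    }
    return $results;
}

// Plain-text report, one line per directive plus the php.ini fix when needed.
foreach (audit(checks()) as $r) {
    printf("%-8s %-17s %-15s %s\n", $r['status'], $r['directive'], $r['value'], $r['why']);
    if ($r['fix'] !== '') {
        printf("%-8s php.ini: %s\n", '', $r['fix']);
    }
}
```

Run it with `php audit.php` (the filename is arbitrary). Note that the command-line SAPI can read a different php.ini from the web server's and also forces display_errors on, so a finding from the CLI does not necessarily apply to your web setup; to audit what your application actually runs under, serve the script through the same web server, and, as with PHPSecInfo, delete it afterwards because it discloses configuration.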

One of the nice things about PHPSecInfo is that it doesn't just point out the problems and then leave you hanging. Each test comes with a link to more information. This takes you to an external website that explains the test further, describes the security implications and gives recommendations on how to make your PHP environment more secure.

As I mentioned before, PHPSecInfo isn't the be-all and end-all of testing the security of your PHP environment or application. There are other things you can do, but they are out of the scope of this article. For now, give PHPSecInfo a try and, if you would like, feel free to contribute to the project by proposing new tests, offering suggestions and feedback, or writing tests and documentation.

Additional Resources:

Discuss This Topic

  1. Nathan Smith

    Thanks for the heads-up about this tool, Yannick. It’s good to see a “validator” of sorts, for server-side languages. Given the widespread use of PHP by companies and hobbyists alike, this looks like a valuable resource.

  2. Derek Allard

    Man… Ed has been doing some nice work lately. Thanks for the heads up Yannick (time to go bug Ed about writing up a how-to for this for CodeIgniter).

  3. Tom McCaul

    Rather than writing a how-to, you need to write a PHPCodeIgniterSec, as this is riddled with bugs.

    Great tool btw, few changes to my server needed :)


Comments closed after 2 weeks.