Saturday, March 15, 2014

How to use PhpSecInfo to check PHP configuration vulnerability



INTRODUCTION

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
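
To illustrate the kind of configuration check described above, here is an added example (not PhpSecInfo's code and not part of the original post): a Python script that audits php.ini text for four boolean directives and reports the ones that end up On, including directives left unset where PHP's built-in default applies. The choice of directives, the "recommended Off" policy and the sample input are assumptions made for this example, and it reads php.ini text rather than the running interpreter.

```python
# Directive -> PHP built-in default. Every directive listed is recommended Off
# in production. Assumption: an illustrative set, not PhpSecInfo's rule list.
DEFAULTS = {"allow_url_include": False, "allow_url_fopen": True,
            "display_errors": True, "expose_php": True}
TRUE_WORDS = {"on", "true", "yes"}

def parse_ini(text):
    """Return {directive: raw value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments (quoted ';' not handled)
        if not line or line.startswith("["):   # blank line or [section] header
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_on(name, raw):
    """Interpret a php.ini boolean; display_errors also accepts 'stderr'."""
    v = raw.lower()
    if v.lstrip("-").isdigit():
        return int(v) != 0
    return v in TRUE_WORDS or (name == "display_errors" and v == "stderr")

def audit(text):
    """Return sorted (directive, source) pairs for directives that are On."""
    settings, findings = parse_ini(text), []
    for name, default in DEFAULTS.items():
        if name in settings:
            enabled, source = is_on(name, settings[name]), "php.ini"
        else:
            enabled, source = default, "PHP default"  # unset: default applies
        if enabled:
            findings.append((name, source))
    return sorted(findings)

# Constructed sample input, not taken from a real server.
SAMPLE = """\
[PHP]
; expose_php is not set, so the built-in default (On) applies
display_errors = On      ; development setting left enabled
allow_url_fopen = Off
allow_url_include = Off
allow_url_include = "1"  ; a later duplicate overrides the line above
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```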

STEPS

1) Download the phpsecinfo.zip here.
2) Extract the folder phpsecinfo-20070406 and copy it into the htdocs folder.
3) While the Apache server is running, browse to http://localhost/phpsecinfo


3.1) Some of the reported items include:

For you to try: Click the links above to learn more about them.

REFERENCES:

2) http://www.madirish.net/?article=229 (hardening php.ini)
6) https://github.com/psecio/iniscan (command line ini scanner)
