I'm running a webserver with multiple virtualhosts running php CMS software.
My server got hit hard a couple of months ago when a serious vulnerability was discovered in one of these php systems and my setup was really unsecure. So now I'm trying to secure php, but my googling has made me really confused
->
about what is safe and what is not.
What I have done for now following a few recomendations is setting:
error_reporting, register_globals and magic_quotes OFF
disable_functions to system,exec,passthru,popen,escapeshellcmd,shell_exec
and each Virtualhost has php_admin_value open_basedir set to its web directory via httpd.conf
Now, in hope of someone wiser than me will read this and care to guide me, I ask.
Is this solution somewhere close to limiting each virtualhosts php access to it's directory?
Are there maybe some more functions I should consider adding to disable_functions directive?
Should I opt for running php as CGI with suExec? As I understand it (remember
), there is a considerable degrade in performance, and a bunch of new security considerations with that, and I'm not keen on opening any Pandora's boxes.
Any and all suggestions/questions are very much appreciated.
TIA, Eggert Johannesson