Do you use, or allow PHP "register_globals"?

[SoftDux]

Hi all,

Some of our client's websites were hacked, or rather cracked, and defaced in the past few weeks. And while it's no fun to recover the website and attempt to secure them, I have run into a few "obstacles" on the cPanel server.

We have updated all the software to the latest and applied a few extra security measures to the server. But from what I gather, the crackers used SQL injection, or other weak scripting methods to get into the websites. No server security was compromised. So, I though I would harden PHP even more, and noticed that magic_quotes is enabled.

Apart from the fact that PHP 5.3 & PHP 6 won't support magic_quotes, what other reason would there be to still run it? The server is a shared hosting server with approx 400 accounts on it, running various scripts from Joomla! to SMF, to phpBB, vBulletin, WHMCS, Drupal, custom websites, OSCommerce, phplist, etc (most of the OSS scripts that can be installed from Fantastico or Softacoulus).


Does anyone know of any problems I could run into if I disable magic_quotes altogether?

[Spiral]

Be careful, there are several different types of "magic_quotes" and some you actually do want enabled while others you do not.

Now regarding security hardening, I can help you a great deal with that.

[SoftDux]

well, the question isn't really as much about security, but more about usability. The moment you improve security, you tend to break functionality and users get upset about it.

The fact remains though, that magic_quotes ( I see now that I named the thread incorrectly) will be discontinued on PHP 5.3, so whether I disable it now, or it gets disabled later won't really matter much. After all, it's a purpose was to secure "lazy code" and as such does give a sense of false security, although it does work great.

BUT, how much damage will it cause if I disable it altogether?

[Spiral]

well, the question isn't really as much about security, but more about usability. The moment you improve security, you tend to break functionality and users get upset about it.

To a certain extent that is true but having extremely robust security doesn't necessarily mean killing usability. Those are not mutually exclusive and setting up extreme security with minimal user and application usability impact is precisely my specific area of expertise!

Regarding your question about magic_quotes, there are several different types of magic_quotes and not all of them necessarily need be disabled. This is also not as likely the attack point unless your server is configured very loosely with little to no security in the first place. In the larger scheme, it's a relatively small issue anyway.

Aside from paying closer attention to the PHP configuration line by line and installing measures to prevent user overrides, I would also consider installing both ModSecurity w/ GotRoot ruleset and SuHoSin along with the hardening PHP patch which will help protect you from SQL injection and programming error exploits, and other vulnerabilities. ModSecurity and SuHosin can be installed from EasyApache but you will need to go into their
configurations afterwards to change the ruleset in the case of ModSecurity and optimize SuHosin as well.

If you would like me to review your server to at the very least show you the areas where you could focus on improvement, I would certainly be glad to do that for you no problem.