PhpSecInfo scans the PHP installation for common security issues.

It is installed on carson in ~www/php/phpsecinfo-20070406/.

~www/php/PhpSecInfo is a link into the PhpSecInfo release.

If you upgrade PHPSecInfo

The code is depressingly linux-centric. In phpsecinfo-date/PhpSecInfo/Test/Test.php, in the function getUnixId(), edit the line
$id_raw = exec('id');
to read
$id_raw = exec('/bin/id -a');
This prevents a couple of spurious errors due to differences between the Solaris & Linux id command line utils.

Additionally, in both PhpSecInfo/Test/Core/upload_tmp_dir.php and PhpSecInfo/Test/Session/save_path.php, at around the line
if ($this->current_value
&& !preg_match("|".PHPSECINFO_TEST_COMMON_TMPDIR."/?|", $this->current_value)

comment out the call to preg_match(). Both tests incorrectly flag an upload dir whose path contains "/tmp".

How to run PhpSecInfo

  1. carson: https://chesstst.eecs.berkeley.edu:444/phpsecinfo/
  2. andrews: https://chess.eecs.berkeley.edu/phpsecinfo/

PhpSecInfo Warnings

allow_url_fopen
On Gigascale, Ignore - Needed by the GSRC site for pulling over streaming video from gigavault.
On CHESS/TRUST/Embedded - Possibly Fix? - we could try disabling it.
file_uploads
Ignore - Needed for file uploads.
magic_quotes_gpc
Possibly Fix? - I think PhpMysqlAdmin requires this? We should consult with Allen.
memory_limit
Possibly Fix? - Maybe we can cut this down. Note that if it is too small, then file uploads might have problems??
open_basedir
Possibly Fix? - We could try setting this, though I had problems. The file to edit is /usr/local/lib/php.ini and then (as root), run
/etc/init.d/apachectl graceful
and then exercise the website.
post_max_size
Ignore - we need 15Mb uploads for presentations.
upload_tmp_dir
Fix - we can make this directory owned and only writable by the proper user (apache?)
save_path
Fix - we can make this directory owned and only writable by the proper user (apache?)
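To check the two "Fix" items above, here is an added example (not from the PhpSecInfo release or this page) that reads upload_tmp_dir and session.save_path out of a php.ini and verifies that each directory is owned by the web server user and writable only by that user; the php.ini path and the expected owner name are assumed arguments.

```sh
# Added example, not part of PhpSecInfo. Assumes php.ini uses "key = value"
# lines as in /usr/local/lib/php.ini; the owner name is whatever user the
# web server runs as (the "apache?" question above).

# Print the value of one php.ini directive (quotes and trailing ; comments removed).
php_ini_value() {
    ini=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$ini" \
        | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//' | head -n 1
}

# Return 0 if DIR exists, is owned by OWNER and is not group/world writable.
# Uses ls -ld instead of stat -c so it behaves the same on Solaris and Linux.
check_php_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    set -- $(ls -ld "$dir")
    mode=$1; actual=$3
    [ "$actual" = "$owner" ] || { echo "$dir: owned by $actual, expected $owner"; return 1; }
    case $mode in
        ?????w*) echo "$dir: group writable ($mode)"; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world writable ($mode)"; return 1 ;;
    esac
    echo "$dir: ok ($mode, owner $actual)"
    return 0
}

# Check both scratch directories named in INI. An unset directive means PHP
# falls back to the shared system tmp dir, which is exactly what PhpSecInfo
# warns about, so that counts as a failure too.
check_php_ini_dirs() {
    ini=$1; owner=$2; rc=0
    for key in upload_tmp_dir session.save_path; do
        dir=$(php_ini_value "$ini" "$key")
        if [ -z "$dir" ]; then
            echo "$key: not set (PHP will use the shared system tmp dir)"; rc=1
        else
            check_php_dir "$dir" "$owner" || rc=1
        fi
    done
    return $rc
}
```

Run it as `check_php_ini_dirs /usr/local/lib/php.ini apache` after editing php.ini and before the apachectl graceful restart.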