Unsafe Configuration

php.unsafe_configuration

Severity

high

Resource

Misconfiguration

Language

Php

Description

Unsafe PHP configurations can result in security vulnerabilities.

Rationale

Misconfigured PHP environments can expose applications to various security vulnerabilities, such as code execution, information disclosure, and denial of service.

Here is a vulnerable code example:

<?php
  ini_set("error_reporting","E_ALL & ~E_NOTICE"); // FLAW
  ini_set("display_errors","On"); // FLAW
?>

In the code above, both error_reporting and display_errors are not used properly.

Also, this is configurable in both the php.ini and the .htaccess file for PHP:

[PHP]

error_reporting = E_ALL & ~E_NOTICE
display_errors = On

<IfModule mod_php5.c>
  php_value       error_reporting   "E_ALL & ~E_NOTICE"
  php_flag        display_errors On
</IfModule>

Remediation

By verifying that essential settings are enabled, disabled, or unset as required, and ensuring that error reporting levels do not leak sensitive information, the detector helps prevent security risks associated with misconfiguration.

Properly configured settings mitigate potential attack vectors and ensure a more secure PHP environment.

Configuration

The detector has the following configurable parameters:

settingsEnabled, that indicates the settings that must be enabled.
settingsDisabled, that indicates the settings that must be disabled.
settingsRequired, that indicates the settings that must exist.
disabledFunctions, that indicates the disabled functions that must be configured.
errorReporting, that indicates the error reporting allowed value.

References

CWE-16