In PHP, the php_uname() function returns the server's operating system information, including the kernel version, operating system type, and host name. This information poses a risk to the security of the server: attackers can use it to identify potential vulnerabilities or to plan further attacks. It is therefore important to protect this sensitive information.
The most direct approach is to disable the php_uname() function. This is done by modifying the PHP configuration file php.ini. The steps are as follows:
Open the php.ini file.
Find the disable_functions directive and add php_uname to its comma-separated list.
For example:
disable_functions = php_uname
Once the function is disabled, any code that tries to call php_uname() fails with an error instead of returning system details, so the information is not leaked.
Suhosin is a security extension for PHP. With Suhosin, sensitive PHP functions can be restricted, including php_uname().
After Suhosin is installed and enabled, you can disable certain dangerous PHP functions or restrict certain operations through configuration files. For example, in the suhosin.ini configuration file:
suhosin.executor.func.blacklist = php_uname
In this way, Suhosin will prevent the execution of php_uname() .
If you must use php_uname() for some reason, make sure that ordinary users cannot access its output directly. Instead of presenting it to the user, gate it behind permission checks or write the sensitive information to a log file. For example, the script can control the output so that only administrators or specific users can see this information.
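The following PHP script is an added example, not code from the original article. It first checks whether php_uname() has been removed by disable_functions, and if the function is still callable it shows the output only to an administrator, writing it to a log file for everyone else. The $isAdmin flag and the log path are placeholders for your application's own authorization check and log location.

```php
<?php
// Added example: verify that php_uname() is disabled, and if it is not,
// restrict its output to administrators and log it instead of displaying it.
declare(strict_types=1);

function phpUnameIsDisabled(): bool
{
    // A function listed in disable_functions is removed from the function
    // table, so function_exists() reports false for it. Also check the
    // directive itself, which holds a comma-separated list of names.
    if (!function_exists('php_uname')) {
        return true;
    }
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array('php_uname', $list, true);
}

function systemInfoForUser(bool $isAdmin, string $logFile): string
{
    if (phpUnameIsDisabled()) {
        return 'System information is not available.';
    }
    // Collect only OS name, kernel release and machine type; never send
    // these to a non-privileged user.
    $info = sprintf('%s %s (%s)', php_uname('s'), php_uname('r'), php_uname('m'));
    if ($isAdmin) {
        return $info;
    }
    // Non-administrators get a generic message; the details go to a log
    // file that only administrators should be able to read.
    error_log(date('c') . ' php_uname output withheld from non-admin: ' . $info . PHP_EOL, 3, $logFile);
    return 'System information is restricted to administrators.';
}

// Hypothetical usage: replace $isAdmin with your real session/role check.
$isAdmin = false;
echo systemInfoForUser($isAdmin, __DIR__ . '/sysinfo.log'), PHP_EOL;
```

Make sure the log file itself is outside the web root and readable only by the administrator account, otherwise the leak simply moves to another location.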
To further reduce the risk of leakage, modify the default PHP configuration so that detailed system information is not returned in error output. The following options limit what is exposed:
error_reporting: adjust the error reporting level so that sensitive error messages are not output.
display_errors: disable on-screen error display so that errors are only written to the error log.
display_errors = Off
error_reporting = E_ALL & ~E_NOTICE
In addition to code-level changes, you can harden the server as a whole. Some additional measures:
Update the operating system and PHP version: apply updates regularly so that all known vulnerabilities are fixed.
File and directory permissions: set appropriate permissions so that only authorized users can access sensitive files.
Use a firewall: deploy a firewall to limit external access to the server.
Monitor system activity: review system activity regularly and detect abnormal behavior promptly.
In some cases, PHP functions may interact with external URLs (for example file_get_contents(), curl, etc.), and you need to ensure that the domain names in these URLs are replaced with trusted domain names. Assuming the original URL is http://example.com/sensitive_data, you can avoid leaking the actual domain name by replacing it with m66.net.
For example, the original code:
$url = "http://example.com/sensitive_data";
$response = file_get_contents($url);
After modification:
$url = "http://m66.net/sensitive_data";
$response = file_get_contents($url);