PHP stands for PHP: Hypertext Preprocessor. This kind of idiom is known as a recursive acronym: an acronym that refers to itself in the expression for which it stands. It is widely used in programming, since recursion is one of the common methods used in everyday programming. PHP is an open-source, general-purpose scripting language widely used for web development. Moodle is written entirely in PHP, so to run Moodle we need to install and configure PHP. Like any other software, PHP has potential and real security problems. Because of that, we need to be sure that it is configured properly in order to reduce potential security issues.
To install the PHP that comes with CentOS, execute the following command from the command prompt:
yum install php php-cli php-common php-gd php-mysql php-mbstring php-xml php-xmlrpc php-tidy
This version of PHP is not the latest, so we need even more security. Luckily, there is the Suhosin plugin. Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.
To install the Suhosin extension for CentOS 5 execute the following commands:
cd /etc/yum.repos.d/
wget http://dev.centos.org/centos/5/CentOS-Testing.repo
yum --enablerepo=c5-testing install php-suhosin
With this installation you might have the following issues when running Moodle:
Your options are to either:
Here is the checklist that will improve your PHP security:
This is an important piece of advice since displaying all errors and notices can show valuable system internals to the potential attacker. This setting should be disabled.
display_errors = Off
display_startup_errors=0
expose_php = 0
log_errors=On
error_log = '/var/log/php.log'
allow_url_fopen
allow_url_include
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase
enable_dl
register_globals
php.ini by setting the value of the parameter to Off. For example:
allow_url_fopen = Off
allow_url_include = Off
magic_quotes_gpc = Off
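The checklist above can be verified mechanically. The following shell function is an added example, not part of the original text or of the PHP or Moodle projects: it audits a php.ini file against the directives listed above. The name audit_php_ini, the FAIL/UNSET output format and the sample file are assumptions made for illustration.

```sh
# Added example: audit a php.ini against the checklist on this page.
# audit_php_ini and the FAIL/UNSET output format are assumptions of this sketch.

# directive=expected pairs, taken from the settings listed above
CHECKLIST="display_errors=off display_startup_errors=off expose_php=off log_errors=on"
CHECKLIST="$CHECKLIST allow_url_fopen=off allow_url_include=off magic_quotes_gpc=off"
CHECKLIST="$CHECKLIST magic_quotes_runtime=off magic_quotes_sybase=off enable_dl=off register_globals=off"

# Usage: audit_php_ini /path/to/php.ini ; returns non-zero if anything needs attention
audit_php_ini() {
    awk -v checklist="$CHECKLIST" '
    function norm(v) {   # php.ini accepts several spellings for booleans
        v = tolower(v)
        if (v == "1" || v == "on" || v == "true" || v == "yes") return "on"
        if (v == "0" || v == "off" || v == "false" || v == "no" || v == "none" || v == "") return "off"
        return v
    }
    /^[ \t]*[;#]/ { next }                       # comment lines do not count as settings
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        sub(/[ \t]*;.*/, "", val)                # drop trailing comment (simplification)
        gsub(/^[ \t"'\'']+/, "", val); gsub(/[ \t\r"'\'']+$/, "", val)
        seen[key] = val                          # a later duplicate overrides an earlier one
    }
    END {
        n = split(checklist, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "="); k = kv[1]; want = kv[2]
            if (!(k in seen)) { print "UNSET " k " (want " want ", PHP default applies)"; bad = 1 }
            else if (norm(seen[k]) != want) { print "FAIL  " k " = " seen[k] " (want " want ")"; bad = 1 }
        }
        if (seen["error_log"] == "") { print "UNSET error_log (want a log file path)"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: display_errors left on, allow_url_fopen re-enabled further down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
display_errors = On
log_errors=On
error_log = '/var/log/php.log'
allow_url_fopen = Off
allow_url_fopen = On  ; later line wins
;register_globals = Off
EOF
audit_php_ini "$sample" || true
rm -f "$sample"
```

A directive reported as UNSET falls back to the built-in default of the installed PHP version, so it is worth setting each one explicitly rather than relying on that default.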
CentOS 5 has PHP version 5.1.6. That is quite an old version (released in August 2006) with a lot of bugs and security holes that are well known to attackers. The CentOS team will not update PHP until the upcoming release of CentOS 6, which will have PHP 5.3.1 or more recent. If you require a more recent version of PHP, you will either have to compile it yourself or install Zend Server Community Edition, which is a free, certified version of PHP available for all major operating systems. Visit http://www.zend.com/products/server-ce/ for more information.