PHP configuration

PHP stands for PHP: Hypertext Preprocessor. This kind of name is known as a recursive acronym: an acronym that refers to itself in the expression it stands for. Such names are common in programming, since recursion is one of the everyday techniques of the field. PHP is an open source, general-purpose scripting language widely used for web development. Moodle is written entirely in PHP, so to run Moodle we need to install and configure PHP. Like any other software, PHP has both potential and real security problems, so we need to make sure it is configured properly in order to reduce that exposure.

Installation

To install the PHP that comes with CentOS, execute the following commands from the command prompt:

yum install php php-cli php-common php-gd php-mysql php-mbstring php-xml php-xmlrpc php-tidy

This version of PHP is not the latest, so it needs additional protection. Luckily there is the Suhosin extension. Suhosin is an advanced protection system for PHP installations, designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core.

To install the Suhosin extension for CentOS 5 execute the following commands:

cd /etc/yum.repos.d/
wget http://dev.centos.org/centos/5/CentOS-Testing.repo
yum --enablerepo=c5-testing install php-suhosin

With this installation you might have the following issues when running Moodle:

  • No further patches will be released for CentOS 5
  • No direct upgrade path to Moodle 2.0, since the minimum PHP version required by Moodle 2 is 5.2.8
  • Common Cartridge support will not work, since the version of libxml2 that ships with the distribution is too old

Your options are to either:

  • Wait for the next major release of the OS
  • Manually compile and install a more recent version of PHP
  • Install a precompiled, certified PHP distribution

Here is a checklist that will improve your PHP security:

  1. Disable the display of errors in the web browser (display_errors).

    This is an important piece of advice, since displaying all errors and notices can reveal valuable system internals to a potential attacker. This setting should be disabled:

    display_errors = Off

  2. Disable the display of startup errors:

    display_startup_errors = 0

  3. Disable the exposure of PHP version information in server headers:

    expose_php = 0

  4. Enable error logging. We should always have a log of server activity, so every piece of log information counts. Enable it with these statements:

    log_errors = On
    error_log = '/var/log/php.log'

  5. Features that should be disabled if possible:
    • allow_url_fopen
    • allow_url_include
    • magic_quotes_gpc
    • magic_quotes_runtime
    • magic_quotes_sybase
    • enable_dl
    • register_globals

    We disable an option in php.ini by setting the value of the parameter to Off. For example:

    allow_url_fopen = Off
    allow_url_include = Off
    magic_quotes_gpc = Off
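The checklist above is easy to apply once and then lose track of after a package update or a copy of a stock php.ini. The following Python script is an added example, not code from the book or from the Moodle project: it parses a php.ini file, reports every checklist directive whose value is not the hardened one (including directives that are missing entirely, and values PHP would not treat as a plain boolean), and can rewrite the file with the hardened values. The sample php.ini text is constructed for the demonstration, and the log path is the one the checklist uses.

```python
"""Audit and harden the php.ini directives named in the checklist above.

Added example (not from the book or from Moodle). The sample ini text below is
constructed; the error_log path is the one the checklist prescribes.
"""
import sys

# Hardened truth value for each boolean directive in the checklist.
EXPECTED = {
    "display_errors": False,
    "display_startup_errors": False,
    "expose_php": False,
    "log_errors": True,
    "allow_url_fopen": False,
    "allow_url_include": False,
    "magic_quotes_gpc": False,
    "magic_quotes_runtime": False,
    "magic_quotes_sybase": False,
    "enable_dl": False,
    "register_globals": False,
}
ERROR_LOG_PATH = "/var/log/php.log"  # path from the checklist

# Boolean spellings php.ini accepts (case-insensitive): On/Off, 1/0,
# True/False, Yes/No; an empty value also counts as off.
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def _clean_value(value):
    """Strip surrounding quotes, or a trailing ';' comment, from an ini value."""
    value = value.strip()
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(";", 1)[0].strip()


def parse_ini(text):
    """Return {directive: value} for php.ini text. Later lines override earlier
    ones, as PHP does; comments and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = _clean_value(value)
    return settings


def to_bool(value):
    """Map an ini boolean spelling to True/False; None if it is not a boolean."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def audit(text):
    """Return [(directive, value_found, value_expected)] for every deviation."""
    settings = parse_ini(text)
    findings = []
    for directive, want in EXPECTED.items():
        want_str = "On" if want else "Off"
        if directive not in settings:
            findings.append((directive, "<unset>", want_str))
        elif to_bool(settings[directive]) != want:   # None (e.g. "stderr") also fails
            findings.append((directive, settings[directive], want_str))
    if not settings.get("error_log"):   # unset or empty: nothing would be logged
        findings.append(("error_log", settings.get("error_log", "<unset>"), ERROR_LOG_PATH))
    return findings


def harden(text):
    """Rewrite checklist directives in place and append any that are missing."""
    wanted = {d: ("On" if v else "Off") for d, v in EXPECTED.items()}
    wanted["error_log"] = f'"{ERROR_LOG_PATH}"'
    out, seen = [], set()
    for raw in text.splitlines():
        key, sep, _ = raw.strip().partition("=")
        k = key.strip().lower()
        if sep and not raw.lstrip().startswith(";") and k in wanted:
            out.append(f"{k} = {wanted[k]}")
            seen.add(k)
        else:
            out.append(raw)
    missing = [k for k in wanted if k not in seen]
    if missing:
        out.append("; directives added by the hardening checklist")
        out.extend(f"{k} = {wanted[k]}" for k in missing)
    return "\n".join(out) + "\n"


# Constructed sample, loosely modelled on a permissive stock php.ini.
SAMPLE_INI = """\
[PHP]
; constructed sample for the demonstration
display_errors = On
display_startup_errors = Off
expose_php = On
log_errors = Off
error_log =
allow_url_fopen = On
allow_url_include = Off
magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off
enable_dl = On
register_globals = Off
"""

if __name__ == "__main__":
    # Usage: python audit_php_ini.py [/path/to/php.ini]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for directive, found, expected in audit(text):
        print(f"{directive}: found {found!r}, expected {expected}")
```

Run against a real file it prints one line per deviation; a clean file prints nothing. Unrecognised values are deliberately reported rather than ignored, because a directive set to something like "stderr" is not the "Off" the checklist asks for.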

Note

CentOS 5 has PHP version 5.1.6. That is quite an old version (released in August 2006), with a lot of bugs and security holes that are well known to attackers. The CentOS team will not update PHP until the upcoming release of CentOS 6, which will have PHP 5.3.1 or more recent. If you require a more recent version of PHP, you will either have to compile it yourself or install Zend Server Community Edition, which is a free, certified version of PHP available for all major operating systems. Visit http://www.zend.com/products/server-ce/ for more information.
