Security Information About PHP

PhpSecInfo Version 0.2.1; build 20070406

CGI

Test Result
force_redirect
Warning
force_redirect is disabled. In most cases, this is a serious security vulnerability. Unless you are absolutely sure this is not needed, enable this setting
Current Value: 0
Recommended Value: 1

Core

Test Result
allow_url_fopen
Warning
allow_url_fopen is enabled. This could be a serious security risk. You should disable allow_url_fopen and consider using the PHP cURL functions instead.
Current Value: 1
Recommended Value: 0
allow_url_include
Pass
allow_url_include is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
display_errors
Pass
display_errors is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
expose_php
Notice
expose_php is enabled. This adds the PHP "signature" to the web server header, including the PHP version number. This could attract attackers looking for vulnerable versions of PHP
Current Value: 1
Recommended Value: 0
file_uploads
Notice
file_uploads are enabled. If you do not require file upload capability, consider disabling them.
Current Value: 1
Recommended Value: 0
magic_quotes_gpc
Pass
magic_quotes_gpc is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
memory_limit
Notice
memory_limit is set to a very high value. Are you sure your apps require this much memory? If not, lower the limit, as certain attacks or poor programming practices can lead to exhaustion of server resources. It is recommended that you set this to a realistic value (8M for example) from which it can be expanded as required.
Current Value: 134217728
Recommended Value: 8388608
open_basedir
Notice
open_basedir is disabled. When this is enabled, only files that are in the given directory/directories and their subdirectories can be read by PHP scripts. You should consider turning this on. Keep in mind that other web applications not written in PHP will not be restricted by this setting.
Current Value: 0
Recommended Value: 1
post_max_size
Notice
post_max_size is not enabled, or is set to a high value. Allowing a large value may open up your server to denial-of-service attacks
Current Value: 8388608
Recommended Value: 262144
register_globals
Pass
register_globals is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
upload_max_filesize
Notice
upload_max_filesize is not enabled, or is set to a high value. Are you sure your apps require uploading files of this size? If not, lower the limit, as large file uploads can impact server performance
Current Value: 2097152
Recommended Value: 262144

Curl

Test Result
file_support
Pass
You are running PHP 4.4.4 or higher, or PHP 5.1.6 or higher. These versions fix the security hole present in the cURL functions that allow it to bypass safe_mode and open_basedir restrictions.
Current Value: 5.3.28
Recommended Value: 5.1.6+ or 4.4.4+

Session

Test Result
use_trans_sid
Pass
use_trans_sid is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0

Tests Not Run

Test Result
Core::group_id
Not Run
This test will not run on Windows OSes
Core::upload_tmp_dir
Not Run
Test not run -- currently disabled on Windows OSes
Core::user_id
Not Run
This test will not run on Windows OSes
Session::save_path
Not Run
Test not run -- currently disabled on Windows OSes

Test Results Summary

Test Result
Notice
6 out of 14 (42.86%)
Pass
6 out of 14 (42.86%)
Warning
2 out of 14 (14.29%)