A php.ini scanner for best security practices

Overview

Scanner for PHP.ini

Iniscan is a tool that scans a given php.ini file for common security practices and reports the results. Currently it is only for use on the command line and prints a Pass or Fail result for each test.

Installation

Using Composer

composer require psecio/iniscan

The only current dependency is the Symfony console.

Global Composer installation

Additionally, you can install it outside of a project with the global functionality Composer provides. From any directory you can use:

$ ./composer.phar global require psecio/iniscan
$ ~/.composer/vendor/bin/iniscan

Using a single Phar file

First make sure you run composer.phar install

curl -LSs https://box-project.github.io/box2/installer.php | php
php box.phar build

This should result in an iniscan.phar file being created in the root folder. In the examples below, use ./iniscan.phar in place of vendor/bin/iniscan.

Example

vendor/bin/iniscan scan --path=/path/to/php.ini
Results for /private/etc/php.ini:
============
Status | Severity | PHP Version | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    |             | session.use_cookies      | Accepts cookies to manage sessions
PASS   | ERROR    | 4.3.0       | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link

1 passing
2 failure(s)

NOTE: When the scan runs, if it cannot find a setting in the php.ini given, it will use ini_get to pull the current setting (possibly the default).

Command line usage

Iniscan offers a few commands for both checking and showing the contents of your php.ini.

Scan

The scan command is the one you will use most: it runs the rule checks against the given ini file and reports the results. For example:

vendor/bin/iniscan scan --path=/path/to/php.ini

If the path is omitted, iniscan will try to find it based on the current configuration (the output of a "php -i" call). By default, this reports both the pass and fail results of the checks. If you'd like to return only the failures, use the --fail-only option:

vendor/bin/iniscan scan --path=/path/to/php.ini --fail-only

The scan command will return an exit code based on the results:

  • 0: No errors
  • 1: Failures found

Scan Level Threshold

You can request that only rules at or above a severity threshold be scanned:

vendor/bin/iniscan scan --path=/path/to/php.ini --threshold=ERROR

There are 3 levels you can use:

  • WARNING
  • ERROR
  • FATAL (no rules use that level at the moment)

Show

The show command lists out the contents of your php.ini file with a bit of extra formatting.

vendor/bin/iniscan show --path=/path/to/php.ini

List

The list-tests command shows a listing of the current rules being checked and their related php.ini key.

vendor/bin/iniscan list-tests

Output formats

By default iniscan outputs information directly to the console in a human-readable form. You can also specify other output formats that may be easier to parse programmatically (like JSON). Use the --format option to change the output:

vendor/bin/iniscan show --path=/path/to/php.ini --format=json

The list-tests command also supports JSON output:

vendor/bin/iniscan list-tests --path=/path/to/php.ini --format=json

NOTE: Currently, only the scan command supports all of the alternate output formats: console, JSON, XML and HTML.

The HTML output option requires an --output option giving the directory to write the file to:

vendor/bin/iniscan scan --format=html --output=/var/www/output

The result will be written to a file named something like iniscan-output-20131212.html

Contexts

The scanner also supports the concept of "contexts": environments you may be executing the scanner in. For example, in your development environment it may be okay to have display_errors on. In production, however, this is a bad idea. The scanner's default assumes you're using it in prod, so it uses the strictest checks unless you tell it otherwise. To do so, use the --context command line option:

vendor/bin/iniscan show --path=/path/to/php.ini --context=dev

In this case, we've told it we're running in dev, so anything that specifically mentions "prod" isn't executed.

Deprecated reporting

As the scanner runs, it compares each configuration key against a list of deprecated items. If the PHP version is at or later than the version defined in the rules for that item, an error is shown in the output. For example, in the console you'd see:

WARNING: deprecated configuration items found:
-> register_globals
It's recommended that these settings be removed as they will be removed from future PHP versions.

This is default behavior and does not need to be enabled.
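A minimal model of the scan, threshold, context and deprecated-reporting behaviour described in the sections above, written here as an added example and not taken from iniscan itself; its rule set, deprecation list and sample php.ini are constructed:

```php
<?php
// Added example (not iniscan's own code): a minimal model of the scan, threshold,
// context and deprecated-reporting behaviour described above. The rule set,
// deprecation list and sample php.ini are constructed for illustration.
// Constructed sample php.ini contents.
const SAMPLE_INI = <<<'INI'
display_errors = On
expose_php = On
session.use_only_cookies = 1
register_globals = Off
INI;
// Constructed rules: expected value, severity, the context a rule is tied to
// (null = every context) and the PHP version that introduced the setting.
const RULES = [
    ['key' => 'display_errors',           'expect' => '0', 'severity' => 'ERROR',   'context' => 'prod', 'version' => null],
    ['key' => 'expose_php',               'expect' => '0', 'severity' => 'WARNING', 'context' => null,   'version' => null],
    ['key' => 'session.use_only_cookies', 'expect' => '1', 'severity' => 'ERROR',   'context' => null,   'version' => '4.3.0'],
];
// Directive => PHP version that removed it (constructed subset).
const DEPRECATED = ['register_globals' => '5.4.0', 'magic_quotes_gpc' => '5.4.0', 'safe_mode' => '5.4.0'];
const LEVELS = ['WARNING' => 1, 'ERROR' => 2, 'FATAL' => 3];

// Map On/Off style values to "1"/"0" so that "On" and "1" compare equal.
function normalise(string $value): string {
    $v = strtolower(trim($value, " \t\"'"));
    if (in_array($v, ['on', 'true', 'yes'], true)) return '1';
    if (in_array($v, ['off', 'false', 'no', 'none', ''], true)) return '0';
    return $v;
}

// Evaluate the rules, honouring --context, --threshold and the per-rule PHP version.
function scan(array $ini, string $phpVersion, string $context, string $threshold): array {
    $results = [];
    foreach (RULES as $rule) {
        if ($rule['context'] !== null && $rule['context'] !== $context) continue;   // belongs to another context
        if ($rule['version'] !== null && version_compare($phpVersion, $rule['version'], '<')) continue; // setting not in this PHP yet
        if (LEVELS[$rule['severity']] < LEVELS[$threshold]) continue;                // below the requested severity
        // Key absent from the file: fall back to the running interpreter's value, as the NOTE above describes.
        $actual = array_key_exists($rule['key'], $ini) ? (string) $ini[$rule['key']] : (string) ini_get($rule['key']);
        $results[$rule['key']] = normalise($actual) === $rule['expect'] ? 'PASS' : 'FAIL';
    }
    return $results;
}

// Report a deprecated directive only when it is actually present in the file
// and the scanned PHP version is at or past the version that removed it.
function deprecatedDirectives(array $ini, string $phpVersion): array {
    $found = [];
    foreach (DEPRECATED as $key => $removedIn) {
        if (array_key_exists($key, $ini) && version_compare($phpVersion, $removedIn, '>=')) $found[] = $key;
    }
    return $found;
}

$ini = parse_ini_string(SAMPLE_INI, false, INI_SCANNER_RAW);   // raw mode keeps values as written
$results = scan($ini, '7.4.29', 'prod', 'WARNING');             // try 'dev' or 'ERROR' to see rules skipped
foreach ($results as $key => $status) printf("%-4s | %s\n", $status, $key);
foreach (deprecatedDirectives($ini, '7.4.29') as $key) echo "WARNING: deprecated directive present: -> $key\n";
exit(in_array('FAIL', $results, true) ? 1 : 0);                 // 1 = failures found, 0 = no errors
```

With the constructed input this reports FAIL for display_errors and expose_php, PASS for session.use_only_cookies, lists register_globals as deprecated, and exits 1.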

@author Chris Cornutt [email protected]

Comments
  • PHP 5.6 CA file/path

    This is added for the new changes to PHP 5.6 (only affects version >= 5.6 but may be backported to PHP 5.5 later) for TLS Peer verification:

    "Global CA defaults may be specified via new openssl.cafile and openssl.capath php.ini directives" (https://wiki.php.net/rfc/tls-peer-verification, https://wiki.php.net/rfc/improved-tls-defaults)

    Slightly different from a straight php.ini configuration setting though as, if php.ini does not have a setting specified, it defaults to the settings specified in the installed version of openssl.

    Tests added as well (and small fixes to other tests).

    Be aware that PHP is still in 5.6.0-alpha3 release at the moment so this functionality may change before final release.

    opened by xsist10 12
  • [InvalidArgumentException] Unknown path register_globals

    This is what I'm getting when running it against my homebrew php5.5 standard php.ini

    [InvalidArgumentException] Unknown path register_globals

    Any ideas?

    bug 
    opened by rdohms 10
  • The configuration file could not be found

    I tried the following and it gives me the below error

    curl -LSs http://box-project.org/installer.php | php php box.phar build

    [RuntimeException]
    The configuration file could not be found.

    build [-c|--configuration="..."]

    I also tried the following but looks like configuration is some kind of json file php box.phar build --configuration="/etc/php5/cli/php.ini"

    opened by awebdeveloper 9
  • PHP version check

    How do you feel about adding a list of PHP versions and their vulnerability states (can be used to warn the user if his PHP version needs to be updated)? Would need to either store a resource file (would become outdated quickly) with this data or use an external source to pull a fresh list periodically.

    opened by xsist10 9
  • False warning about "deprecated configuration items"

    I'm using PHP 5.4(.21) and none of the following 5 directives that iniscan complains about exist in my php.ini:

    WARNING: deprecated configuration items found:
    -> register_globals
    -> magic_quotes_gpc
    -> magic_quotes_runtime
    -> safe_mode
    -> register_long_arrays
    
    opened by steffenweber 7
  • Add crowd-sourcing of rulesets

    Consider creating a website or other such interface to allow user submissions of rulesets for inclusion in the scanner, and then crowd-source their validity or correctness (via voting or other such mechanism).

    opened by sbarre 6
  • Problem installing on PHP 7 (ocramius/instantiator dependency)

    Hi,

    There is problem when installing using composer global,

    • ocramius/instantiator 1.1.2 requires php ~5.3 -> your PHP version (7.0.3) or "config.platform.php" value does not satisfy that requirement.

    because of out of date dependency ocramius/instantiator, which is apparently abandoned:

    This package is abandoned and no longer maintained. The author suggests using the doctrine/instantiator package instead.

    BR, Peter

    opened by wasilak 5
  • Error for deprecated directives like "magic_quotes_gpc"

    I'm using the latest version of iniscan and PHP 5.5. My php.ini file does not contain any deprecated directives but iniscan reports errors for them (I've filed a similar issue last year: https://github.com/psecio/iniscan/issues/47).

    $ vendor/bin/iniscan scan
    == Executing INI Scan [08.11.2014 07:11:55] ==
    
    Results for /etc/php/cli-php5.5/php.ini:
    ============
    Status | Severity | PHP Version | Key                      | Description
    ----------------------------------------------------------------------
    ...
    FAIL   | ERROR    |             | magic_quotes_gpc         | Magic quotes automatically adds quotes to incoming data ('Off' recommended)
    FAIL   | ERROR    |             | magic_quotes_runtime     | Magic quotes should be disabled at runtime in addition to being off for incoming data
    ...
    FAIL   | ERROR    |             | safe_mode                | It's not actually 'safe' ('Off' recommended)
    ...
    
    19 passing
    5 failure(s) and 13 warnings
    

    Where in the source code does iniscan check if a configuration directive exists in php.ini?

    opened by steffenweber 5
  • Add check for CVE-2013-1635 (only for 5.3.22 and 5.4.x before 5.4.13)

    ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

    validate that if open_basedir is in effect that the soap.wsdl_cache_dir is inside it

    http://www.cvedetails.com/cve/CVE-2013-1635/

    rules 
    opened by enygma 5
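The containment check this issue asks for, written as an added example that is not iniscan's code; the open_basedir and soap.wsdl_cache_dir values below are constructed, and the check is purely lexical so it runs without touching the filesystem:

```php
<?php
// Added example (not iniscan's own code): verify that soap.wsdl_cache_dir lies
// inside open_basedir, the rule proposed for CVE-2013-1635. Paths are assumed
// to be absolute; the sample directive values are constructed.

// Collapse ".", ".." and duplicate slashes without calling realpath(), so the
// check works even when the directories do not exist on the scanning host.
function canonical(string $path): string {
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// open_basedir holds one or more entries separated by PATH_SEPARATOR. PHP treats
// an entry as a bare prefix unless it ends in "/", so "/var/www" would also admit
// "/var/www_evil"; this check is the strict form and only matches whole
// directory components.
function wsdlCacheInsideBasedir(string $openBasedir, string $cacheDir): bool {
    if (trim($openBasedir) === '') return true;          // open_basedir not in effect: nothing to enforce
    $cache = canonical($cacheDir);
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $base = canonical($entry);
        if ($cache === $base || strpos($cache, rtrim($base, '/') . '/') === 0) return true;
    }
    return false;
}

// Constructed sample directive values: [open_basedir, soap.wsdl_cache_dir].
$cases = [
    ['/var/www/app', '/var/www/app/cache/wsdl'],         // inside: PASS
    ['/var/www/app', '/var/www/app/../../../tmp'],       // traversal escapes the base: FAIL
    ['/var/www/app', '/var/www/app_evil/wsdl'],          // bare-prefix lookalike: FAIL
    ['/var/www/app:/tmp', '/tmp/wsdl'],                  // matches the second entry: PASS
];
foreach ($cases as [$base, $cache]) {
    $status = wsdlCacheInsideBasedir($base, $cache) ? 'PASS' : 'FAIL';
    printf("%s | open_basedir=%s | soap.wsdl_cache_dir=%s\n", $status, $base, $cache);
}
```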
  • Option for a non-dynamic HTML output filename / make html filename configurable

    • Adding the possibility to define a filename for generated HTML files via the '--output' argument. If it contains a ".htm*" extension, the given output filename will be used. This way it can be statically referenced, e.g. in CI.

    • Create the defined output folder for HTML format if it doesn't exist.

    See https://github.com/psecio/iniscan/issues/105

    opened by derFunk 4
  • Added rules to check if Xdebug is enabled or not

    To fix #69 I just added two rules to check if xdebug.default_enable and xdebug.remote_enable are disabled.

    There are more things that can be disabled, but, as they concern performance instead of security I did not add them, if it's ok I can add them, one example would be xdebug.profiler_enable.

    opened by lombartec 4
  • session.cookie_domain

    If session.cookie_domain = is empty it triggers a fail and the description is:

    It is recommended that you set the default domain for cookies.

    AFAIK if none is provided it will use the current hostname (https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-domain).

    But it seems that cookie_domain is used when you have multiple sub-domains so that the cookie can be shared among several sub-domains http://www.freekb.net/Article?id=806#Multiple%20domains

    Multiple domains

    By default, PHP is configured so that sessions are unique to a domain. For example, if a session is started on www.example.com, the session would not be valid for sso.example.com, and vice versa. If you have two or more domains, and you want a session created on one domain to be valid for another domain, in your php.ini file, set the session.cookie_domain directive to exclude the domain prefix (www, sso, et cetera).

    session.cookie_domain = ".freekb.net"

    So enabling this behavior makes the application less secure, as it increases the attack surface and increases the risk of session stealing because of possible sub-domain takeovers https://programmierfrage.com/items/how-can-php-session-cookie-domain-be-secure

    IMO the check should be the exact opposite

    opened by noraj 0
  • PHP 7.4 compatibility: warning and error

    Every scan command ends with:

    PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /tmp/iniscan/vendor/psecio/iniscan/src/Psecio/Iniscan/Command/ScanCommand/Output/Console.php on line 101
    Script iniscan handling the __exec_command event returned with error code 1
    

    For the warning, it doesn't seem that count() is used here:

    https://github.com/psecio/iniscan/blob/880dede38298adb5a23171e304fe03410260b7e3/src/Psecio/Iniscan/Command/ScanCommand/Output/Console.php#L101

    it may be a cascading from https://github.com/psecio/iniscan/blob/880dede38298adb5a23171e304fe03410260b7e3/src/Psecio/Iniscan/Operation.php#L73

    or

    https://github.com/psecio/iniscan/blob/880dede38298adb5a23171e304fe03410260b7e3/src/Psecio/Iniscan/Rule.php#L151

    https://www.php.net/manual/en/function.count.php

    For the error (2nd line) however, it comes only when using composer, eg. composer exec iniscan scan -- --path=/path/to/php.ini instead of vendor/bin/iniscan scan --path=/path/to/php.ini

    opened by noraj 0
  • Check version for session.hash_function

    I have a failed check for session.hash_function (no value) but it's PHP 7.4.29 and session.hash_function was removed since PHP 7.1.0. https://www.php.net/manual/en/session.configuration.php#ini.session.hash-function

    Adding --php 7.4.29 doesn't change a thing. There is no version check for this rule.

    https://github.com/psecio/iniscan/blob/880dede38298adb5a23171e304fe03410260b7e3/src/Psecio/Iniscan/Rule/CheckSessionHashFunction.php

    opened by noraj 0
  • Feature request - scan a folder where all .ini files are placed

    We usually have several .ini files all placed in a unique folder that is configured in php. How can we scan all of them at once with the same order in which they are processed by PHP?

    opened by scollovati 1
  • Activating Open Collective

    Hi, I'm making updates for Open Collective. Either you or a supporter signed this repo up for Open Collective. This pull request adds backers and sponsors from your Open Collective https://opencollective.com/iniscan ❤️

    It adds two badges at the top to show the latest number of backers and sponsors. It also adds placeholders so that the avatar/logo of new backers/sponsors can automatically be shown without having to update your README.md. [more info]. See how it looks on this repo. You can also add a "Donate" button to your website and automatically show your backers and sponsors there with our widgets. Have a look here: https://opencollective.com/widgets

    P.S: As with any pull request, feel free to comment or suggest changes. The only thing "required" are the placeholders on the README because we believe it's important to acknowledge the people in your community that are contributing (financially or with code!).

    Thank you for your great contribution to the open source community. You are awesome! 🙌 And welcome to the open collective community! 😊

    Come chat with us in the #opensource channel on https://slack.opencollective.com - great place to ask questions and share best practices with other open source sustainers!

    opened by monkeywithacupcake 0
Owner
psec.io