A php.ini scanner for best security practices

Overview

Scanner for PHP.ini


Iniscan is a tool designed to scan a given php.ini file for common security practices and report the results. Currently it is only for use on the command line; it reports a Pass or Fail result for each test to the display.

Installation

Using Composer

composer require psecio/iniscan

The only current dependency is the Symfony console.

Global Composer installation

Additionally, you can install it outside of a project with the global functionality Composer provides. From any directory you can use:

$ ./composer.phar global require psecio/iniscan
$ ~/.composer/vendor/bin/iniscan

Using a single Phar file

First make sure you run composer.phar install

curl -LSs https://box-project.github.io/box2/installer.php | php
php box.phar build

This should result in an iniscan.phar file being created in the root folder. In the examples, use ./iniscan.phar in place of vendor/bin/iniscan.

Example

vendor/bin/iniscan scan --path=/path/to/php.ini
Results for /private/etc/php.ini:
============
Status | Severity | PHP Version | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    |             | session.use_cookies      | Accepts cookies to manage sessions
PASS   | ERROR    | 4.3.0       | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link

1 passing
2 failure(s)

NOTE: When the scan runs, if it cannot find a setting in the php.ini given, it will use ini_get to pull the current setting (possibly the default).

Command line usage

Iniscan offers a few commands for both checking and showing the contents of your php.ini.

Scan

The scan command will be the most used - it runs the rules checks against the given ini file and reports back the results. For example:

vendor/bin/iniscan scan --path=/path/to/php.ini

If the path is omitted, iniscan will try to find it based on the current configuration (a "php -i" call). By default, this reports both the pass and fail results of the checks. If you'd like to return only the failures, use the fail-only argument:

vendor/bin/iniscan scan --path=/path/to/php.ini --fail-only

The scan command will return an exit code based on the results:

  • 0: No errors
  • 1: Failures found

Scan Level Threshold

You can request that only rules at or above a severity threshold be checked:

vendor/bin/iniscan scan --path=/path/to/php.ini --threshold=ERROR

There are 3 levels you can use:

  • WARNING
  • ERROR
  • FATAL (no rule uses this level at the moment)

Show

The show command lists out the contents of your php.ini file with a bit of extra formatting.

vendor/bin/iniscan show --path=/path/to/php.ini

List

The list-tests command shows a listing of the current rules being checked and their related php.ini key.

vendor/bin/iniscan list-tests

Output formats

By default iniscan outputs information directly to the console in a human-readable form. You can also specify other output formats that may be easier to parse programmatically (such as JSON). Use the --format option to change the output:

vendor/bin/iniscan show --path=/path/to/php.ini --format=json

The list-tests command also supports JSON output:

vendor/bin/iniscan list-tests --path=/path/to/php.ini --format=json

NOTE: Currently, only the scan command supports alternate output formats - console, JSON, XML and HTML.

The HTML output option requires an --output option naming the directory to write the file to:

vendor/bin/iniscan scan --format=html --output=/var/www/output

The result will be written to a file named something like iniscan-output-20131212.html.

Contexts

The scanner also supports the concept of "contexts": the environments you may be executing the scanner in. For example, in your development environment it may be acceptable to have display_errors on; in production, however, this is a bad idea. The scanner's default assumes you are running in prod, so it uses the strictest checks unless you tell it otherwise. To do so, use the context command line option:

vendor/bin/iniscan show --path=/path/to/php.ini --context=dev

In this case, we've told it we're running in dev, so anything that specifically mentions "prod" isn't executed.

Deprecated reporting

As the scanner runs, it compares each configuration key against a list of deprecated items. If the running PHP version is at or later than the version defined in the rules, a warning is shown in the output. For example, in the console you'd see:

WARNING: deprecated configuration items found:
-> register_globals
It's recommended that these settings be removed as they will be removed from future PHP versions.

This is default behavior and does not need to be enabled.
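As an added example that is not part of iniscan or its README, the following Python sketch shows how the pieces described above fit together: rules carrying a severity, the --threshold and --context filters, --fail-only, the 0/1 exit code, and the deprecated-directive report keyed on the PHP version. The rules table, the sample php.ini text and the deprecation table are constructed for the example; the boolean normalisation accepts the spellings PHP's ini parser treats as true (On, 1, yes, true) and treats Off, 0 and an empty value as false, and the deprecation check only reports directives actually present in the file.

```python
"""Added illustration (not iniscan's own code): a minimal php.ini rules scanner
showing severity thresholds, contexts, value normalisation, deprecated-key
reporting and the exit code. Rules, sample ini and deprecation table are constructed."""
from typing import Dict, List, Optional

SEVERITIES = {"WARNING": 1, "ERROR": 2, "FATAL": 3}

# Constructed sample php.ini. The commented-out register_globals line must not
# count as a setting; the quoted and unquoted value spellings are ones PHP accepts.
SAMPLE_INI = """
[PHP]
; register_globals = On
display_errors = On
allow_url_fopen = "0"
session.use_only_cookies = 1
session.cookie_httponly = ""
expose_php = Off
safe_mode = Off
"""

# Constructed rules: key, boolean value that passes, severity, and the context the
# rule applies to (None = every context, "prod" = production only).
RULES = [
    {"key": "display_errors", "expected": False, "severity": "ERROR", "context": "prod",
     "desc": "display_errors leaks stack traces to clients"},
    {"key": "allow_url_fopen", "expected": False, "severity": "ERROR", "context": None,
     "desc": "allow_url_fopen permits remote file resources"},
    {"key": "session.use_only_cookies", "expected": True, "severity": "ERROR", "context": None,
     "desc": "session ids must not be accepted from URLs"},
    {"key": "session.cookie_httponly", "expected": True, "severity": "ERROR", "context": None,
     "desc": "session cookie should not be readable by script"},
    {"key": "expose_php", "expected": False, "severity": "WARNING", "context": None,
     "desc": "expose_php advertises the PHP version"},
]

# Constructed deprecation table: directive -> PHP version tuple in which it was removed.
DEPRECATED = {"register_globals": (5, 4, 0), "magic_quotes_gpc": (5, 4, 0), "safe_mode": (5, 4, 0)}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Parse key = value lines, skipping comments and [section] headers, stripping quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.split(";", 1)[0].strip()          # drop trailing comment
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                         # strip surrounding quotes
        settings[key.strip()] = value
    return settings


def ini_bool(value: Optional[str]) -> bool:
    """Normalise the spellings PHP treats as true; "", "0", "Off", "no", "false", None are false."""
    if value is None:
        return False
    return value.strip().lower() in {"1", "on", "yes", "true"}


def scan(ini: Dict[str, str], threshold: str = "WARNING", context: str = "prod",
         fail_only: bool = False) -> List[dict]:
    """Apply RULES to parsed settings, honouring the threshold, context and fail-only filters."""
    results = []
    for rule in RULES:
        if SEVERITIES[rule["severity"]] < SEVERITIES[threshold]:
            continue  # below the requested threshold
        if rule["context"] is not None and rule["context"] != context:
            continue  # rule is specific to another context
        actual = ini_bool(ini.get(rule["key"]))  # missing key is treated as off
        status = "PASS" if actual == rule["expected"] else "FAIL"
        if fail_only and status == "PASS":
            continue
        results.append({"status": status, "severity": rule["severity"],
                        "key": rule["key"], "desc": rule["desc"]})
    return results


def deprecated_present(ini: Dict[str, str], php_version: tuple) -> List[str]:
    """Report deprecated directives only if actually set and PHP is at/after their removal."""
    return sorted(k for k, removed_in in DEPRECATED.items() if k in ini and php_version >= removed_in)


def exit_code(results: List[dict]) -> int:
    """0 when nothing failed, 1 when any rule failed."""
    return 1 if any(r["status"] == "FAIL" for r in results) else 0


if __name__ == "__main__":
    ini = parse_php_ini(SAMPLE_INI)
    for r in scan(ini):
        print(f"{r['status']:<4} | {r['severity']:<7} | {r['key']:<24} | {r['desc']}")
    print("deprecated:", deprecated_present(ini, (5, 5, 0)))
    raise SystemExit(exit_code(scan(ini)))
```

Running the script with the sample file fails display_errors and session.cookie_httponly and exits 1; passing context="dev" drops the prod-only display_errors rule, and passing threshold="ERROR" drops the WARNING-level expose_php rule.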

@author Chris Cornutt [email protected]


Issues
  • PHP 5.6 CA file/path

    This is added for the new changes to PHP 5.6 (only affects version >= 5.6 but may be backported to PHP 5.5 later) for TLS Peer verification:

    "Global CA defaults may be specified via new openssl.cafile and openssl.capath php.ini directives" (https://wiki.php.net/rfc/tls-peer-verification, https://wiki.php.net/rfc/improved-tls-defaults)

    Slightly different from a straight php.ini configuration setting though as, if php.ini does not have a setting specified, it defaults to the settings specified in the installed version of openssl.

    Tests added as well (and small fixes to other tests).

    Be aware that PHP is still in 5.6.0-alpha3 release at the moment so this functionality may change before final release.

    opened by xsist10 12
  • [InvalidArgumentException] Unknown path register_globals

    This is what I'm getting when running it against my Homebrew PHP 5.5 standard php.ini:

    [InvalidArgumentException] Unknown path register_globals

    Any ideas?

    bug 
    opened by rdohms 10
  • The configuration file could not be found

    I tried the following and it gives me the error below:

    curl -LSs http://box-project.org/installer.php | php
    php box.phar build

    [RuntimeException]
    The configuration file could not be found.

    build [-c|--configuration="..."]

    I also tried the following, but it looks like the configuration is some kind of JSON file:

    php box.phar build --configuration="/etc/php5/cli/php.ini"

    opened by awebdeveloper 9
  • Mark session.save_path permissions check as N/A if running on Windows

    The fileperms PHP command does not work correctly on Windows (always returns 777), so the check should be marked as not applicable.

    opened by jkrehm 9
  • PHP version check

    How do you feel about adding a list of PHP versions and their vulnerability states (can be used to warn the user if his PHP version needs to be updated)? Would need to either store a resource file (would become outdated quickly) with this data or use an external source to pull a fresh list periodically.

    opened by xsist10 9
  • False warning about "deprecated configuration items"

    I'm using PHP 5.4(.21) and none of the following 5 directives that iniscan complains about exist in my php.ini:

    WARNING: deprecated configuration items found:
    -> register_globals
    -> magic_quotes_gpc
    -> magic_quotes_runtime
    -> safe_mode
    -> register_long_arrays
    
    opened by steffenweber 7
  • Add crowd-sourcing of rulesets

    Consider creating a website or other such interface to allow user submissions of rulesets for inclusion in the scanner, and then crowd-source their validity or correctness (via voting or other such mechanism).

    opened by sbarre 6
  • Add check for CVE-2013-1635 (only for 5.3.22 and 5.4.x before 5.4.13)

    ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

    Validate that, if open_basedir is in effect, soap.wsdl_cache_dir is inside it.

    http://www.cvedetails.com/cve/CVE-2013-1635/

    rules 
    opened by enygma 5
  • Error for deprecated directives like "magic_quotes_gpc"

    I'm using the latest version of iniscan and PHP 5.5. My php.ini file does not contain any deprecated directives but iniscan reports errors for them (I've filed a similar issue last year: https://github.com/psecio/iniscan/issues/47).

    $ vendor/bin/iniscan scan
    == Executing INI Scan [08.11.2014 07:11:55] ==
    
    Results for /etc/php/cli-php5.5/php.ini:
    ============
    Status | Severity | PHP Version | Key                      | Description
    ----------------------------------------------------------------------
    ...
    FAIL   | ERROR    |             | magic_quotes_gpc         | Magic quotes automatically adds quotes to incoming data ('Off' recommended)
    FAIL   | ERROR    |             | magic_quotes_runtime     | Magic quotes should be disabled at runtime in addition to being off for incoming data
    ...
    FAIL   | ERROR    |             | safe_mode                | It's not actually 'safe' ('Off' recommended)
    ...
    
    19 passing
    5 failure(s) and 13 warnings
    

    Where in the source code does iniscan check if a configuration directive exists in php.ini?

    opened by steffenweber 5
  • Problem installing on PHP 7 (ocramius/instantiator dependency)

    Hi,

    There is a problem when installing using composer global:

    • ocramius/instantiator 1.1.2 requires php ~5.3 -> your PHP version (7.0.3) or "config.platform.php" value does not satisfy that requirement.

    because of the out-of-date dependency ocramius/instantiator, which is apparently abandoned:

    This package is abandoned and no longer maintained. The author suggests using the doctrine/instantiator package instead.

    BR, Peter

    opened by wasilak 5
  • Symfony console ^5.0 compatibility.

    opened by eudora-fabia 0
  • Activating Open Collective

    Hi, I'm making updates for Open Collective. Either you or a supporter signed this repo up for Open Collective. This pull request adds backers and sponsors from your Open Collective https://opencollective.com/iniscan ❤️

    It adds two badges at the top to show the latest number of backers and sponsors. It also adds placeholders so that the avatar/logo of new backers/sponsors can automatically be shown without having to update your README.md. [more info]. See how it looks on this repo. You can also add a "Donate" button to your website and automatically show your backers and sponsors there with our widgets. Have a look here: https://opencollective.com/widgets

    P.S: As with any pull request, feel free to comment or suggest changes. The only thing "required" are the placeholders on the README because we believe it's important to acknowledge the people in your community that are contributing (financially or with code!).

    Thank you for your great contribution to the open source community. You are awesome! 🙌 And welcome to the open collective community! 😊

    Come chat with us in the #opensource channel on https://slack.opencollective.com - great place to ask questions and share best practices with other open source sustainers!

    opened by monkeywithacupcake 0
  • Fix show command for PHP >= 7.0.0

    • Implemented the methods showIni and showSection;
    • The showIni can display data if it's empty, an array or only a value;
    • It's important to note that this code relies on the process_sections argument of the parse_ini_file function, and this processing is somewhat weak, because it depends on the existence of '[SECTION_NAME]' and 'section_name.' is not interpreted as a section;
    opened by spelcaster 1
  • Fix false positive in soap.wsdl_cache_dir test

    • We're now testing if the string is exactly '/tmp' instead of checking if there's any '/tmp' in it;
    opened by spelcaster 1
  • Adding a JUnit XML output format.

    This adds a JUnit XML output which can be integrated into CI systems like Jenkins, among certainly other use cases.

    Use it with --format=junit

    Before merging, check https://github.com/psecio/iniscan/issues/104 to ensure that generated JUnit XMLs will not be totally useless because of false positives in PHP 7/7.1 :)

    opened by derFunk 0
  • JUnit XML output format for CI integration

    Hi,

    CI systems like Jenkins can publish JUnit XML results out of the box. It would be great if we could have an exporter for that format.

    For a JUnit XML format specification see here: https://github.com/windyroad/JUnit-Schema.

    Example how php-cs-fixer exports to JUnit format: https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/master/src/Report/JunitReporter.php

    opened by derFunk 2
  • soap.wsdl_cache_dir: False positive (directory name /tmp[...])

    When using a directory different from /tmp whose name starts with tmp, iniscan issues a false positive:

    [...]
    soap.wsdl_cache_dir="/temp-php-wsdl"
    [...]
    

    Without the directory present:

    [...]
    FAIL   | WARNING  |             |               | soap.wsdl_cache_dir           | The SOAP WSDL cache directory did not resolve to a valid directory
    [...]
    

    With the directory present:

    [...]
    FAIL   | WARNING  |             |               | soap.wsdl_cache_dir           | The SOAP WSDL cache directory is inside of "/tmp/" which allows local users to conduct WSDL injection attacks (CVE-2013-6501)
    [...]
    

    Using a directory whose name does not start with /tmp[...]:

    [...]
    soap.wsdl_cache_dir="/temp-php-wsdl"
    [...]
    

    With the directory ensured to be present, iniscan then passes:

    [...]
    PASS   | WARNING  |             |               | soap.wsdl_cache_dir           | Security checks for CVE-2013-1635 and CVE-2013-6501
    [...]
    
    Hacktoberfest 
    opened by strarsis 1
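The two soap.wsdl_cache_dir issues above (the CVE-2013-1635 open_basedir containment check, and the "/tmp" prefix-match false positive) come down to one question: is one path lexically inside another, as a whole path component? As an added example that is neither iniscan's code nor the fix merged for the issue, the following Python check answers that question without touching the filesystem. The paths used are constructed; `SHARED_TMP` and the function names are this example's own.

```python
"""Added illustration (not iniscan's own code): a lexical path-containment check for
soap.wsdl_cache_dir that does not mistake "/temp-php-wsdl" for "/tmp", and that
also tests whether the cache dir lies inside open_basedir. Paths are constructed;
nothing here touches the filesystem."""
import os
from typing import List, Optional

SHARED_TMP = "/tmp"  # the world-writable directory the WSDL-cache warning is about


def _normalise(path: str) -> str:
    # Collapse ".", "..", duplicate and trailing slashes. os.path.normpath is purely
    # lexical, so a path that does not exist yet can still be checked.
    return os.path.normpath(path)


def is_within(path: str, base: str) -> bool:
    """True if `path` equals `base` or lies beneath it as a whole path component.

    A plain prefix test (path.startswith("/tmp")) is the bug: it matches
    "/tmpfoo" and "/temp..." style look-alikes. Comparing against base + "/"
    restricts the match to real sub-paths."""
    p, b = _normalise(path), _normalise(base)
    return p == b or p.startswith(b.rstrip(os.sep) + os.sep)


def check_wsdl_cache_dir(cache_dir: str, open_basedir: Optional[str] = None) -> List[str]:
    """Return a list of finding strings for the setting; an empty list means it passes."""
    findings = []
    if is_within(cache_dir, SHARED_TMP):
        findings.append("cache dir is inside the shared %s directory" % SHARED_TMP)
    if open_basedir:
        # open_basedir is a PATH_SEPARATOR-separated list of allowed roots.
        roots = [r for r in open_basedir.split(os.pathsep) if r]
        if not any(is_within(cache_dir, r) for r in roots):
            findings.append("cache dir is outside open_basedir (%s)" % open_basedir)
    return findings


if __name__ == "__main__":
    for cache, basedir in [("/temp-php-wsdl", None), ("/tmp/wsdl", None),
                           ("/var/cache/php/wsdl", "/var/www:/var/cache/php"),
                           ("/var/cache/php/wsdl", "/var/www")]:
        status = "PASS" if not check_wsdl_cache_dir(cache, basedir) else "FAIL"
        print(status, cache, basedir, check_wsdl_cache_dir(cache, basedir))
```

The separator handling assumes a POSIX host (os.sep is "/" and os.pathsep is ":"); on Windows PHP uses ";" in open_basedir, which os.pathsep also gives there, but the "/tmp" check itself is only meaningful on POSIX.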
  • Add security keyword

    opened by theofidry 0
  • incorrect results / false positives

    I guess there are some incorrect results. I use this php.ini and PHP 7.0 with iniscan version 3.6.4.

    This is the output:

    Status | Severity | PHP Version | Current Value | Key                           | Description
    ------------------------------------------------------------------------------------------
    FAIL   | ERROR    | 5.2.0       | 1             | session.cookie_httponly       | Setting session cookies to 'http only' makes them only readable by the browser
    FAIL   | ERROR    | 4.0.4       | 1             | session.cookie_secure         | Cookie secure specifies whether cookies should only be sent over secure connections.
    FAIL   | WARNING  | 5.5.2       | 1             | session.use_strict_mode       | Strict mode prevents uninitialized session IDs in the built-in session handling.
    FAIL   | ERROR    | 4.0.3       | 0             | allow_url_fopen               | Do not allow the opening of remote file resources ('Off' recommended)
    

    As you can read in the php docs the current session settings are secure. allow_url_fopen is also disabled. Or is the column Current value the recommended value?

    It seems the determination of default values is incorrect, because the value of session.cookie_httponly is "". Same for other values.

    Do you check the values 1, 0, Off, On, "1", "0" or "" for specific settings?

    Hacktoberfest 
    opened by sandrokeil 8
  • Invalid argument supplied for foreach() by running iniscan show

    I get multiple PHP warnings if I run iniscan show. I use this php.ini and PHP 7.0 with iniscan version 3.6.4.

    Current PHP.ini settings from /usr/local/etc/php/php.ini
    ##########
    :: date.timezone
    
    Warning: Invalid argument supplied for foreach() in /app/vendor/psecio/iniscan/src/Psecio/Iniscan/Command/ShowCommand.php on line 53
    -----------------
    
    :: memory_limit
    
    Warning: Invalid argument supplied for foreach() in /app/vendor/psecio/iniscan/src/Psecio/Iniscan/Command/ShowCommand.php on line 53
    -----------------
    
    :: error_reporting
    
    Warning: Invalid argument supplied for foreach() in /app/vendor/psecio/iniscan/src/Psecio/Iniscan/Command/ShowCommand.php on line 53
    -----------------
    
    :: display_errors
    
    Warning: Invalid argument supplied for foreach() in /app/vendor/psecio/iniscan/src/Psecio/Iniscan/Command/ShowCommand.php on line 53
    -----------------
    
    Hacktoberfest 
    opened by sandrokeil 4