Security Information About PHP

PhpSecInfo Version 0.2.1; build 20070406

Curl

Test Result
file_support
Pass
You are running PHP 4.4.4 or higher, or PHP 5.1.6 or higher. These versions fix the security hole present in the cURL functions that allow it to bypass safe_mode and open_basedir restrictions.
Current Value: 5.6.33-0+deb8u1
Recommended Value: 5.1.6+ or 4.4.4+

Core

Test Result
allow_url_fopen
Warning
allow_url_fopen is enabled. This could be a serious security risk. You should disable allow_url_fopen and consider using the PHP cURL functions instead.
Current Value: 1
Recommended Value: 0
allow_url_include
Pass
allow_url_include is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
display_errors
Pass
display_errors is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
expose_php
Pass
expose_php is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
file_uploads
Notice
file_uploads are enabled. If you do not require file upload capability, consider disabling them.
Current Value: 1
Recommended Value: 0
group_id
Warning
PHP may be executing as a "privileged" group, which could be a serious security vulnerability.
Current Value: 33
Recommended Value: 100
magic_quotes_gpc
Pass
magic_quotes_gpc is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
memory_limit
Notice
memory_limit is set to a very high value. Are you sure your apps require this much memory? If not, lower the limit, as certain attacks or poor programming practices can lead to exhaustion of server resources. It is recommended that you set this to a realistic value (8M for example) from which it can be expanded as required.
Current Value: 134217728
Recommended Value: 8388608
open_basedir
Notice
open_basedir is disabled. When this is enabled, only files that are in the given directory/directories and their subdirectories can be read by PHP scripts. You should consider turning this on. Keep in mind that other web applications not written in PHP will not be restricted by this setting.
Current Value: 0
Recommended Value: 1
post_max_size
Notice
post_max_size is not enabled, or is set to a high value. Allowing a large value may open up your server to denial-of-service attacks
Current Value: 8388608
Recommended Value: 262144
register_globals
Pass
register_globals is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0
upload_max_filesize
Notice
upload_max_filesize is not enabled, or is set to a high value. Are you sure your apps require uploading files of this size? If not, lower the limit, as large file uploads can impact server performance
Current Value: 2097152
Recommended Value: 262144
upload_tmp_dir
Notice
upload_tmp_dir is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access temporary copies of files uploaded via your PHP scripts. You should set upload_tmp_dir to a non-world-readable directory
Current Value: /tmp (1777)
Recommended Value: A non-world readable/writable directory
user_id
Warning
PHP may be executing as a "privileged" user, which could be a serious security vulnerability.
Current Value: 33
Recommended Value: 100

Session

Test Result
save_path
Notice
save_path is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access session files. You should set save_path to a non-world-readable directory
Current Value: /var/lib/php5/sessions (1733)
Recommended Value: A non-world readable/writable directory
use_trans_sid
Pass
use_trans_sid is disabled, which is the recommended setting
Current Value: 0
Recommended Value: 0

Tests Not Run

Test Result
CGI::force_redirect
Not Run
You don't seem to be using the CGI SAPI

Test Results Summary

Test Result
Notice
7 out of 17 (41.18%)
Pass
7 out of 17 (41.18%)
Warning
3 out of 17 (17.65%)