GitHub - ada10fl2/EITF05_StickyCo: School project - EITF05 Web security - Stickyco Webshop #php #security #mysql #bs3

#EITF05 - Web Security - Project A webshop was implemented using PHP 5.4, Bootstrap 3 and MySql

Assignment

http://www.eit.lth.se/fileadmin/eit/courses/eitf05/project/webshop.pdf

Final Report

https://github.com/ada10fl2/EITF05_ProjectWebshop/raw/master/report.pdf

Configuration

See further details in the report above

PHP

Run nano /etc/php.ini

# Set session store to be outside of the www-root
session.save_path="/var/lib/php/session"
	
# Set the file upload to be outside of the www-root
upload_tmp_dir="/var/lib/php/session"

Apache

Run nano /etc/php.d/secutity.ini

# Dont leak information
expose_php=Off
display_errors=Off
file_uploads=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
	
# Disable remote code fetching
allow_url_fopen=Off
allow_url_include=Off
	
	
# Ineffective and not very robust
# mysql_escape_string() and custom filtering functions serve a better purpose
magic_quotes_gpc=Off
	
# Attackers may attempt to send oversized POST requests to eat your system resources
post_max_size=2K
	
# set in seconds
max_execution_time =  10
max_input_time = 30
memory_limit = 40M
	
# Disable all dangerous php functions
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
	
# PHP scripts are able to access files only when their owner is the owner of the PHP scripts
safe_mode = On
safe_mode_gid = Off
	
# Allow safemode to open/execute files only in specified directories
open_basedir = directory[:...]
safe_mode_exec_dir = directory[:...]

`www-root` (production only)

# Make sure path is outside /var/www/html and not readable or writeable by any other system users:
run:
	ls -Z /var/lib/php/
expect:
	drwxrwx---. root apache system_u:object_r:httpd_var_run_t:s0 session
	
# Make sure you run Apache as a non-root user such as Apache or www
chown -R apache:apache /var/www/html/
chmod -R 0444 /var/www/html/

# Ensure all directories permissions are set to 0445
find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}
	
# Write protect configuration files
chattr +i /etc/php.ini
chattr +i /etc/php.d/*
chattr +i /etc/my.ini
chattr +i /etc/httpd/conf/httpd.conf
chattr +i /etc/
chattr +i /var/www/html/

Name		Name	Last commit message	Last commit date
Latest commit History 106 Commits
classes		classes
css		css
fonts		fonts
img		img
include		include
js		js
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
about.php		about.php
cart.php		cart.php
checkout.js		checkout.js
checkout.php		checkout.php
error.html		error.html
fillprods.php		fillprods.php
index.js		index.js
index.php		index.php
login.js		login.js
login.php		login.php
logout.php		logout.php
php.ini		php.ini
report.pdf		report.pdf
screen.png		screen.png
signup.js		signup.js
signup.php		signup.php
success.php		success.php

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Assignment

Final Report

Configuration

PHP

Apache

`www-root` (production only)

About

Releases

Packages

Contributors 2

Languages

License

ada10fl2/EITF05_StickyCo

Folders and files

Latest commit

History

Repository files navigation

Assignment

Final Report

Configuration

PHP

Apache

www-root (production only)

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 2

Languages

`www-root` (production only)

Packages