PHPSecInfo is something like the phpinfo() function. This PHP environment security auditing tool runs, from a single function call, a series of tests against your PHP environment to identify potential security issues and offer suggestions. It is not a replacement for secure development techniques and does not do any kind of code or application auditing, but it can be a useful tool in a multilayered security approach.
Using PHPSecInfo is very simple. All you have to do is download the tool, unpack it and upload it to the server's root (this is not the only option, but it is the recommended one). Then do not forget to add this new directory to your Apache httpd.conf as a new alias so that it can be accessed:
Alias /phpsecinfo "/usr/local/www/phpsecinfo"
<Directory "/usr/local/www/phpsecinfo">
    Options None
    AllowOverride All
    Order deny,allow
    Deny from all
</Directory>
It is also strongly recommended to add an .htaccess file in the PHPSecInfo root to prevent exposure of its results to others, as you can see in my ll shell output below.
[root@server /usr/local/www/phpsecinfo]# ll
total 18
-rw-r--r--  1 root  wheel    61 Sep 20 18:08 .htaccess
-rw-r--r--  1 root  wheel  3663 Apr  5  2007 CHANGELOG
-rw-r--r--  1 root  wheel  1370 Apr  5  2007 LICENSE
drwxr-xr-x  3 root  wheel   512 Sep 20 17:46 PhpSecInfo
-rw-r--r--  1 root  wheel  2610 Apr  5  2007 README
drwxr-xr-x  5 root  wheel   512 Sep 20 17:46 docs
-rw-r--r--  1 root  wheel   748 Apr  5  2007 index.php
This .htaccess file should contain a couple of entries, something like this:
deny from all
allow from your.ip.address
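The Deny/Allow lines above only lock the tool down because of the Order they are evaluated in: with Order deny,allow (Apache's default when no Order directive is given) the Allow entries override the Deny entries, so "deny from all" plus "allow from your.ip.address" admits exactly that one address, while "Order allow,deny" with the same two lines would deny everyone. The following checker is an added example, not part of PHPSecInfo or Apache; it evaluates one Order/Deny/Allow block for a client address using those Apache 2.2 semantics, and only understands "all", single IPs and CIDR ranges (hostnames and partial-IP forms are left out).

```python
import ipaddress

def parse_access(text):
    """Parse Order/Deny/Allow lines (case-insensitive, '#' comments skipped).

    Returns (order, deny_hosts, allow_hosts). Apache's documented default
    Order is deny,allow, which is what the .htaccess above relies on.
    """
    order, deny, allow = "deny,allow", [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif keyword in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if keyword == "deny" else allow).extend(parts[2:])
    return order, deny, allow

def _matches(client_ip, host):
    """True if host ('all', an IP, or a CIDR range) covers client_ip."""
    if host.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(host, strict=False)

def client_allowed(config_text, client_ip):
    """Decide whether client_ip may access a directory protected by config_text.

    Order deny,allow: allowed unless matched by Deny and not by Allow
                      (Allow wins, default is allow).
    Order allow,deny: allowed only if matched by Allow and not by Deny
                      (Deny wins, default is deny).
    """
    order, deny, allow = parse_access(config_text)
    denied = any(_matches(client_ip, h) for h in deny)
    allowed = any(_matches(client_ip, h) for h in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order value: %s" % order)

if __name__ == "__main__":
    # Constructed sample: the .htaccess from the article with a documentation address.
    htaccess = "deny from all\nallow from 203.0.113.7"
    print(client_allowed(htaccess, "203.0.113.7"))   # True: the admin's address
    print(client_allowed(htaccess, "198.51.100.9"))  # False: everyone else
```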
Now you can enjoy the PHPSecInfo security auditing tool's output (background colored according to the seriousness of each finding) and follow its recommendations to improve your PHP environment and the server itself.