Open phpinfo() and find the line for the open_basedir directive. It limits the files PHP may open to a base directory. Once it is set, scripts can no longer open files outside that directory and its subdirectories, such as C:\Windows.

If the site needs other directories as well (for example a separate web root), list them in open_basedir too. However, a single base directory shared by all users means one user can still read and modify another user's files. This must be prevented.

Unfortunately, a global setting in php.ini cannot keep one user away from another's data: php.ini holds one value for everyone.

But there is one useful option if PHP runs under Apache. In phpinfo() you will find two columns: "Master Value" and "Local Value". The first is the value from php.ini. The second is the value in effect for the current request, which may have been overridden in the Apache configuration or by the script itself.

Directives whose changeable mode permits it can be changed by a script with ini_set(). open_basedir is security-critical: a script can only narrow it to a subdirectory of the value the administrator set; it cannot widen it.

So in the Apache configuration file httpd.conf the administrator can set open_basedir per directory or per virtual host (with php_admin_value, which .htaccess cannot override). That setting becomes the Local Value for that user's scripts, and each user gets their own base directory.
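The behaviour described above, as an added example that is not part of the original page: a CLI script that prints the Master and Local values of open_basedir, shows that a script can tighten but not widen the directive, and shows what a blocked file access returns. The base path /tmp/, the subdirectory name and the file name are this example's own choices; it is written for Linux.

```php
<?php
// Added example (not from the original page): inspect and tighten
// open_basedir from a script. Run on Linux with a Master Value supplied on
// the command line, the way php.ini or httpd.conf would supply it:
//   php -d open_basedir=/tmp/ check_basedir.php
// Under Apache the same per-user restriction is set in httpd.conf, e.g.
//   php_admin_value open_basedir "/var/www/user1/:/tmp/"
// inside that user's <VirtualHost>. A trailing slash makes the intent
// explicit (PHP before 5.3.4 treated the value as a plain string prefix).

function describe(string $directive): void {
    // ini_get_all(null, true) returns global_value (phpinfo's Master Value)
    // and local_value (the value in effect for this request).
    $d = ini_get_all(null, true)[$directive];
    printf("%s: master=%s local=%s\n", $directive,
        var_export($d['global_value'], true), var_export($d['local_value'], true));
}

$base = rtrim((string) ini_get('open_basedir'), '/');
if ($base === '') {
    fwrite(STDERR, "run with -d open_basedir=/tmp/ (see comment above)\n");
    exit(1);
}
describe('open_basedir');

// A script may tighten open_basedir: a subdirectory of the current base is
// accepted and ini_set() returns the previous value.
$sub = "$base/basedir-demo";              // demo directory, created below
@mkdir($sub, 0700);
var_dump(ini_set('open_basedir', "$sub/")); // string(5) "/tmp/"

// It may not widen it: ini_set() returns false and the value is unchanged.
var_dump(ini_set('open_basedir', '/'));     // bool(false)
describe('open_basedir');

// Effect on file access: inside the base works, outside fails (the @
// suppresses the "open_basedir restriction in effect" warning).
var_dump(file_put_contents("$sub/ok.txt", "inside\n")); // int(7)
var_dump(@file_get_contents('/etc/hostname'));          // bool(false)
```

Run without `-d open_basedir=...` the script refuses to continue, because on a master value that is empty the first ini_set() would succeed and the master/local distinction would not be visible. Note that open_basedir only governs PHP's own file functions; it does not stop a script from running commands with exec() or similar, which is what disable_functions (below) is for.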

Other PHP settings

Use disable_functions in php.ini to switch off functions that are potentially dangerous.
Think carefully about every change you make: disabling a function means some scripts will stop working.

Some functions are genuinely dangerous and are rarely needed by ordinary scripts. Others may be needed for particular purposes. So it is not simply a matter of disabling everything that could be dangerous; weigh each decision carefully.
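A small audit script for this decision, added here as an example that is not part of the original page: it reports which functions from a candidate list are still callable under the php.ini in use, and shows that disable_functions itself cannot be changed from a script. The two candidate lists are this example's own suggestion, grouped the way the paragraph above describes, not an official or complete list.

```php
<?php
// Added example (not from the original page): audit which potentially
// dangerous functions are still callable under the current php.ini.
// Run with the php.ini you want to check, e.g.
//   php -c /etc/php/8.2/cli/php.ini audit_disable_functions.php
// or, to see a restricted result, with a value supplied on the command line:
//   php -d 'disable_functions=exec,shell_exec,system,passthru,proc_open,popen' audit_disable_functions.php
// The candidate lists below are this example's own suggestion.

// Functions most sites never call from web code: anything that starts a process.
const RARELY_NEEDED = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', 'pcntl_exec', 'dl'];
// Functions some sites legitimately need; disable only after checking usage.
const SOMETIMES_NEEDED = ['mail', 'curl_exec', 'fsockopen', 'putenv'];

/** Candidates that are still callable: compiled in and not listed in disable_functions. */
function still_enabled(array $candidates): array {
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $enabled = [];
    foreach ($candidates as $fn) {
        // function_exists() is false both for functions removed by
        // disable_functions and for extensions that are not loaded at all.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

printf("disable_functions = %s\n", var_export(ini_get('disable_functions'), true));
printf("rarely needed, still callable:    %s\n", implode(', ', still_enabled(RARELY_NEEDED)) ?: '(none)');
printf("sometimes needed, still callable: %s\n", implode(', ', still_enabled(SOMETIMES_NEEDED)) ?: '(none)');

// disable_functions is a PHP_INI_SYSTEM directive: it can only be set in
// php.ini, so a script can neither add to it nor remove entries from it.
var_dump(ini_set('disable_functions', 'exec')); // bool(false)
```

Run it against the php.ini of every SAPI you expose (mod_php, php-fpm and the CLI each read their own file); a restriction present in one and missing in another is a common oversight.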

Do not assume that safe_mode = On alone is enough. It disables some useful features and does not solve the problem described above. Safe mode was deprecated in PHP 5.3.0 and removed in PHP 5.4.0.

Common mistakes

There are several mistakes a web developer can make that leave a site insecure.

For example, if you are building a blog and allow users to upload images, this is a serious hazard when the code is written by a beginner. There are also several mistakes a programmer can make on the login page, and so on. One of the most common is failing to block the upload of malicious code, such as a PHP script uploaded in place of an image.

The important point is that one insecure site on shared hosting is a threat to the entire server. Installing open-source projects such as PHP-Nuke can also be risky: several vulnerabilities in such projects have already been discovered.
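The image-upload mistake mentioned above, shown as an added example that is not from the original page: an unsafe handler beside a hardened one. Function names, the storage paths and the size limit are this example's own assumptions.

```php
<?php
// Added example (not from the original page): the unsafe upload pattern
// described above beside a hardened version. Function names, paths and the
// 2 MB limit are this example's own assumptions.

// VULNERABLE: trusts the client-supplied name and stores it under the web
// root. A file named "shell.php" (or "../shell.php") lands in a served
// directory and is executed by the next request.
function save_upload_unsafe(array $file, string $webRoot): string {
    $dest = $webRoot . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: validate the content rather than the name, choose the file name
// ourselves, and store outside the document root so nothing there is executed.
function save_upload_safe(array $file, string $storeDir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // getimagesize() parses the actual bytes; a PHP script renamed to
    // .jpg does not pass. Only the listed image types are accepted.
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Never reuse the client name: a random name removes path traversal and
    // double-extension tricks ("shell.php.jpg") at the same time.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $dest;
}

// Usage inside the upload handler; the store directory is outside the web
// root and is served through a download script, not directly by Apache:
// $path = save_upload_safe($_FILES['image'], '/var/www/site-data/uploads');
```

getimagesize() is not a complete defence on its own: a valid image with PHP code hidden in a comment block still passes. That is why the hardened version also refuses to place the file anywhere the web server would execute it; re-encoding the image with GD before storing it is a further option.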

March 6, 2015 at 00:43

Website security audit - identifying risks and threats


A site security audit (checking a site for vulnerabilities) is a series of procedures aimed at ensuring the stable operation of a web resource, the security of its data and the reduction of risk.

It is no secret that the economic situation now dictates new rules, including in competition. If earlier the "war of technologies", cyber espionage and destructive actions were mainly the business of large corporations or entire states, these methods are now used quite successfully against small and medium-sized businesses.

Let us leave aside for now the sites of companies that operate offline; today we will talk about commercial websites whose main income comes from their Internet activity.

A site security audit is a set of tasks to identify errors in the site's code and in the server software that attackers could use to attack and compromise the site.

Attackers' motivation varies: bragging rights, profit for themselves, or work done to order for someone else.

Among recent high-profile examples is the hacking of the freelance exchange FL.ru.

(screenshot: the attacker's message posted on behalf of one of the administrators)

Here the resource clearly suffered reputational damage and user loyalty fell. New users may be difficult to attract: www.google.ru/search?ie=UTF-8&hl=ru&q=FL.ru
In Google's results for the query FL.RU, the second hit is a Habr thread about the leak of the user base.

What would a security audit have given the FL.RU exchange? Password guessing against the resource's administrator accounts would have identified the weak ones. Additional recommendations, and compliance with them, would have helped avoid such an unfortunate oversight. The absence of any restriction on access to critical functionality (user accounts) from untrusted IP addresses only made the situation worse.

The reputational damage of a company website being hacked naturally affects the company's profitability. But there is also a direct threat of theft of data that is valuable to the company. A company website tied to online activity (an online store, an electronic exchange and so on) is the main tool for making a profit, and it usually contains a customer database, which is all the more valuable if the service involves long-term work with the client, repeat purchases and so on.

Manipulation of payment data and fraudulent transactions in deposit/withdrawal or payment systems can also cause the company great damage.

Attackers who target sites can be roughly divided into two types:

1. Take whatever is poorly guarded.

These attackers try to gain access to a large number of sites, use primitive techniques and leave a lot of "noise in the logs". Typically they scan sites with popular vulnerability scanners or look for a vulnerable CMS matching a specific exploit. They may be after the user base, or simply want to plant an iframe pointing to a so-called exploit pack.

(screenshot: an advertisement seeking accomplices for an offence under Article 273 of the Criminal Code of the Russian Federation)

A timely web application security audit will identify the vulnerable components and problem areas of the site, and its recommendations will help you be prepared to repel such attacks.

2. Attack a specific target.

These attackers are usually motivated to obtain, or destroy, particular data:

(screenshot: announcements on "near-hacker" forums)

In this case the attacker will not limit himself to passive methods; most likely he will keep attacking the site until he gets the desired result, trying every combination of attack vectors available.

A comprehensive security audit, which usually includes the following work, can significantly improve the security of a site:

  • Searching for vulnerabilities in server components;
  • Searching for vulnerabilities in the server's web environment;
  • Checking for remote execution of arbitrary code;
  • Checking for injection flaws (SQL, command and other code injection);
  • Attempting to bypass the web resource's authentication;
  • Checking the web resource for XSS and CSRF vulnerabilities;
  • Attempting to take over privileged accounts (or the sessions of such accounts);
  • Attempting Remote File Inclusion / Local File Inclusion;
  • Searching for components with known vulnerabilities;
  • Checking for redirects to other sites and open redirects;
  • Enumerating directories and files by brute force and by Google hacking (search-engine queries);
  • Analysing search, registration and login forms and the like;
  • Checking whether confidential or secret information can be obtained from the resource directly;
  • Race-condition attacks;
  • XML external entity (XXE) injection;
  • Password guessing.

A site security audit is a proactive measure that gives you a realistic assessment of the security of a company resource, full information about the vulnerabilities found, possible attack scenarios and recommendations for eliminating them. It is not a one-off event but a continuous process of protecting the business processes that run through the company's website, its business reputation, economic growth and development.

Do not wait until your site is attacked by intruders: order a comprehensive website security audit from professionals.

Recently the Internet has become the main habitat of viruses, since only there can they spread effectively to users' computers. The days when systems were infected from disks or flash drives are gone. As the amount of downloaded information has grown, the number of infected computers has grown with it, because users perceive the threat from the Internet as something abstract that does not affect them.

Unfortunately, it is not. Neglecting the basics of security can compromise the data stored on our hard drives. A telling example was the infection of large corporations by ransomware, which encrypted data and extorted money to unlock it. Most of them caught it through simple inattention.

Infection prevention

First of all, use anti-virus software. Most of it can filter traffic and warn users in advance of the danger lurking on a resource being opened. Even free versions can significantly improve the protection of your computer.

Secondly, switch to a browser with a built-in site check. Such browsers warn of the danger awaiting users on a particular site. One of them is Yandex Browser: its default plugin scans sites and blocks access to openly malicious resources. If the user tries to open such a page, he sees a warning about the danger and a suggestion to close the tab.

Third, try not to follow suspicious links on social networks. VKontakte itself warns that a site may be dangerous, so do not ignore the service's advice. Most infections happen this way.

Using Google to Verify

This option suits site owners who want to make sure that their creations do not harm users of the World Wide Web. If the site does not belong to you, you will not be able to check it through the search engines.

To start, go to the webmaster panel at google.com/webmasters/tools/home (you need to be signed in to your Google account). Click "Add a property", enter the site's address in the box and press "Add".

Next you need to confirm ownership of the site. For this you place the HTML verification file or tag that Google gives you on the resource so that Google can identify you. Follow the steps in the instructions and click "Verify".

After confirmation we can see all the information about the site. Open the "Security issues" tab. If malware was found on the site, the system reports it here; if not, the tab shows that no issues were found.

Checking for viruses with Yandex

By and large, in Yandex we repeat the same procedure as in Google: add the site to the webmaster panel, confirm ownership, and open the security section.

Doctor Web and Kaspersky

By and large, after checking a site through these two services you can be reasonably confident that it does not contain viruses. These laboratories have spent years developing anti-virus software, so there is no reason to doubt their competence. Let us start with Doctor Web.

Go to the official site vms.drweb.ru/online. Besides the virus check, it offers an extensive selection of information about viruses and their spread. The main part of the page is the address bar in the middle: enter the link to the resource being checked and click "Check".

After a while we get a detailed description of the checks performed and a verdict on whether the page is dangerous or safe.

The Kaspersky service is built on the same principle, but here we can also check files. Enter the URL in the address bar and click "Check".

Unlike the previous service, it does not burden us with the details of the check but gives the result immediately.

Other online services

Besides those already covered, there are other services for checking links:


How do you know whether the site you are visiting is safe? Is it risky to buy something on it, and how suitable is its content for children?

For this, popular anti-virus products have a built-in site rating system. Most often it works on the votes of the users themselves. Avast Internet Security, for example, has such a system. But there is one small "but": almost all anti-virus products with this feature are paid. As a result they have a rather limited audience, which means only a small number of users contribute to the site ratings.

So I found a better solution for myself. It is called Web Of Trust.

Web Of Trust is a free service for assessing site reliability.

Principle of operation

In essence it is a browser add-on which, when a new page opens, shows the page's rating next to the address bar as a coloured emblem, from bright green to bright red. The greener the emblem (an indicator of the site's trustworthiness, if you like), the safer the site. And vice versa: if the icon turns red, something is wrong with this site.

Download it by clicking the red button on the right. Installation of the plugin in Internet Explorer is shown step by step in the screenshots that follow: