PCI Compliance - Web Hosting

PCI Compliance tips and tricks for the Apache web server with PHP.

  • PHP Expose
  • Debug Functions
  • Auto Index
  • Etags
  • SSL Cipher
  • SSL Protocol

PHP Expose: PCI Compliance Score = 5

PHP is exposed by default on most web server installations. This lets anyone reach Easter egg code that may be built into the language. For an example of an Easter egg, read here.

Solution: Edit your php.ini file and set expose_php to Off.

Apache Debug Functions: PCI Compliance Score = 4

The Apache web server's default configuration leaves the TRACE debug method enabled. A malicious web site can cause a user to reveal confidential or sensitive information through a specially crafted link to the vulnerable server. This works because the TRACE request method causes the server to simply echo an HTTP request back to the client unchanged.

Solution: Disable the TRACE method on the web server. Edit the Apache httpd.conf file and add 'TraceEnable off' to it.

Apache AutoIndex: PCI Compliance Score = 8

The Apache server automatically generates a directory listing when a directory contains no index.php or index.html file. This reveals the directory structure of the website and can expose sensitive website files.

Solution: Disable automatic indexing by removing Indexes from your Options directive with the minus flag.

Ex. Options -Indexes

This can be done server-wide or for a single virtual host.

Etags: CVE Vulnerability - PCI Compliance Score = 6

Apache has ETag support built into its core. Unfortunately, by default it includes inode numbers in the ETag, which can expose sensitive file system data.

Solution: Configure ETags so they do not include inode numbers by adding the following line to your httpd.conf.

FileETag -INode MTime Size

Once added, you will need to restart the web server.

SSL Cipher: PCI Compliance Score = 4

Many web servers still accept older encryption ciphers. This leads to weak security that an attacker can compromise.

Solution: Only allow ciphers with no known weaknesses. Edit your Apache SSL configuration to include:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!MEDIUM:RC4+RSA:+HIGH

This ensures that only the strongest ciphers are allowed.

SSL Protocol: PCI Compliance Score = 4

Several versions of the SSL protocol are in widespread use today. All versions except SSL3 and TLS1 have known weaknesses and should not be used.

Add the following line to your Apache SSL configuration to ensure the older protocols are not allowed:

SSLProtocol -ALL +SSLv3 +TLSv1
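As an added example (not part of the original article), the following Python script audits httpd.conf and php.ini text for the settings recommended in the sections above, so an administrator can check a configuration before a PCI scan. The sample configurations are constructed for the example; the directive parsing is deliberately simple and does not follow Include files or per-directory context.

```python
import re

# Constructed sample configs (not from the original page): one weak, one hardened.
WEAK_HTTPD_CONF = """
Options Indexes FollowSymLinks
FileETag INode MTime Size
SSLProtocol all
"""
HARDENED_HTTPD_CONF = """
TraceEnable off
Options -Indexes FollowSymLinks
FileETag -INode MTime Size
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!MEDIUM:RC4+RSA:+HIGH
SSLProtocol -ALL +SSLv3 +TLSv1
"""

def directives(conf):
    """Map lower-cased directive name -> list of lower-cased argument lists (skips comments/tags)."""
    seen = {}
    for line in (l.strip() for l in conf.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            seen.setdefault(name.lower(), []).append([a.lower() for a in args])
    return seen

def audit_httpd_conf(conf):
    """Return the article's checks that fail for this httpd.conf text (empty list = pass)."""
    seen, findings = directives(conf), []
    if ["off"] not in seen.get("traceenable", []):  # Apache's default is TraceEnable on
        findings.append("TraceEnable off missing")
    if any({"indexes", "+indexes", "all"} & set(a) for a in seen.get("options", [])):
        findings.append("Options enables Indexes")
    if any({"inode", "+inode", "all"} & set(a) for a in seen.get("fileetag", [["inode"]])):
        findings.append("FileETag exposes INode")  # absent FileETag treated as the inode default
    if "sslciphersuite" not in seen:
        findings.append("SSLCipherSuite not restricted")
    if any("all" in a for a in seen.get("sslprotocol", [["all"]])):
        findings.append("SSLProtocol allows old versions")  # bare ALL or no directive at all
    return findings

def audit_php_ini(ini):
    """Return True only when php.ini explicitly sets expose_php off (PHP's default is On)."""
    for line in ini.splitlines():
        m = re.match(r"\s*expose_php\s*=\s*(\w+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() in ("off", "0", "false", "no")
    return False
```

Running audit_httpd_conf on the weak sample reports all five findings, while the hardened sample returns an empty list.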

Note: PCI security scores are based on a scale of 1 to 10, with anything over 4 causing a failure. Different companies may assign different scores to the same issues. Please check with your vendor for a complete list.
