{"id":13669420,"url":"https://github.com/sektioneins/pcc","last_synced_at":"2025-04-27T04:32:56.162Z","repository":{"id":19659394,"uuid":"22912441","full_name":"sektioneins/pcc","owner":"sektioneins","description":"PHP Secure Configuration Checker","archived":false,"fork":false,"pushed_at":"2024-04-11T14:37:40.000Z","size":533,"stargazers_count":814,"open_issues_count":6,"forks_count":135,"subscribers_count":58,"default_branch":"master","last_synced_at":"2024-08-02T08:08:10.806Z","etag":null,"topics":["configuration","php","security"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sektioneins.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-08-13T10:53:58.000Z","updated_at":"2024-07-17T01:17:54.000Z","dependencies_parsed_at":"2024-08-02T08:14:56.390Z","dependency_job_id":null,"html_url":"https://github.com/sektioneins/pcc","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sektioneins%2Fpcc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sektioneins%2Fpcc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sektioneins%2Fpcc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sektioneins%2Fpcc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sektioneins","download_url":"https://codeload.github.com/sektioneins/pcc/tar.gz/refs/head
s/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224060290,"owners_count":17248982,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["configuration","php","security"],"created_at":"2024-08-02T08:01:12.943Z","updated_at":"2024-11-11T06:30:20.859Z","avatar_url":"https://github.com/sektioneins.png","language":"PHP","funding_links":[],"categories":["PHP"],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.com/sektioneins/pcc.svg?branch=master)](https://travis-ci.com/sektioneins/pcc)\n\nPHP Secure Configuration Checker\n================================\n\nCheck current PHP configuration for potential security flaws.\n\nSimply access this file from your webserver or run on CLI.\n\nAuthor\n------\nThis software was written by Ben Fuhrmannek, [SektionEins GmbH](https://sektioneins.de/), in an effort to automate php.ini checks and spend more time on cheerful tasks.\n\nIdea\n----\n\n* one single file for easy distribution\n* simple tests for each security related ini entry\n* a few other tests - not too complicated though\n* compatible with PHP \u003e= 5.4, or if possible \u003e= 5.0\n* NO complicated/overengineered code, e.g. no classes/interfaces, test-frameworks, libraries, ... -\u003e It is supposed to be obvious on first glance - even for novices - how this tool works and what it does!\n* NO (or very few) dependencies\n\nUsage / Installation\n--------------------\n\n* **CLI**: Simply call `php phpconfigcheck.php`. That's it. 
Add `-a` to see hidden results as well, `-h` for HTML output and `-j` for JSON output.\n\n* **WEB**: Copy this script to any directory accessible by your webserver, e.g. your document root. See also 'Safeguards' below.\n\n  The output in non-CLI mode is HTML by default. This behaviour can be changed by setting the environment variable `PCC_OUTPUT_TYPE=text` or `PCC_OUTPUT_TYPE=json`.\n\n  Some test cases are hidden by default, specifically skipped, ok and unknown/untested. To show all results, use `phpconfigcheck.php?showall=1`. This does not apply to JSON output, which returns all results by default.\n\n  To control the output format in WEB mode use `phpconfigcheck.php?format=...`, where the value of `format` may be one of `text`, `html` or `json`. For example: `phpconfigcheck.php?format=text`. The `format` parameter takes precedence over `PCC_OUTPUT_TYPE`.\n\nSafeguards\n----------\n\nMost of the time it is a good idea to keep security related issues such as your PHP configuration to yourself. The following safeguards have been implemented:\n\n* **mtime check**: This script stops working in non-CLI mode after two days. Re-arming the check can be done by `touch phpconfigcheck.php` or by copying the script to your server again (e.g. via SCP). This check can be disabled by setting the environment variable: `PCC_DISABLE_MTIME=1`, e.g. `SetEnv PCC_DISABLE_MTIME 1` in Apache's `.htaccess`.\n\n* **source IP check**: By default only localhost (127.0.0.1 and ::1) can access this script. Other hosts may be added by setting `PCC_ALLOW_IP` to your IP address or a wildcard pattern, e.g. `SetEnv PCC_ALLOW_IP 10.0.0.*` in `.htaccess`. You may also choose to access your webserver via SSH port forwarding, e.g. `ssh -D` or `ssh -L`.\n\nTroubleshooting\n---------------\n\n* **disabled functions:** This script needs a few functions to work properly, such as `ini_get()` and `stat()`. 
If one of these functions is blacklisted (or not whitelisted) then execution will fail or produce invalid output. In these cases it is possible to _temporarily_ put Suhosin in simulation mode and omit disable_functions. To be on the safe side, relaxed security configuration can be done with .htaccess in a separate directory. Also, this script may be called from command line with your webserver's configuration, e.g. `php -n -c /etc/.../php.ini phpconfigcheck.php`.\n\n* **CLI:** Older PHP versions don't know about SAPI name 'cli' and use CGI style output even on CLI. Workaround: `PCC_OUTPUT_TYPE=text /opt/php/php-5.1.6/bin/php phpconfigcheck.php`\n\nWARNING\n-------\n\nThis tool will only support you in setting up a secure PHP environment.\nNothing else. Your setup, software or any related configuration may still\nbe vulnerable, even if this tool's output suggests otherwise.\n\nNotes\n-----\n\n* For copyright and license information, see phpconfigcheck.php and the LICENSE file.\n* Issues, comments, enhancements? Please use the GitHub issue tracker:\n  https://github.com/sektioneins/pcc/issues\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsektioneins%2Fpcc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsektioneins%2Fpcc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsektioneins%2Fpcc/lists"}