A lightweight PHP script that checks your PHP configuration for potential security vulnerabilities to help secure your PHP environment.
PHP Secure Configuration Checker
This tool is designed for PHP developers, system administrators, and security professionals who want to quickly assess the security posture of their PHP configuration (php.ini). It is useful for identifying insecure PHP settings and ensuring best practices are followed to reduce attack surfaces in web applications.
This tool only assesses PHP configuration security and does not guarantee overall application security. It is recommended to restrict web access to the script using IP whitelisting or SSH port forwarding. The script disables itself in web mode after two days by default to reduce exposure, which can be overridden if needed. Some PHP functions must be enabled for accurate checks, so ensure ini_get() and stat() are not disabled. The tool is designed to be simple and transparent, making it suitable even for novices.
Copy the phpconfigcheck.php script to any directory accessible by your webserver (e.g., the document root). Alternatively, run the script directly from the command line with your PHP interpreter:

php phpconfigcheck.php
    Run the configuration check from the command line with default output

php phpconfigcheck.php -a
    Run the check and show hidden results as well

php phpconfigcheck.php -h
    Output results in HTML format from the CLI

php phpconfigcheck.php -j
    Output results in JSON format from the CLI

Access phpconfigcheck.php via a web browser
    Run the check through the webserver, with HTML output by default

phpconfigcheck.php?showall=1
    Show all test results, including skipped, ok, and unknown, in web mode

phpconfigcheck.php?format=text|html|json
    Specify the output format explicitly in web mode (text, HTML, or JSON)

Set environment variable PCC_OUTPUT_TYPE=text|json
    Change the default output format in web mode via an environment variable

Set environment variable PCC_DISABLE_MTIME=1
    Disable the built-in two-day expiry safeguard for web mode

Set environment variable PCC_ALLOW_IP=<IP or pattern>
    Allow non-localhost IP addresses to access the web interface
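As an added illustration (not the project's own code), the snippet below shows how the web-mode safeguards described above can be implemented: the two-day expiry derived from the script file's modification time, the localhost-only default widened by PCC_ALLOW_IP, and the prerequisite check that ini_get() and stat() are usable. The helper names and the use of shell-style fnmatch() patterns for PCC_ALLOW_IP are assumptions made for this example.

```php
<?php
// Added example, not the project's code: web-mode safeguards for a configuration checker.
const PCC_EXPIRY_SECONDS = 2 * 24 * 60 * 60;   // two days, as described above

// True when $name is defined and not listed in disable_functions.
// function_exists() already returns false for disabled functions; the explicit
// disable_functions parse is a second, cheap cross-check.
function pccFunctionUsable(string $name): bool {
    if (!function_exists($name)) {
        return false;
    }
    if (!function_exists('ini_get')) {   // cannot read disable_functions without ini_get()
        return true;
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return !in_array($name, $disabled, true);
}

// Web-mode expiry: refuse to run once the script file is older than the window,
// unless PCC_DISABLE_MTIME=1 is set in the environment.
function pccExpired(string $scriptPath, int $now): bool {
    if (getenv('PCC_DISABLE_MTIME') === '1') {
        return false;
    }
    $mtime = @filemtime($scriptPath);
    return $mtime === false || ($now - $mtime) > PCC_EXPIRY_SECONDS;
}

// Web-mode client check: loopback only by default; PCC_ALLOW_IP may hold one address
// or a pattern such as "10.0.0.*" (fnmatch semantics are an assumption of this example).
function pccClientAllowed(string $remoteAddr): bool {
    if (in_array($remoteAddr, ['127.0.0.1', '::1'], true)) {
        return true;
    }
    $allow = getenv('PCC_ALLOW_IP');
    return $allow !== false && $allow !== '' && fnmatch($allow, $remoteAddr);
}

if (PHP_SAPI !== 'cli') {   // guards apply only when served over the web
    if (!pccClientAllowed($_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit("Access denied: set PCC_ALLOW_IP to permit this client.\n");
    }
    if (pccExpired(__FILE__, time())) {
        http_response_code(403);
        exit("Checker expired after two days; set PCC_DISABLE_MTIME=1 to override.\n");
    }
}
foreach (['ini_get', 'stat'] as $fn) {   // prerequisites named above
    if (!pccFunctionUsable($fn)) {
        echo "warning: $fn() is disabled, results will be incomplete\n";
    }
}
```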