Thursday, April 24, 2014

How to configure CURL command to access website with SSL configured?

To check my server has "PHP expose_php Information Disclosure" vulnerability, basically I can check the php.ini file for "expose_php" parameter and turn it off will do. But this doesn't provide me a proof that I has fixed this issue.

I use "curl -I https://[website]" command to retrieve the header of the website to check whether PHP information is included in the header and I encountered this error because SSL is being turned on at my website.

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

To fix this problem, I download the certification provider file from "http://curl.haxx.se/ca/cacert.pem" and rename it to become "curl-ca-bundle.crt". Put this file in the same folder as your curl.exe or C:\windows\system32 folder, run "curl -I https://[website]" command again, you will be able to get details as described below
HTTP/1.1 200 OK
Date: Thu, 24 Apr 2014 07:48:22 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=lim3eoqjrs75cnn72tk2pdp910; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: SMP_PERMAUTH=deleted; expires=Wed, 24-Apr-2013 07:48:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

Through the details as described above, "X-Powered-By: PHP/5.3.3" prove that "expose_php" parameter has not turned off.