Deploying AcuSensor for PHP
Before deploying AcuSensor, note the list of supported servers and frameworks.
Supported Servers and Frameworks
- PHP Language
- Application Frameworks
- Web Servers
- Database Engines
- Package Manager
AcuSensor is loaded through the PHP directive "auto_prepend_file", which must point to the AcuSensor PHP file.
Deploying the AcuSensor agent is a three-step process.
Step 1: Download AcuSensor for your Target
The instructions to download the AcuSensor agent file can be found here: https://www.acunetix.com/support/docs/installing-acusensor/.
Step 2: Copy the AcuSensor agent to the Target
For the purposes of this document, we will assume that you create a dedicated folder inside the ROOT folder of your operating system to hold the AcuSensor agent.
- Under Windows:
  - Create a folder "C:\acusensor\"
  - Copy the acusensor.php file into "C:\acusensor\"
- Under Linux:
  - Run the following command: mkdir /acusensor/
  - Use "cd" to navigate to the folder which contains your downloaded AcuSensor agent file and run the following command: cp acusensor.php /acusensor/
Step 3: Configure your web server to invoke the "auto_prepend_file" directive
- Under Windows with IIS:
  - Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add a line to that website's specific INI file. Otherwise, you will need to add a line to the general php.ini file - keeping in mind it will affect all websites on the web server. The line to be added is:
      auto_prepend_file="c:\acusensor\acusensor.php"
- Under Windows with Apache:
  - Option 1: add this line to the .htaccess file in the root folder of your website:
      php_value auto_prepend_file C:\acusensor\acusensor.php
  - Option 2: Identify the php.ini file which contains the PHP directives for your website. In a 64-BIT "wampserver" installation, typically the file to be edited would be "C:\wamp64\bin\php\php7.3.12\phpForApache.ini". Add this line to the file:
      auto_prepend_file="c:\acusensor\acusensor.php"
- Under Linux with Apache:
  - Option 1: add this line to the .htaccess file in the root folder of your website:
      php_value auto_prepend_file /acusensor/acusensor.php
  - Option 2: Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add a line to that website's specific INI file. Otherwise, you will need to add a line to the general php.ini file - keeping in mind it will affect all websites on the web server. The line to be added is:
      auto_prepend_file = /acusensor/acusensor.php
- Under Linux with NGINX:
  - Option 1: Identify your NGINX conf file (e.g. /etc/nginx/sites-enabled/mysite.conf), and in the section for "location ~ \.php$", add a line as follows:
      fastcgi_param PHP_VALUE "auto_prepend_file = /acusensor/acusensor.php";
  - Option 2: Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add a line to that website's specific INI file. Otherwise, you will need to add a line to the general php.ini file - keeping in mind it will affect all websites on the web server. The line to be added is:
      auto_prepend_file = /acusensor/acusensor.php
Where is my general php.ini file?
Temporarily create a simple PHP file with phpinfo(); - the "Loaded Configuration File" is the general php.ini file you will need to change.
Remember: You should ALWAYS remove any phpinfo() pages from your web application - the information disclosed by such a file is in itself a vulnerability, and provides malicious hackers with essential information with which to potentially craft an exploit targeting your web application.
Simple Docker Example for Apache + PHP + AcuSensor
Step 1: Prepare example website. For this single-page example, here are the contents of /home/myuser/www/index.php:
    <?php echo "Hello World!"; ?>
    <?php phpinfo(); ?>
Step 2: Configure loading of AcuSensor agent for the website; contents of /home/myuser/www/.htaccess:
    php_value auto_prepend_file /var/www/mysite/acusensor.php
Step 3: Configure Apache configuration for the website: contents of /home/myuser/mysite-apache.conf:
    <VirtualHost *:80>
      ServerAdmin me@mydomain.com
      DocumentRoot /var/www/mysite
      <Directory /var/www/mysite/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order deny,allow
        Allow from all
      </Directory>
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
Step 4: Place the acusensor.php file in /home/myuser/www
Step 5: Configure the Dockerfile for building the container: contents of /home/myuser/Dockerfile:
    FROM ubuntu:latest
    MAINTAINER Kevin Attard Compagno <kac@acunetix.com>
    # Install apache, PHP
    RUN apt-get update
    RUN apt-get -y upgrade
    RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php libapache2-mod-php
    # Expose apache
    EXPOSE 80
    # Copy website and AcuSensor agent into place
    COPY www /var/www/mysite
    # Update the default apache site with the website config
    COPY mysite-apache.conf /etc/apache2/sites-enabled/000-default.conf
    # Start up apache in the foreground
    CMD /usr/sbin/apache2ctl -D FOREGROUND
Step 6: Build the container. Run the following commands from the docker machine:
    cd /home/myuser
    docker build -t mysite .
Uninstall AcuSensor
- First you will need to reverse the changes made to your configuration files to invoke the "auto_prepend_file" directive
- Next, remove the AcuSensor sensor file as follows:
  - Under Windows, remove the "C:\acusensor\acusensor.php" file and then remove the "C:\acusensor" folder
  - Under Linux, run the following command:
      rm -rf /acusensor/
Note: Although Acunetix AcuSensor files are secured with a unique strong built-in password, it is recommended that the AcuSensor files are uninstalled and removed from the web application if they are no longer in use.
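The shell function below is an added example, not part of the Acunetix documentation or tooling. It lists every active auto_prepend_file setting under a configuration tree in the three syntaxes used in Step 3, which helps confirm the deployment and, after uninstalling, that the directive was reversed in every file. The function names, the EXPECTED/REVIEW labels and the sample paths /old/agent.php and /srv/other.php are constructed for illustration.

```sh
#!/bin/sh
# Added example: report every active auto_prepend_file setting under a tree.
# Usage: audit_prepend DIR [EXPECTED_PATH]   (empty EXPECTED_PATH = expect none)
audit_prepend() {
    dir=$1; expected=${2:-}
    find "$dir" -type f \( -name '*.ini' -o -name '.htaccess' -o -name '*.conf' \) |
    sort | while IFS= read -r f; do
        # Skip comment lines (";" in INI, "#" in Apache/NGINX), then capture
        # what follows the directive name, up to a closing quote or semicolon.
        sed -n -e '/^[[:space:]]*[;#]/d' \
            -e 's/.*auto_prepend_file[[:space:]=]*"\{0,1\}\([^";]*\).*/\1/p' "$f" |
        while IFS= read -r value; do
            value=$(printf '%s' "$value" | sed 's/[[:space:]]*$//')
            [ -n "$value" ] || continue   # "auto_prepend_file =" means unset
            if [ "$value" = "$expected" ]; then status=EXPECTED; else status=REVIEW; fi
            printf '%s\t%s\t%s\n' "$status" "$f" "$value"
        done
    done
}

# Constructed sample tree: .htaccess, php.ini and NGINX syntaxes from Step 3.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/www" "$t/nginx"
    printf '%s\n' 'php_value auto_prepend_file /acusensor/acusensor.php' \
        > "$t/www/.htaccess"
    printf '%s\n' '; auto_prepend_file = /old/agent.php' 'auto_prepend_file =' \
        > "$t/php.ini"
    printf '%s\n' 'fastcgi_param PHP_VALUE "auto_prepend_file = /srv/other.php";' \
        > "$t/nginx/mysite.conf"
    printf '%s\n' "$t"
}

# Demo on the constructed tree: the agent path is EXPECTED, anything else REVIEW.
tree=$(make_sample_tree)
audit_prepend "$tree" /acusensor/acusensor.php
rm -rf "$tree"
```

Point it at the website root and the directories that hold your PHP, Apache or NGINX configuration. With an empty second argument, as after an uninstall, every setting still present is reported as REVIEW.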