Uncl3 Blog's: PHP Suhosin

Manusia Tak Sempurna

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Feature List
Engine Protection (only with patch)

Protects the internal memory manager against bufferoverflows with Canary and SafeUnlink Protection
Protects Destructors of Zend Hashtables
Protects Destructors of Zend Linked-Lists
Protects the PHP core and extensions against format string vulnerabilities
Protects against errors in certain libc realpath() implementations

Misc Features

Protection Simulation mode
Adds the functions sha256() and sha256_file() to the PHP core
Adds support for CRYPT_BLOWFISH to crypt() on all platforms
Transparent protection of open phpinfo() pages
EXPERIMENTAL SQL database user protection

Runtime Protection

Transparent Cookie Encryption
Protects against different kinds of (Remote-)Include Vulnerabilities
disallows Remote URL inclusion (optional: black-/whitelisting), disallows inclusiong of uploaded files, optionally stops directory traversal attacks
Allows disabling the preg_replace() /e modifier
Allows disabling eval()
Protects against infinite recursion through a configureabel maximum execution depth
Supports per Virtual Host / Directory configureable function black- and whitelists
Supports a separated function black- and whitelist for evaluated code
Protects against HTTP Response Splitting Vulnerabilities
Protects against scripts manipulating the memory_limit
Protects PHP‘s superglobals against extract() and import_request_vars()
Adds protection against newline attacks to mail()
Adds protection against \0 attack on preg_replace()

Session Protection

Transparent encryption of session data
Transparent session hijacking protection
Protection against overlong session identifiers
Protection against malicious chars in session identifiers

Filtering Features

Filters ASCIIZ characters from user input
Ignores GET, POST, COOKIE variables with the following names:

GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
_SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS

Allows enforcing limits on REQUEST variables or separated by type (GET, POST, COOKIE)

Supports a number of variables per request limit
Supports a maximum length of variable names [with and without indicies]
Supports a maximum length of array indicies
Supports a maximum length of variable values
Supports a maximum depth of arrays

Allows only a configureable number of uploaded files
Supports verification of uploaded files through an external script
Supports automatic banning of uploaded ELF executables
Supports automatic banning of uploaded binary files
Supports automatic stripping of binary content in uploaded files
Configureable action on violation

just block violating variables
send HTTP response code
redirect the browser
execute another PHP script

Logging Features

Supports multiple log devices (syslog, SAPI module error log, external logging script)
Supports freely configureable syslog facility and priority
Supports log device separated selection of alert types to log
Alerts contain filename and linenumber that triggered it
Alerts contain the IP address of the user triggering it
The IP Address can also be extracted from X-Forwarded-For HTTP headers (f.e. for reverse proxy setups)

0 Responses

Post a Comment

About Me

Labels

Blog Archive

Nine Tail's Blog

LinkedIn

Viewer's

Search

Followers