Suhosin - advanced protection system for PHP


sQuo

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

 

 

Unlike the PHP Hardening-Patch, Suhosin is binary compatible with normal PHP installations, which means it is compatible with 3rd-party binary extensions like ZendOptimizer.

 


Feature List

Engine Protection (only with patch)
  Protects the internal memory manager against buffer overflows with Canary and SafeUnlink Protection
  Protects Destructors of Zend Hashtables
  Protects Destructors of Zend Linked-Lists
  Protects the PHP core and extensions against format string vulnerabilities
  Protects against errors in certain libc realpath() implementations

Misc Features
  Protection Simulation mode
  Adds the functions sha256() and sha256_file() to the PHP core
  Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  Transparent protection of open phpinfo() pages
  EXPERIMENTAL SQL database user protection

Runtime Protection
  Transparent Cookie Encryption
  Protects against different kinds of (Remote-)Include Vulnerabilities
    disallows Remote URL inclusion (optional: black-/whitelisting)
    disallows inclusion of uploaded files
    optionally stops directory traversal attacks
  Allows disabling the preg_replace() /e modifier
  Allows disabling eval()
  Protects against infinite recursion through a configurable maximum execution depth
  Supports per Virtual Host / Directory configurable function black- and whitelists
  Supports a separated function black- and whitelist for evaluated code
  Protects against HTTP Response Splitting Vulnerabilities
  Protects against scripts manipulating the memory_limit
  Protects PHP's superglobals against extract() and import_request_vars()
  Adds protection against newline attacks to mail()
  Adds protection against \0 attack on preg_replace()

Session Protection
  Transparent encryption of session data
  Transparent session hijacking protection
  Protection against overlong session identifiers
  Protection against malicious chars in session identifiers

Filtering Features
  Filters ASCIIZ characters from user input
  Ignores GET, POST, COOKIE variables with the following names:
    GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST,
    _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS,
    HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES,
    HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  Allows enforcing limits on REQUEST variables or separated by type (GET, POST, COOKIE)
    Supports a number of variables per request limit
    Supports a maximum length of variable names [with and without indices]
    Supports a maximum length of array indices
    Supports a maximum length of variable values
    Supports a maximum depth of arrays
  Allows only a configurable number of uploaded files
  Supports verification of uploaded files through an external script
  Supports automatic banning of uploaded ELF executables
  Supports automatic banning of uploaded binary files
  Supports automatic stripping of binary content in uploaded files
  Configurable action on violation
    just block violating variables
    send HTTP response code
    redirect the browser
    execute another PHP script

Logging Features
  Supports multiple log devices (syslog, SAPI module error log, external logging script)
  Supports freely configurable syslog facility and priority
  Supports log device separated selection of alert types to log
  Alerts contain filename and line number that triggered it
  Alerts contain the IP address of the user triggering it
  The IP address can also be extracted from X-Forwarded-For HTTP headers (e.g. for reverse proxy setups)
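As an added example (not part of the original post and not a file shipped with Suhosin), the php.ini fragment below maps the runtime, session, filtering and logging features listed above onto Suhosin's configuration directives. The directive names follow the Suhosin documentation; the numeric limits, the secrets and the paths are illustrative choices made here and marked as placeholders, not project defaults, so check each value against the documentation for the installed Suhosin version.

```ini
; Added example (not from the original post or the Suhosin distribution):
; php.ini directives for the features listed above. Values, secrets and
; paths are illustrative choices, not Suhosin defaults.

; Misc: set to On first to log violations without blocking them, then Off.
suhosin.simulation = Off

; Runtime protection
suhosin.executor.include.whitelist =              ; no remote URL prefix allowed
suhosin.executor.include.allow_writable_files = Off ; also refuse files writable by PHP
suhosin.executor.include.max_traversal = 4        ; block paths with more than 4 "../"
suhosin.executor.disable_emodifier = On           ; forbid the preg_replace() /e modifier
suhosin.executor.disable_eval = Off               ; keep eval(), restricted by the list below
suhosin.executor.eval.blacklist = include,include_once,require,require_once
suhosin.executor.func.blacklist = passthru,shell_exec,system
suhosin.executor.max_depth = 500                  ; maximum execution depth (recursion)
suhosin.multiheader = Off                         ; one header per header() call
suhosin.memory_limit = 128M                       ; scripts cannot raise memory_limit past this
suhosin.mail.protect = 2                          ; 2 = reject newlines in mail() headers

; Cookie and session protection
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = REPLACE-WITH-RANDOM-SECRET-1       ; placeholder
suhosin.session.encrypt = On
suhosin.session.cryptkey = REPLACE-WITH-RANDOM-SECRET-2      ; placeholder, distinct key
suhosin.session.cryptua = On                      ; bind the session to the User-Agent
suhosin.session.max_id_length = 128               ; reject overlong session identifiers

; Filtering: per-request variable limits and upload checks
suhosin.request.max_vars = 200
suhosin.get.max_vars = 100
suhosin.post.max_vars = 200
suhosin.cookie.max_vars = 50
suhosin.request.max_varname_length = 64
suhosin.request.max_array_index_length = 64
suhosin.request.max_value_length = 65000
suhosin.request.max_array_depth = 50
suhosin.upload.max_uploads = 5
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off              ; Off because image uploads are binary
suhosin.upload.verification_script = /usr/local/etc/check-upload.sh  ; placeholder path
suhosin.filter.action = 403                       ; send HTTP 403 on a violation

; Logging: 511 is the bitmask selecting every alert type
suhosin.log.syslog = 511
suhosin.log.syslog.facility = 4                   ; facility/priority numbers: check docs for your platform
suhosin.log.syslog.priority = 1
suhosin.log.sapi = 511                            ; also write to the SAPI error log
suhosin.log.use-x-forwarded-for = On              ; only behind a trusted reverse proxy
```

Run with suhosin.simulation = On until the syslog or SAPI log shows no violations from legitimate traffic, then switch it Off so the limits are enforced.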

 

 
