The end of Suhosin; what is next?
Sok éven át, Buzgón használtam Suhosin a PHP5 bármely implementációjával Apache2 vagy PHP-FPM Nginx webszervereken az SQL-injektálás és más gyakori webes támadások elleni védelem érdekében. Valójában, A PHP5 annyira katasztrofális volt, mind az alapvető biztonság szempontjából, és olyan funkciói és moduljai, amelyeket soha nem tudtam volna elképzelni a Suhosin által biztosított jelentős keményítés nélkül.
Mivel a PHP5 leértékelődik, és a régi programjaim mind eltűntek, A PHP7 több implementációja maradt, és nincs elérhető Suhosin javítás.
Bár, technikailag még mindig lehetséges a Suhosin hozzáadása a PHP-hez 7.0 and 7.1 (pre-alpha – nem gyártásra), nyugodtan kijelenthetjük, hogy a projekt már régen eltűnt, és a PHP7 már bebizonyította, hogy zavaró lehet mintha az elődje lenne. Mivel a WAF új kiegészítésére és a PHP7 alapvető biztonságára gondolok, ezek azok a megoldások, amelyekkel jöttem:
Disabling Bad or Unnecessary Functions
There are many risky functions built inside the PHP that are potentially dangerous and should be disabled inside ‘php.ini’ by default. You can find the config file using the below command and disable the functions via vi or nano.
php -i | grep "php.ini"PLEASE NOTE: If you are running various versions of PHP simultaneously or the program is installed as part of another third-party application, then the chances are high that you have multiple ‘php.ini’ installed and it is not clear which one is loaded by the webserver. Make sure that you are editing the correct version (php -v).
Add the below line at the end of ‘php.ini’ file, make sure that you saved the file, and restart the webserver. You can learn about each of these PHP functions at this address. As a measured action, you may want to add them one by one to make sure that it does not negatively affect your applications.
disable_functions = popen, eval, leak, exec, shell_exec, curl_exec, curl_multi_exec, parse_ini_file, mysql_connect, system, phpinfo, escapeshellarg, escapeshellcmd, passthru, symlink, show_source, mail, sendmail, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuidDisabling Register Globals and Base64
Register Global is a function by PHP that allows input arrays to the URL to be converted to variable inside your code. Therefore, any potentially vulnerable code can be exploited by an attacker who can pass malicious arrays using HTTP GET or POST requests.
Register Globals can be easily disabled by adding the below line at the end of ‘php.ini’. Do not forget to restart the webserver to execute the changes.
register_globals = OffJust like Register Globals, Base64 is another often unnecessary feature that open the door into malicious back-doors. You can disable Base64 decoder permanently by adding the below line to the end of ‘php.ini’.
base64_decode = OffPost Disclaimer
The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or the organizations with which he is affiliated.
The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi and while he strives to keep the information current and accurate, he does not make any representations or warranties of any kind, express or implied, regarding the completeness, accuracy, reliability, suitability or availability of the website. Farhad makes no representations or warranties. or any information, products or related graphics contained in any Post for any purpose.
Also, AI may be employed as a tool to provide suggestions and improve some of the contents or sentences. The ideas, thoughts, opinions, and final products are original and human-made by the author.