The End of Suhosin; What Next?
For many years I happily used Suhosin with PHP5 installations on Apache2 or PHP-FPM/Nginx webservers to protect against SQL injection and other web attacks. Frankly, PHP5 was so disastrous, both in its security and in its functions and modules, that I would never have conceived of using it without the hardening that Suhosin provided.
As PHP5 is deprecated and my legacy programs are all gone, I am left with a few PHP7 installations and no Suhosin patches.
Although it is still technically possible to add Suhosin to PHP 7.0 and 7.1 (pre-alpha, not recommended), it is fair to say that the project has long been abandoned and PHP7 has already proved that it can have problems as serious as its predecessor. Since I am thinking about new additions to the WAF and to the security of PHP7, here are a few remedies I came up with:
Disabling Dangerous or Insecure Functions
PHP ships with a number of functions that are dangerous on a web server and should be disabled in 'php.ini'. You can locate the loaded config file with the following command and then disable the functions with vi or nano.
php -i | grep "php.ini"
Please note: if you run multiple versions of PHP side by side, or PHP was installed as part of a third-party application, there may be several 'php.ini' files on the system and it will not be obvious which one the webserver loads. `php -i` (or `php --ini`) reports the file used by the command-line binary, which is not necessarily the one read by php-fpm or mod_php; Debian-style layouts, for example, keep separate cli/, fpm/ and apache2/ copies of php.ini. Confirm the version (`php -v`) and, if in doubt, check the "Loaded Configuration File" entry of a temporary phpinfo() page served through the webserver before you disable phpinfo itself.
Add the following line to the end of the 'php.ini' file, save it, and restart the webserver (or php-fpm). If the file already contains a disable_functions line, extend that line instead of adding a second one: PHP keeps only the last value of a repeated directive. The directive is system-level, so it cannot be undone with ini_set() at runtime. You can look up each of these functions in the PHP manual. As a precaution, you may want to add them one at a time to make sure nothing breaks in your application; curl_exec, mail and parse_ini_file in particular are used by ordinary applications. A few caveats on the list: eval is a language construct rather than a function, so disable_functions cannot switch it off; mysql_connect no longer exists in PHP 7 (ext/mysql was removed in 7.0) and sendmail is not a PHP function, so those names are harmless but do nothing; escapeshellarg and escapeshellcmd execute nothing themselves, they are the escaping helpers, and disabling them is only sensible once every exec-style function is disabled as well.
disable_functions = popen, eval, leak, exec, shell_exec, curl_exec, curl_multi_exec, parse_ini_file, mysql_connect, system, phpinfo, escapeshellarg, escapeshellcmd, passthru, symlink, show_source, mail, sendmail, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid
Disabling Register Globals and base64_decode
Register globals was a PHP feature that turned request parameters (GET, POST and cookie values) directly into variables in your code. Consequently, sloppy code could be exploited by an attacker who injected malicious values through HTTP GET or POST requests. The feature has been off by default since PHP 4.2 and was removed entirely in PHP 5.4, so it does not exist in PHP 7.
On a PHP 5.3 or earlier installation, register globals is disabled by adding the following line to the end of 'php.ini' and restarting the webserver. On PHP 7 the directive is simply ignored, so the line is harmless but unnecessary; the real check is that your code never relies on undeclared request variables.
register_globals = Off
Like register globals, base64_decode is a frequent ingredient of malicious back-doors: obfuscated webshells typically hide their payload in Base64 and run something like eval(base64_decode('...')). Unlike register_globals, however, base64_decode is a function and not an ini directive, so a line such as 'base64_decode = Off' is not valid php.ini syntax and has no effect. The only supported way to switch it off is to add it to the disable_functions list, appended to the existing line rather than on a new one (a second disable_functions line would override the first). Be aware that legitimate libraries also use base64_decode (data URIs, tokens, mail attachments), so test the application before relying on this.
disable_functions = popen, eval, leak, exec, shell_exec, curl_exec, curl_multi_exec, parse_ini_file, mysql_connect, system, phpinfo, escapeshellarg, escapeshellcmd, passthru, symlink, show_source, mail, sendmail, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, base64_decode
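The following script is an added example, not the author's tooling, that audits a php.ini fragment for the three settings discussed in both sections above: it checks that the exec-style and information-disclosure functions are present in disable_functions, flags the names in the list that disable_functions cannot act on, and reports 'register_globals' and 'base64_decode' as directives PHP 7 does not honour, emitting a single corrected disable_functions line. The ini text is constructed for the example; the PHP function and directive names are real.

```python
"""Audit a php.ini fragment for the PHP 7 hardening discussed above.

Added example, not the author's script. It parses `key = value` lines,
checks disable_functions, and flags the two directives that PHP 7 does not
honour. The sample ini text below is constructed for the example; the PHP
function and directive names are real.
"""

# Constructed php.ini fragment containing the post's three additions verbatim.
SAMPLE_INI = """
; php.ini fragment (constructed for this example)
expose_php = Off
disable_functions = popen, eval, leak, exec, shell_exec, curl_exec, curl_multi_exec, parse_ini_file, mysql_connect, system, phpinfo, escapeshellarg, escapeshellcmd, passthru, symlink, show_source, mail, sendmail, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid
register_globals = Off
base64_decode = Off
"""

# Minimum set a PHP 7 web server should have in disable_functions:
# process execution, process control and information disclosure.
MUST_DISABLE = {
    "exec", "passthru", "shell_exec", "system", "popen", "proc_open",
    "pfsockopen", "phpinfo", "show_source", "symlink", "posix_kill", "posix_setuid",
}

# Names from the post's list that disable_functions cannot act on.
NOT_DISABLEABLE = {
    "eval": "language construct, not a function; disable_functions ignores it",
    "mysql_connect": "ext/mysql was removed in PHP 7.0, the function no longer exists",
    "sendmail": "not a PHP function (mail() is the function, sendmail_path the directive)",
}

# Lines that look like directives but are not valid on PHP 7.
NOT_A_DIRECTIVE = {
    "register_globals": "removed in PHP 5.4, so PHP 7 ignores the line",
    "base64_decode": "a function, not a directive; add it to disable_functions instead",
}


def parse_ini(text):
    """Return {directive: value}; strips ';' comments and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def disabled_functions(settings):
    """Normalise the comma-separated disable_functions value into a set."""
    value = settings.get("disable_functions", "")
    return {f.strip() for f in value.split(",") if f.strip()}


def audit(text):
    """Return a list of findings; empty when the fragment does what it claims."""
    settings = parse_ini(text)
    disabled = disabled_functions(settings)
    findings = []
    for name in sorted(MUST_DISABLE - disabled):
        findings.append("missing from disable_functions: " + name)
    for name in sorted(disabled & set(NOT_DISABLEABLE)):
        findings.append("no effect: %s (%s)" % (name, NOT_DISABLEABLE[name]))
    for name in sorted(set(settings) & set(NOT_A_DIRECTIVE)):
        findings.append("invalid directive: %s (%s)" % (name, NOT_A_DIRECTIVE[name]))
    return findings


def corrected_disabled_set(text):
    """Names that belong in one disable_functions line: the original list
    minus the no-ops, plus MUST_DISABLE, plus base64_decode when the fragment
    tried (and failed) to switch it off as a directive."""
    settings = parse_ini(text)
    names = (disabled_functions(settings) - set(NOT_DISABLEABLE)) | MUST_DISABLE
    if settings.get("base64_decode", "").lower() == "off":
        names.add("base64_decode")
    return names


def corrected_disable_functions(text):
    """Render the corrected line, ready to paste into php.ini."""
    return "disable_functions = " + ", ".join(sorted(corrected_disabled_set(text)))


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
    print(corrected_disable_functions(SAMPLE_INI))
```

Run it against the fragment above and it reports three no-op names and two invalid directives, then prints one disable_functions line with base64_decode folded in; point it at the real file (and the real SAPI's copy of php.ini, not just the CLI's) before restarting the webserver.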
Post Disclaimer
The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or the organizations with which he is affiliated.
The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi and while he strives to keep the information current and accurate, he does not make any representations or warranties of any kind, express or implied, regarding the completeness, accuracy, reliability, suitability or availability of the website or of any information, products or related graphics contained in any post for any purpose.
Also, AI may be employed as a tool to provide suggestions and improve some of the contents or sentences. The ideas, thoughts, opinions, and final products are original and human-made by the author.