
SUHOSIN - PHP's safety net


These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.


Till Klampaeckel

February 08, 2012



  1. 수호신 (Korean for “guardian spirit”)

  2. SUHOSIN – PHP’s safety net

  3. Till Klampäckel
     • PHP since php/fi
     • EasyBib.com
     • Open Source (github.com/till)

  4. A BOOK ON COUCHDB http://www.couchdb-book.com

  5. HARDENING-PATCH BY STEFAN ESSER
     • up until PHP 5.1.6 (not binary-compatible)
     • engine protection (buffer overflows, format string attacks)
     • runtime protection (remote include exploits, function black- and whitelists, ...)
     • filters (filtering input, request vars, limits, upload file protection)
     • logging with alerts (where, when) to syslog, error_log, external scripts
     • configuration (global and user-specific)
  6. WHAT IS SUHOSIN
     • A patch (engine protection)
     • A PHP extension (runtime, filters, logging, configuration)
     • Use one, or both!
     • For PHP up to 5.3.9
     • Compatible with 3rd-party extensions!
  7. SETUP
     All steps are available online: http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html
     • Requires “root”.
     • Patch if you build your own PHP. (run make test)
     • Extension installs like any other. (but without pecl)
  8. HASH DOS
     • Not a PHP-only problem! (Yay node.js, yay Java!)
     • CVE-2011-4885
     • Overload/crash any server by making it process 1000s of entries in a list.
     • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8)
  9. UPDATE?
     • PHP 5.3.9 was released to “fix” HASH DOS.
     • New directive max_input_vars!
     • Profit?
  10. PHP 5.3.9
     • New vulnerability in max_input_vars!
     • All backports are vulnerable.
     • PHP 5.3.10?
  11. MAYBE. :) Fool me once, don’t fool me twice.

  12. LIFE COULD BE EASY
     Suhosin fixed HASH DOS a long time ago.
     • suhosin.post.max_vars
     • suhosin.request.max_vars
     • suhosin.post.max_value_length
     • suhosin.request.max_value_length
     Four configuration settings are all it takes.
  13. SUMMARY?
     • Suhosin offers plenty of work-arounds
     • “Quick-fixes” to current issues
     • Prevention
     • Test your application with suhosin.simulation
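The four suhosin.* directives from slide 12 and the suhosin.simulation switch from slide 13 only help if they are actually in effect on the server. The script below is an added example (not from the talk or the Suhosin project) that audits the running PHP configuration for those limits and falls back to the stock max_input_vars directive when the extension is absent. The numeric ceilings (1000 variables, 65000 bytes) and the reading of a 0 value as “unlimited” are assumptions chosen for illustration, not values the slides recommend.

```php
<?php
declare(strict_types=1);

/**
 * Compare each directive against an assumed maximum acceptable value.
 * $get is a callable with ini_get()'s contract (returns false when unknown).
 * Returns a list of findings; an empty list means every limit is in place.
 */
function auditRequestLimits(array $limits, callable $get): array
{
    $findings = [];
    foreach ($limits as $directive => $max) {
        $value = $get($directive);
        if ($value === false || $value === '') {
            $findings[] = "$directive is not set";
            continue;
        }
        $n = (int) $value;
        // Assumption: 0 means "no limit" for these directives, which
        // would leave the request-variable count unbounded.
        if ($n <= 0 || $n > $max) {
            $findings[] = "$directive=$value exceeds assumed ceiling of $max";
        }
    }
    return $findings;
}

// Assumed ceilings for the four directives named on slide 12.
$limits = [
    'suhosin.post.max_vars'            => 1000,
    'suhosin.request.max_vars'         => 1000,
    'suhosin.post.max_value_length'    => 65000,
    'suhosin.request.max_value_length' => 65000,
];

if (!extension_loaded('suhosin')) {
    // Without the extension the only cap is PHP 5.3.9's own directive.
    fwrite(STDERR, "suhosin not loaded; checking max_input_vars only\n");
    $limits = ['max_input_vars' => 1000];
}

$findings = auditRequestLimits($limits, 'ini_get');

// In simulation mode Suhosin logs violations but does not block them,
// so a passing limit check is not yet an enforced one.
if (filter_var((string) ini_get('suhosin.simulation'), FILTER_VALIDATE_BOOLEAN)) {
    $findings[] = 'suhosin.simulation is on: violations are logged, not blocked';
}

foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
exit($findings === [] ? 0 : 1);
```

Run it with the same php binary and php.ini that serve the application (for example `php -c /path/to/php.ini audit.php`), since CLI and web SAPIs often load different configuration; a non-zero exit status flags a missing or disabled limit.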
  14. DRAWBACKS
     • More maintenance. (Patching PHP sucks. Building custom extensions also – kind of.)
     • Probably performance. (There is an 8% hit if you do lots of recursive function calls, but probably less in your application.)
     • Lots of drama.
  15. BUT WAIT
     • Please (, please, please) update your PHP.
     • Run your test suite against release candidates and betas.
     • Report bugs, and send patches.
     • Contribute.
  16. FIN
     http://till.klampaeckel.de/blog
     @klimpong