SUHOSIN - PHP's safety net

These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.


Till Klampaeckel

February 08, 2012

  2. SUHOSIN: PHP’s safety net

  3. Till Klampäckel
     • PHP since php/fi
     • EasyBib.com
     • Open Source (github.com/till)

  5. HARDENING-PATCH BY STEFAN ESSER
     • up until PHP 5.1.6 (Not binary-compatible.)
     • engine protection (buffer overflows, format string attacks)
     • runtime protection (remote include exploits, function black- and whitelists, ...)
     • filters (filtering input, request vars, limits, upload file protection)
     • logging with alerts (where, when) to syslog, error_log, external scripts
     • configuration (global and user-specific)
  6. WHAT IS SUHOSIN
     • A patch (engine protection)
     • A PHP extension (runtime, filters, logging, configuration)
     • Use one, or both!
     • For PHP up to 5.3.9
     • Compatible with 3rd-party extensions!
  7. SETUP
     All steps are available online: http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html
     • Requires “root”.
     • Patch if you build your own PHP. (run make test)
     • Extension installs like any other. (but without pecl)
  8. HASH DOS
     • Not a PHP-only problem! (Yay node.js, yay Java!)
     • CVE-2011-4885
     • Overload/crash any server by making it process 1000s of entries in a list.
     • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8)
  9. UPDATE?
     • PHP 5.3.9 was released to “fix” HASH DOS.
     • New directive max_input_vars!
     • Profit?
  10. PHP 5.3.9
     • New vulnerability in max_input_vars!
     • All backports are vulnerable.
     • PHP 5.3.10?
  11. MAYBE. :)
     Fool me once, don’t fool me twice.

  12. LIFE COULD BE EASY
     Suhosin fixed HASH DOS a long time ago.
     • suhosin.post.max_vars
     • suhosin.request.max_vars
     • suhosin.post.max_value_length
     • suhosin.request.max_value_length
     Four configuration settings is all it takes.
  13. SUMMARY?
     • Suhosin offers plenty of work-arounds
     • “Quick-fixes” to current issues
     • Prevention
     • Test your application with suhosin.simulation
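As an added example (not part of the slides or of the Suhosin project’s documentation), here is a php.ini fragment that puts the four Suhosin settings from slide 12 beside the core max_input_vars directive from slide 9 and enables suhosin.simulation for the test run recommended on slide 13. The numeric limits are illustrative values chosen for this example, not Suhosin’s defaults; tune them to the largest legitimate form your application accepts.

```ini
; Added example configuration, not from the talk. The numeric values
; are illustrative choices for this example, not Suhosin defaults.

; --- PHP 5.3.9+ core mitigation for HASH DOS (CVE-2011-4885) ---
; Stops parsing after this many input variables and emits a warning.
; It limits only the number of variables, not their length.
max_input_vars = 1000

; --- Suhosin extension: the four settings from the slides ---
; Upper bound on the number of variables accepted from a POST body.
suhosin.post.max_vars = 1000
; Upper bound on the number of variables in the whole request.
suhosin.request.max_vars = 1000
; Upper bound on the length of a single POST value, in bytes.
suhosin.post.max_value_length = 65000
; Upper bound on the length of a single request value, in bytes.
suhosin.request.max_value_length = 65000

; --- Roll-out: run in simulation mode first ---
; With simulation on, violations are logged but requests are not blocked.
; Run the test suite, review the log, then set this to Off to enforce.
suhosin.simulation = On
```

Keep suhosin.simulation = On only for the test run: once the log shows no false positives from legitimate traffic, switch it to Off, otherwise the limits above never actually reject anything.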
  14. DRAWBACKS
     • More maintenance. (Patching PHP sucks. Building custom extensions also – kind of.)
     • Probably performance. (There is an 8% hit if you do lots of recursive function calls, but probably less in your application.)
     • Lots of drama.
  15. BUT WAIT
     • Please (, please, please) update your PHP.
     • Run your test suite against release candidates and betas.
     • Report bugs, and send patches.
     • Contribute.
  16. FIN
     http://till.klampaeckel.de/blog
     @klimpong