HARDENING-PATCH BY STEFAN ESSER
• Up until PHP 5.1.6 (not binary-compatible).
• Engine protection (buffer overflows, format string attacks).
• Runtime protection (remote include exploits, function black- and whitelists, ...).
• Filters (filtering input, request vars, limits, upload file protection).
• Logging with alerts (where, when) to syslog, error_log, external scripts.
• Configuration (global and user-specific).
WHAT IS SUHOSIN
• A patch (engine protection).
• A PHP extension (runtime, filters, logging, configuration).
• Use one, or both!
• For PHP up to 5.3.9.
• Compatible with 3rd-party extensions!
SETUP
All steps are available online: http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html
• Requires “root”.
• Patch if you build your own PHP (run make test).
• The extension installs like any other (but without pecl).
HASH DOS
• Not a PHP-only problem! (Yay node.js, yay Java!)
• CVE-2011-4885
• Overload/crash any server by making it process 1000s of entries in a list.
• Try $_POST or $_REQUEST! (Works up to PHP 5.3.8)
LIFE COULD BE EASY
Suhosin fixed HASH DOS a long time ago.
suhosin.post.max_vars
suhosin.request.max_vars
suhosin.post.max_value_length
suhosin.request.max_value_length
Four configuration settings are all it takes.
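As an added example (not from the talk or the Suhosin project), the following PHP snippet audits whether the request-variable limits the slide names are actually in effect on a given build, and logs requests that carry an unusual number of input variables. The ceiling and threshold values are assumptions, not Suhosin defaults; `max_input_vars` is the core directive PHP 5.3.9 added for the same purpose, and `ini_get()` returns `false` for it on older builds.

```php
<?php
// Added example: audit hash-DoS input limits and flag oversized requests.
// Ceiling/threshold values are assumptions, not Suhosin or PHP defaults.

function audit_input_limits($ceiling = 1000)
{
    $findings = array();

    if (extension_loaded('suhosin')) {
        foreach (array('suhosin.post.max_vars', 'suhosin.request.max_vars') as $directive) {
            $value = ini_get($directive);
            if ($value === false || $value === '' || (int) $value > $ceiling) {
                $findings[] = "$directive is " . var_export($value, true)
                    . ", expected <= $ceiling";
            }
        }
    } else {
        $findings[] = 'Suhosin extension not loaded';
    }

    // PHP >= 5.3.9 ships its own limit; ini_get() returns false on older builds.
    $core = ini_get('max_input_vars');
    if ($core === false) {
        $findings[] = 'max_input_vars unavailable (PHP < 5.3.9): rely on Suhosin or upgrade';
    } elseif ((int) $core > $ceiling) {
        $findings[] = "max_input_vars is $core, expected <= $ceiling";
    }

    return $findings;
}

function count_request_vars()
{
    // Nested arrays (a[]=1&a[]=2...) count too; COUNT_RECURSIVE walks into them.
    return count($_GET, COUNT_RECURSIVE)
        + count($_POST, COUNT_RECURSIVE)
        + count($_COOKIE);
}

function log_oversized_request($threshold = 500)
{
    // Caveat: by the time userland code runs, the engine has already parsed and
    // hashed every variable, so this is detection/visibility only, not prevention.
    // The real mitigation is the engine-level limit checked in audit_input_limits().
    $n = count_request_vars();
    if ($n > $threshold) {
        error_log(sprintf('suspicious request: %d input vars from %s to %s',
            $n,
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
            isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-'));
        return true;
    }
    return false;
}

// Typical use: include this once from a front controller or auto_prepend_file.
foreach (audit_input_limits() as $finding) {
    error_log('input-limit audit: ' . $finding);
}
log_oversized_request();
```

Run it once from a front controller or via `auto_prepend_file`; the audit findings land in the PHP error log alongside any oversized-request entries, which is where a monitoring rule can pick them up.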
DRAWBACKS
• More maintenance. (Patching PHP sucks. Building custom extensions also, kind of.)
• Probably performance. (There is an 8% hit if you do lots of recursive function calls, but probably less in your application.)
• Lots of drama.
BUT WAIT
• Please (please, please) update your PHP.
• Run your test suite against release candidates and betas.
• Report bugs, and send patches.
• Contribute.