These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.
PHP’s safety net
PHP since php/fi
Open Source (github.com/till)
A BOOK ON
BY STEFAN ESSER
• up until PHP 5.1.6 (Not binary-compatible.)
• engine protection (buffer overflows, format string attacks)
• runtime protection (remote include exploits, function black- and whitelists, ...)
• filters (filtering input, request vars, limits, upload file protection)
• logging with alerts (where, when) to syslog, error_log, external scripts
• configuration (global and user-specific)
WHAT IS SUHOSIN
• A patch (engine protection)
• A PHP extension (runtime, filters, logging, configuration)
• Use one, or both!
• For PHP up to 5.3.9
• Compatible with 3rd-party extensions!
All steps are available online.
• Requires “root”.
• Patch if you build your own PHP. (run make test)
• Extension installs like any other. (but without pecl)
• Not a PHP-only problem! (Yay node.js, yay Java!)
• Overload/crash any server by making it process 1000s of entries in a list.
• Try $_POST or $_REQUEST! (Works up to PHP 5.3.8)
• PHP 5.3.9 was released to “fix” HASH DOS.
• New directive max_input_vars!
• New vulnerability in max_input_vars!
• All backports are vulnerable.
• PHP 5.3.10?
Fool me once, don’t fool me twice.
LIFE COULD BE EASY
Suhosin fixed HASH DOS a long time ago.
Four conﬁguration settings is all it takes.
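The HASH DOS slides above say that PHP 5.3.9 added max_input_vars and that Suhosin needed only four configuration settings to cap the number of request variables. The script below is an added example, not code from the talk or from Suhosin itself: it renders a php.ini fragment with those limits and audits the running PHP build against them, so a deploy check can flag a server that is still unprotected. It assumes the "four settings" are Suhosin's suhosin.get.max_vars, suhosin.post.max_vars, suhosin.request.max_vars and suhosin.cookie.max_vars; the numeric limits are illustrative choices, and suhosin.simulation is the testing switch the slides mention.

```php
<?php
// Added example (not from the talk, not Suhosin's own code): audit a PHP
// installation for the HASH DOS mitigations discussed in the slides, i.e.
// PHP 5.3.9's max_input_vars and Suhosin's per-source variable limits.
// Assumption: the "four configuration settings" are suhosin.get.max_vars,
// suhosin.post.max_vars, suhosin.request.max_vars and suhosin.cookie.max_vars.
// The numeric limits below are illustrative, not values from the talk.
// Run from the command line: php hashdos-audit.php

/** Directive => upper bound a hardened php.ini should not exceed (illustrative values). */
function recommendedLimits()
{
    return array(
        'max_input_vars'           => 1000, // PHP >= 5.3.9 core directive
        'suhosin.get.max_vars'     => 100,  // Suhosin: query string
        'suhosin.post.max_vars'    => 1000, // Suhosin: POST body
        'suhosin.request.max_vars' => 1000, // Suhosin: all sources combined
        'suhosin.cookie.max_vars'  => 100,  // Suhosin: cookies
    );
}

/** Render the limits as a php.ini fragment so audit and deployed config share one source. */
function renderIniFragment(array $limits, $simulation = false)
{
    $lines = array();
    foreach ($limits as $directive => $max) {
        $lines[] = $directive . ' = ' . $max;
    }
    // suhosin.simulation (from the slides) logs violations instead of blocking them:
    // switch it on while testing an application, off in production.
    $lines[] = 'suhosin.simulation = ' . ($simulation ? 'On' : 'Off');
    return implode("\n", $lines) . "\n";
}

/** Compare the running configuration against $limits; returns a list of findings. */
function auditRunningConfig(array $limits)
{
    $findings   = array();
    $hasSuhosin = extension_loaded('suhosin');
    $hasCoreFix = version_compare(PHP_VERSION, '5.3.9', '>=');

    if (!$hasSuhosin && !$hasCoreFix) {
        $findings[] = 'PHP ' . PHP_VERSION . ' without Suhosin: request variable count is unlimited';
    }

    foreach ($limits as $directive => $max) {
        $isSuhosinDirective = strpos($directive, 'suhosin.') === 0;
        if ($isSuhosinDirective && !$hasSuhosin) {
            continue; // directive cannot exist without the extension
        }
        if (!$isSuhosinDirective && !$hasCoreFix) {
            continue; // max_input_vars only exists from 5.3.9 on
        }
        $value = ini_get($directive); // false if unknown, "" if unset
        if ($value === false || $value === '') {
            $findings[] = $directive . ': not reported by ini_get()';
        } elseif ((int) $value > $max) {
            $findings[] = $directive . ' = ' . $value . ' exceeds the recommended ' . $max;
        }
    }

    // "0" is falsy in PHP, so this only fires when simulation mode is really on.
    if ($hasSuhosin && ini_get('suhosin.simulation')) {
        $findings[] = 'suhosin.simulation is on: violations are logged but not blocked';
    }
    return $findings;
}

// Entry point when run directly from the CLI; functions stay reusable when included.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $limits = recommendedLimits();
    echo "Recommended php.ini fragment:\n", renderIniFragment($limits), "\n";
    $findings = auditRunningConfig($limits);
    if (!$findings) {
        echo "OK: running configuration is within the recommended limits\n";
        exit(0);
    }
    foreach ($findings as $finding) {
        echo 'WARNING: ' . $finding . "\n";
    }
    exit(1);
}
```

The non-zero exit status lets a build or deploy pipeline fail when a box ships without either mitigation, which is the check the "please update your PHP" advice at the end of the talk implies; the audit deliberately treats a PHP older than 5.3.9 with no Suhosin extension as the worst case rather than looking only at individual directives.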
• Suhosin offers plenty of work-arounds
• “Quick-fixes” to current issues
• Test your application with suhosin.simulation
• More maintenance. (Patching PHP sucks. Building custom extensions also – kind of.)
• Probably performance. (There is an 8% hit if you do lots of recursive function calls, but probably less in your application.)
• Lots of drama.
• Please (, please, please) update your PHP.
• Run your test suite against release candidates and betas.
• Report bugs, and send patches.