Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SUHOSIN - PHP's safety net

Till Klampaeckel
February 08, 2012
Programming
2
310

SUHOSIN - PHP's safety net

These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.

Till Klampaeckel

February 08, 2012
Tweet

More Decks by Till Klampaeckel

See All by Till Klampaeckel
Using & Extending Composer
till
6
690
Extending Composer
till
2
790
Jimdo Tech Talk: The evolution of deployment
till
0
93
Managing remote teams
till
4
220
EasyBib & Cloudant
till
1
570
Collecting Metrics
till
3
540
nano
till
1
310

Other Decks in Programming

See All in Programming
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
360
元気予報
suu_mire0726
0
860
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
120
코틀린으로 멀티플랫폼 만들기
pangmoo
0
120
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
490
puregoの活用例
aethiopicuschan
0
220
甘い香りに誘われてVanilla Extractを1年間運用してみた
miyahkun
1
110
スクラムガイドのスプリントレトロスペクティブを改めて読みかえしてみた / Re-reading the Sprint Retrospective Section in the Scrum Guide
mackey0225
3
330
ゆるい個人開発のススメ
kuroppe1819
10
950
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
250
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
1
3.4k
Unsuck your backbone
ammeep
662
57k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
The Pragmatic Product Professional
lauravandoore
24
5.8k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
Embracing the Ebb and Flow
colly
79
4.1k
Faster Mobile Websites
deanohume
297
30k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
273
13k
Documentation Writing (for coders)
carmenintech
59
3.9k
Designing Experiences People Love
moore
136
23k

Transcript

  1. 수호신

  2. SUHOSIN PHP’s safety net

  3. Till Klampäckel PHP since php/fi EasyBib.com Open Source (github.com/till)

  4. A BOOK ON COUCHDB http://www.couchdb-book.com

  5. • up until PHP 5.1.6 (Not binary-compatible.) • engine protection

    (buffer overflows, format string attacks) • runtime protection (remote include exploits, function black- and whitelists, ...) • filters (filtering input, request vars, limits, upload file protection) • logging with alerts (where, when) to syslog, error_log, external scripts •configuration (global and user-specific) HARDENING-PATCH BY STEFAN ESSER

  6. •A patch (engine protection) •A PHP extension (runtime, filters, logging,

    configuration) •Use one, or both! •For PHP up to 5.3.9 •Compatible with 3rd-party-extension! WHAT IS SUHOSIN

  7. SETUP All steps are available online. http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html • Requires “root”.

    • Patch if you build your own PHP. (run make test) • Extension installs like any other. (but without pecl)

  8. • Not a PHP-only problem! (Yay node.js, yay Java!) •

    CVE-2011-4885 • Overload/crash any server by making it process 1000s of entries in a list. • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8) HASH DOS

  9. UPDATE? • PHP 5.3.9 was released to “fix” HASH DOS.

    • New directive max_input_vars! • Profit?

  10. PHP 5.3.9 • New vulnerability in max_input_vars! • All backports

    are vulnerable. • PHP 5.3.10?

  11. MAYBE. :) Fool me once, don’t fool me twice.

  12. LIFE COULD BE EASY Suhosin fixed HASH DOS a long

    time ago. suhosin.post.max_vars suhosin.request.max_vars suhosin.post.max_value_length suhosin.request.max_value_length Four configuration settings is all it takes.

  13. SUMMARY? • Suhosin offers plenty of work-arounds • “Quick-fixes” to

    current issues • Prevention • Test your application with suhosin.simulation

  14. DRAWBACKS • More maintenance. (Patching PHP sucks. Building custom extensions

    also – kind of.) • Probably performance. (There is a 8% hit if you do lots of recursive function calls, but probably less in your application.) • Lots of drama.

  15. BUT WAIT • Please (, please, please) update your PHP.

    • Run your test suite against release candidates and betas. • Report bugs, and send patches. • Contribute.

  16. FIN http://till.klampaeckel.de/blog @klimpong