SUHOSIN - PHP's safety net

Transcript

1. 수호신

2. SUHOSIN PHP’s safety net

3. Till Klampäckel PHP since php/fi EasyBib.com Open Source (github.com/till)

4. A BOOK ON COUCHDB http://www.couchdb-book.com

5. • up until PHP 5.1.6 (Not binary-compatible.) • engine protection

   (buffer overflows, format string attacks) • runtime protection (remote include exploits, function black- and whitelists, ...) • filters (filtering input, request vars, limits, upload file protection) • logging with alerts (where, when) to syslog, error_log, external scripts •configuration (global and user-specific) HARDENING-PATCH BY STEFAN ESSER

6. •A patch (engine protection) •A PHP extension (runtime, filters, logging,

   configuration) •Use one, or both! •For PHP up to 5.3.9 •Compatible with 3rd-party-extension! WHAT IS SUHOSIN

7. SETUP All steps are available online. http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html • Requires “root”.

   • Patch if you build your own PHP. (run make test) • Extension installs like any other. (but without pecl)

8. • Not a PHP-only problem! (Yay node.js, yay Java!) •

   CVE-2011-4885 • Overload/crash any server by making it process 1000s of entries in a list. • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8) HASH DOS

9. UPDATE? • PHP 5.3.9 was released to “fix” HASH DOS.

   • New directive max_input_vars! • Profit?

10. PHP 5.3.9 • New vulnerability in max_input_vars! • All backports

    are vulnerable. • PHP 5.3.10?

11. MAYBE. :) Fool me once, don’t fool me twice.

12. LIFE COULD BE EASY Suhosin fixed HASH DOS a long

    time ago. suhosin.post.max_vars suhosin.request.max_vars suhosin.post.max_value_length suhosin.request.max_value_length Four configuration settings is all it takes.

13. SUMMARY? • Suhosin offers plenty of work-arounds • “Quick-fixes” to

    current issues • Prevention • Test your application with suhosin.simulation

14. DRAWBACKS • More maintenance. (Patching PHP sucks. Building custom extensions

    also – kind of.) • Probably performance. (There is a 8% hit if you do lots of recursive function calls, but probably less in your application.) • Lots of drama.

15. BUT WAIT • Please (, please, please) update your PHP.

    • Run your test suite against release candidates and betas. • Report bugs, and send patches. • Contribute.

16. FIN http://till.klampaeckel.de/blog @klimpong