Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SUHOSIN - PHP's safety net

Till Klampaeckel
February 08, 2012
Programming
2
310

SUHOSIN - PHP's safety net

These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.

Till Klampaeckel

February 08, 2012
Tweet

More Decks by Till Klampaeckel

See All by Till Klampaeckel
Using & Extending Composer
till
6
750
Extending Composer
till
2
860
Jimdo Tech Talk: The evolution of deployment
till
0
97
Managing remote teams
till
4
220
EasyBib & Cloudant
till
1
580
Collecting Metrics
till
3
540
nano
till
1
330

Other Decks in Programming

See All in Programming
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
Kubernetes for Data Engineers: Building Scalable, Reliable Data Pipelines
sucitw
1
200
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
色々なIaCツールを実際に触って比較してみる
iriikeita
0
270
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
Kotlin2でdataクラスの copyメソッドを禁止する/Data class copy function to have the same visibility as constructor
eichisanden
1
130
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
920
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
0
150
推し活の ハイトラフィックに立ち向かう Railsとアーキテクチャ - Kaigi on Rails 2024
falcon8823
6
2.2k
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
5
3.4k
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
130

Featured

See All Featured
Building Adaptive Systems
keathley
38
2.2k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Fireside Chat
paigeccino
32
3k
Writing Fast Ruby
sferik
626
61k
Unsuck your backbone
ammeep
668
57k
Documentation Writing (for coders)
carmenintech
65
4.4k
Bash Introduction
62gerente
608
210k
Being A Developer After 40
akosma
86
590k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Making the Leap to Tech Lead
cromwellryan
132
8.9k
Done Done
chrislema
181
16k

Transcript

  1. 수호신

  2. SUHOSIN PHP’s safety net

  3. Till Klampäckel PHP since php/fi EasyBib.com Open Source (github.com/till)

  4. A BOOK ON COUCHDB http://www.couchdb-book.com

  5. • up until PHP 5.1.6 (Not binary-compatible.) • engine protection

    (buffer overflows, format string attacks) • runtime protection (remote include exploits, function black- and whitelists, ...) • filters (filtering input, request vars, limits, upload file protection) • logging with alerts (where, when) to syslog, error_log, external scripts •configuration (global and user-specific) HARDENING-PATCH BY STEFAN ESSER

  6. •A patch (engine protection) •A PHP extension (runtime, filters, logging,

    configuration) •Use one, or both! •For PHP up to 5.3.9 •Compatible with 3rd-party-extension! WHAT IS SUHOSIN

  7. SETUP All steps are available online. http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html • Requires “root”.

    • Patch if you build your own PHP. (run make test) • Extension installs like any other. (but without pecl)

  8. • Not a PHP-only problem! (Yay node.js, yay Java!) •

    CVE-2011-4885 • Overload/crash any server by making it process 1000s of entries in a list. • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8) HASH DOS

  9. UPDATE? • PHP 5.3.9 was released to “fix” HASH DOS.

    • New directive max_input_vars! • Profit?

  10. PHP 5.3.9 • New vulnerability in max_input_vars! • All backports

    are vulnerable. • PHP 5.3.10?

  11. MAYBE. :) Fool me once, don’t fool me twice.

  12. LIFE COULD BE EASY Suhosin fixed HASH DOS a long

    time ago. suhosin.post.max_vars suhosin.request.max_vars suhosin.post.max_value_length suhosin.request.max_value_length Four configuration settings is all it takes.

  13. SUMMARY? • Suhosin offers plenty of work-arounds • “Quick-fixes” to

    current issues • Prevention • Test your application with suhosin.simulation

  14. DRAWBACKS • More maintenance. (Patching PHP sucks. Building custom extensions

    also – kind of.) • Probably performance. (There is a 8% hit if you do lots of recursive function calls, but probably less in your application.) • Lots of drama.

  15. BUT WAIT • Please (, please, please) update your PHP.

    • Run your test suite against release candidates and betas. • Report bugs, and send patches. • Contribute.

  16. FIN http://till.klampaeckel.de/blog @klimpong