Qhov kawg ntawm Suhosin; tom ntej no yog dab tsi?
Tau ntau xyoo, I zealously have used Suhosin with any implementations of PHP5 on Apache2 or PHP-FPM Nginx webservers to defend against SQL injection and other common web attacks. Qhov tseeb, PHP5 tau ua phem heev, ob qho tib si ntawm nws txoj kev ruaj ntseg tseem ceeb, and its functions and modules that I could have never conceived using it without any significant hardening that Suhosin provides.
As PHP5 is depreciated and my legacy programs are all gone, I am left with several implementation of PHP7 and no available Suhosin patches.
Although, it is still technically possible to add Suhosin to PHP 7.0 thiab 7.1 (pre-alpha – not for production), it is fair to say that the project has long been gone and PHP7 already proved that it can be troublesome like it was its predecessor. As I am thinking about a new addition to the WAF and core security of PHP7, these are some of the solutions I came with:
Disabling Bad or Unnecessary Functions
There are many risky functions built inside the PHP that are potentially dangerous and should be disabled inside ‘php.ini’ by default. You can find the config file using the below command and disable the functions via vi or nano.
php -i | grep "php.ini"PLEASE NOTE: If you are running various versions of PHP simultaneously or the program is installed as part of another third-party application, then the chances are high that you have multiple ‘php.ini’ installed and it is not clear which one is loaded by the webserver. Make sure that you are editing the correct version (php -v).
Add the below line at the end of ‘php.ini’ file, make sure that you saved the file, and restart the webserver. You can learn about each of these PHP functions at this address. As a measured action, you may want to add them one by one to make sure that it does not negatively affect your applications.
disable_functions = popen, eval, leak, exec, shell_exec, curl_exec, curl_multi_exec, parse_ini_file, mysql_connect, system, phpinfo, escapeshellarg, escapeshellcmd, passthru, symlink, show_source, mail, sendmail, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuidDisabling Register Globals and Base64
Register Global is a function by PHP that allows input arrays to the URL to be converted to variable inside your code. Therefore, any potentially vulnerable code can be exploited by an attacker who can pass malicious arrays using HTTP GET or POST requests.
Register Globals can be easily disabled by adding the below line at the end of ‘php.ini’. Do not forget to restart the webserver to execute the changes.
register_globals = OffJust like Register Globals, Base64 is another often unnecessary feature that open the door into malicious back-doors. You can disable Base64 decoder permanently by adding the below line to the end of ‘php.ini’.
base64_decode = OffNcej tsis lees paub
Cov Kev Pom, lus qhia, lossis cov kev xav tau hais yog cov uas sau tseg yog ib leeg xwb ntawm tus kws sau thiab tsis tas sawv cev cov chaw uas nws ua haujlwm lossis cov koomhaum uas nws muaj feem koom nrog.
Cov ntaub ntawv muaj nyob hauv cov ncej no yog rau cov ntaub ntawv dav dav nkaus xwb. Cov ntaub ntawv tau muab los ntawm Farhad Mofidi thiab thaum nws sib zog ua kom cov ntaub ntawv tam sim no thiab raug, nws tsis ua ib qho kev sawv cev lossis kev lav tsis tau ntawm ib yam, nthuav qhia lossis implied, hais txog qhov ua tiav, kev ua yog, kev ntseeg tau, Haum lossis muaj lub vev xaib. Farhaad ua rau tsis muaj kev sawv cev lossis kev lav ris. lossis cov ntaub ntawv, cov khoom lag luam lossis cov duab muaj feem cuam muaj nyob hauv txhua qhov kev ncua rau ib lub hom phiaj.
Kuj, AI tuaj yeem ua haujlwm ua cov cuab yeej los muab cov lus qhia thiab txhim kho qee cov ntsiab lus lossis kab lus. Cov tswv yim, kev xav txog, kev xav, thiab cov khoom kawg yog cov thawj thiab tib neeg-ua los ntawm tus sau.