The end of Suhosin; what is next?

PHP Suhosin

For many years, I have zealously used Suhosin with every PHP5 deployment on Apache2 or PHP-FPM/Nginx webservers to defend against SQL injection and other common web attacks. In fact, PHP5 was so disastrous in terms of its core security, its functions and its modules that I could never have conceived of using it without the significant hardening that Suhosin provides.

As PHP5 is deprecated and my legacy programs are all gone, I am left with several deployments of PHP7 and no available Suhosin patches.

Although it is still technically possible to add Suhosin to PHP 7.0 and 7.1 (pre-alpha, not for production), it is fair to say that the project has long been gone, and PHP7 has already proved that it can be as troublesome as its predecessor. While I consider a new addition to the WAF and the baseline security posture of PHP7, these are some of the remedies I have come up with:

Disabling Dangerous or Unneeded Functions

Many functions built into PHP are genuinely dangerous and should be disabled in ‘php.ini’ by default. You can locate the configuration file with the command below and then disable the functions with vi or nano.

php -i | grep "php.ini"

NOTE: If you are running several PHP versions at the same time, or if PHP was installed as part of another third-party application, it is quite likely that you have multiple ‘php.ini’ files and it is not obvious which one the webserver uses. Make sure you are editing the file for the correct version (php -v).

Add the line below at the end of the ‘php.ini’ file, make sure you have saved the file, and restart the webserver. You can learn about each of these PHP functions at this address. As a precaution, you may want to add them one by one to make sure they do not negatively affect your applications.

disable_functions = popen, eval, leak, exec, shell_exec, curl_exec, curl_multi_exec, parse_ini_file, mysql_connect, system, phpinfo, escapeshellarg, escapeshellcmd, passthru, symlink, show_source, mail, sendmail, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid

Disabling Register Globals and Base64

Register Globals is a PHP feature that converts input arrays from the URL into variables inside your code. Therefore, any potentially vulnerable code can be exploited by an attacker who passes malicious arrays via HTTP GET or POST requests.

Register Globals can easily be disabled by adding the line below at the end of ‘php.ini’. Do not forget to restart the webserver to apply the change.

register_globals = Off

Just like Register Globals, Base64 is another often unnecessary feature that opens the door to malicious backdoors. You can disable the Base64 decoder permanently by adding the line below to the end of ‘php.ini’.

base64_decode = Off

Post Disclaimer
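To check that the php.ini changes above actually took hold, here is an added example audit script (written for this page, not the author's code or part of the original post). It parses a php.ini body, reports which functions from the disable_functions line above are still callable, and flags two pitfalls the procedure runs into on PHP 7: base64_decode is a PHP function rather than an ini directive, so it is only switched off by listing it in disable_functions; and the register_globals directive was removed in PHP 5.4, so on PHP 7 it has no effect. The ini fragment in the script is constructed; the function names come from the post.

```python
"""Audit a php.ini body for the disable_functions hardening described above.

Added example, not the original post's code. SAMPLE_INI is constructed; the
function names in RECOMMENDED_DISABLED are the post's own list.
"""

# The functions the post's disable_functions line removes, plus base64_decode:
# base64_decode is a PHP function, not an ini directive, so the only way to
# switch it off is to list it here rather than writing "base64_decode = Off".
RECOMMENDED_DISABLED = {
    "popen", "eval", "leak", "exec", "shell_exec", "curl_exec", "curl_multi_exec",
    "parse_ini_file", "mysql_connect", "system", "phpinfo", "escapeshellarg",
    "escapeshellcmd", "passthru", "symlink", "show_source", "mail", "sendmail",
    "proc_open", "proc_nice", "proc_terminate", "proc_get_status", "proc_close",
    "pfsockopen", "posix_kill", "posix_mkfifo", "posix_setpgid", "posix_setsid",
    "posix_setuid", "base64_decode",
}

# Directives PHP 7 no longer knows: register_globals was removed in PHP 5.4,
# so setting it in a PHP 7 php.ini changes nothing.
REMOVED_DIRECTIVES = {"register_globals"}

# Constructed sample: a partially hardened php.ini with both pitfalls present.
SAMPLE_INI = """\
; constructed sample, not a real server's php.ini
[PHP]
disable_functions = "popen, exec, shell_exec, system, passthru, proc_open"
register_globals = Off
base64_decode = Off
"""


def parse_php_ini(text):
    """Return {directive: value} for a php.ini body.

    Strips ';' comments and [section] headers and unquotes values. As in PHP,
    a directive that appears twice keeps its last value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"').strip("'")
    return settings


def disabled_functions(settings):
    """The disable_functions list as a set of lowercase function names."""
    raw = settings.get("disable_functions", "")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}


def audit(ini_text, required=RECOMMENDED_DISABLED):
    """Compare an ini body against the recommended list.

    Returns three sorted lists:
      missing               - recommended functions that are still callable
      ineffective           - directives PHP 7 ignores (e.g. register_globals)
      function_as_directive - function names written as ini keys instead of
                              being listed in disable_functions
    """
    settings = parse_php_ini(ini_text)
    disabled = disabled_functions(settings)
    return {
        "missing": sorted(required - disabled),
        "ineffective": sorted(k for k in settings if k in REMOVED_DIRECTIVES),
        "function_as_directive": sorted(k for k in settings if k in required),
    }


def render_disable_functions(required=RECOMMENDED_DISABLED):
    """Build the single disable_functions line to paste into php.ini."""
    return "disable_functions = " + ", ".join(sorted(required))


if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    for heading, names in report.items():
        print(f"{heading}: {', '.join(names) or 'none'}")
    print(render_disable_functions())
```

Run it against the php.ini that `php -i | grep "php.ini"` points to (read the file and pass its contents to `audit`) after restarting the webserver; an empty `missing` list and no entries under `ineffective` or `function_as_directive` means the hardening is in place as intended.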

The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or the organizations with which he is affiliated.

The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi and, while he strives to keep the information current and accurate, he does not make any representations or warranties of any kind, express or implied, regarding the completeness, accuracy, reliability, suitability or availability of the website or of any information, products, or related graphics contained in any Post for any purpose.

Additionally, AI may be used as a tool to provide suggestions and to improve some of the content or sentences. The ideas, opinions and final results are original and were created by the author himself.

 
