PHP hardening patch - Suhosin
Posted by simonw on Fri 16 Feb 2007 at 08:51
PHP has a notorious security history, but web hosts have to provide it. Suhosin is a security patch that can be applied to change behaviour of the default PHP install in security related ways, and is now packaged in Debian Etch and Sid, with some of it built into the default PHP builds, and some available as an extra.
To install and test;
Create a PHP file somewhere on your website with this in, and view it with Apache to see your PHP config.
<?php phpinfo(); ?>;
When viewed the page should claim that Suhosin is included, but Suhosin directives in the PHP5 ini files will have no effect.
apt-get install php5-suhosin
I assume people have PHP5 installed by now!
Viewing the PHP info page should now have a whole section to "Suhosin" showing the value of settings like "suhosin.mail.protect".
As a quick test it is working, we disable phpinfo;
echo suhosin.executor.func.blacklist="phpinfo" >>/etc/php5/conf.d/suhosin.ini /etc/init.d/apache2 restart
Reloading the phpinfo page, should now be blank, and an error logged something list this one;
[Wed Feb 14 13:30:08 2007] [error] [client ip.ad.dr.es] ALERT - function within blacklist called: phpinfo() (attacker 'ip.ad.dr.es', file '/home/gardens/phpinfo.php', line 2)
Of course one can blacklist functions in PHP without Suhosin, the interest is more in the features like the mail function protection.
This note was written as I couldn't find an introduction, the author is not an expert in PHP security!