Thursday, July 28, 2011

"Suhosin" security extension for PHP

SkyHi @ Thursday, July 28, 2011
I encountered the same problem recently. The only solution I've found is to use the (very useful, in my opinion) "Suhosin" security extension for PHP, and set its suhosin.executor.func.blacklist parameter in php.ini, instead of using PHP's disable_functions directive. I have mine set to the following, which I believe covers a lot of the more "dangerous" functions but is by no means exhaustive (I also have dl() disabled with "enable_dl = Off" in php.ini):

suhosin.executor.func.blacklist = apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,escapeshellarg,escapeshellcmd,exec,ini_restore,openlog,passthru,pclose,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,url_exec
This can then be set on a per-virtualhost or per-directory basis, which I did by logging into DA as admin, and under Custom HTTPD Configurations, adding the following to the relevant domain:

# Omit the ... section to apply settings globally in the VirtualHost. I usually copy my settings for the blacklist from php.ini, and then remove any needed functions from it when pasting here, thus permitting them.

php_admin_value suhosin.executor.func.blacklist list-of-functions-to-disable
Suhosin also provides a whitelist option, if you feel like working out which functions your PHP code uses... I know I don't.

OK, I've installed it as an extension and it works perfectly; now I'll try to configure some parameters to augment the quantity of logging.

Thanks a lot for the suggestions.

I've disabled a lot of functions in all directories except one, and enabled them again there with something like this:

<Directory /usr/share/squirrelmail>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    # A whitespace-only value replaces the global list with an empty one for this directory
    php_admin_value suhosin.executor.func.blacklist " "
</Directory>

This way, in the directory /usr/share/squirrelmail I can execute all the code I want, even though in php.ini I've disabled a lot of functions, like:

suhosin.executor.func.blacklist = system, exec, proc_open, proc_close, popen, passthru, shell_exec, dl, show_source, highlight_file, pcntl_exec, ......

Thanks a lot again to all who have helped me solve this problem.
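Because a per-directory `php_admin_value` replaces the global `suhosin.executor.func.blacklist` rather than merging with it, a whitespace-only override like the one above silently re-enables every function in that directory. The following Python audit script is an added example, not code from this thread or from Suhosin: it parses a constructed php.ini fragment and Apache snippet, resolves the effective blacklist per path (assuming the longest matching `<Directory>` prefix wins, as Apache merges sections), and reports where a given function is still callable.

```python
import re
from typing import Dict, List

# Constructed php.ini fragment modelled on the thread (global Suhosin blacklist).
PHP_INI = """
enable_dl = Off
suhosin.executor.func.blacklist = system, exec, proc_open, popen, passthru, shell_exec, dl
"""

# Constructed Apache snippet: one directory narrows the list, another wipes it with " ".
HTTPD_CONF = """
<Directory /var/www/html>
    php_admin_value suhosin.executor.func.blacklist "system,exec,shell_exec"
</Directory>
<Directory /usr/share/squirrelmail>
    php_admin_value suhosin.executor.func.blacklist " "
</Directory>
"""

def parse_list(value: str) -> List[str]:
    """Split a Suhosin function list; a whitespace-only value means nothing is blacklisted."""
    return [f.strip().lower() for f in value.strip().strip('"').split(",") if f.strip()]

def global_blacklist(ini: str) -> List[str]:
    m = re.search(r"^\s*suhosin\.executor\.func\.blacklist\s*=\s*(.*)$", ini, re.M)
    return parse_list(m.group(1)) if m else []

def directory_overrides(conf: str) -> Dict[str, List[str]]:
    """Map each <Directory> path to the blacklist its php_admin_value sets (a full replacement)."""
    out: Dict[str, List[str]] = {}
    for m in re.finditer(r"<Directory\s+(\S+)>(.*?)</Directory>", conf, re.S):
        path, body = m.group(1).rstrip("/"), m.group(2)
        v = re.search(r"php_admin_value\s+suhosin\.executor\.func\.blacklist\s+(.*)", body)
        if v:
            out[path] = parse_list(v.group(1))
    return out

def effective_blacklist(path: str, ini: str = PHP_INI, conf: str = HTTPD_CONF) -> List[str]:
    """Longest-prefix <Directory> match wins; otherwise the php.ini value applies."""
    overrides = directory_overrides(conf)
    matches = [d for d in overrides if path == d or path.startswith(d + "/")]
    return overrides[max(matches, key=len)] if matches else global_blacklist(ini)

def is_blocked(func: str, path: str, ini: str = PHP_INI, conf: str = HTTPD_CONF) -> bool:
    return func.lower() in effective_blacklist(path, ini, conf)

def permitted_in(func: str, ini: str = PHP_INI, conf: str = HTTPD_CONF) -> List[str]:
    """Directories whose override leaves `func` callable: the audit finding to review."""
    return sorted(d for d, bl in directory_overrides(conf).items() if func.lower() not in bl)
```

Run `permitted_in("exec")` against your real php.ini and httpd.conf text to list every directory where the override re-enabled the function.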