<!DOCTYPE html>
<html prefix="og: http://ogp.me/ns# article: http://ogp.me/ns/article#
" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Suhosin Feature List | SUHOSIN</title>
<link href="../assets/css/all-nocdn.css" rel="stylesheet" type="text/css">
<meta name="theme-color" content="#5670d4">
<meta name="generator" content="Nikola (getnikola.com)">
<link rel="canonical" href="https://suhosin.org/stories/feature-list.html">
<link rel="icon" href="../favicon.png" sizes="32x32">
<link rel="icon" href="../favicon_256x256.png" sizes="256x256">
<!--[if lt IE 9]><script src="../assets/js/html5.js"></script><![endif]--><meta name="author" content="SektionEins">
<meta property="og:site_name" content="SUHOSIN">
<meta property="og:title" content="Suhosin Feature List">
<meta property="og:url" content="https://suhosin.org/stories/feature-list.html">
<meta property="og:description" content="Feature List - Suhosin Patch
Engine Protection
Protects the internal memory manager against bufferoverflows with Canary and SafeUnlink Protection
Protects Destructors of Zend Hashtables
Protects Des">
<meta property="og:type" content="article">
<meta property="article:published_time" content="2014-06-11T11:02:00+02:00">
</head>
<body>
<a href="#content" class="sr-only sr-only-focusable">Skip to main content</a>
<!-- Menubar -->
<nav class="navbar navbar-expand-md static-top mb-4
navbar-dark bg-dark
"><div class="container">
<!-- This keeps the margins nice -->
<a class="navbar-brand" href="https://suhosin.org/">
<span id="blog-title">SUHOSIN</span>
</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#bs-navbar" aria-controls="bs-navbar" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="bs-navbar">
<ul class="navbar-nav mr-auto">
<li class="nav-item">
<a href="download.html" class="nav-link">Download</a>
</li>
<li class="nav-item dropdown">
<a href="#" class="nav-link dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Documentation</a>
<div class="dropdown-menu">
<a href="#" class="dropdown-item active">Feature List <span class="sr-only">(active)</span></a>
<a href="install.html" class="dropdown-item">Installing Suhosin</a>
<a href="configuration.html" class="dropdown-item">Configuration</a>
<a href="howtos.html" class="dropdown-item">HOWTOs</a>
<a href="faq.html" class="dropdown-item">FAQ</a>
<a href="benchmark.html" class="dropdown-item">Benchmark</a>
</div>
</li>
<li class="nav-item dropdown">
<a href="#" class="nav-link dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Github</a>
<div class="dropdown-menu">
<a href="https://raw.githubusercontent.com/sektioneins/suhosin/master/Changelog" class="dropdown-item">Changelog</a>
<a href="https://github.com/sektioneins/suhosin" class="dropdown-item">Sources</a>
<a href="https://github.com/sektioneins/suhosin/issues" class="dropdown-item">Bugtracker</a>
</div>
</li>
<li class="nav-item dropdown">
<a href="#" class="nav-link dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">SektionEins</a>
<div class="dropdown-menu">
<a href="https://sektioneins.de/en/index.html#services" class="dropdown-item">Security Audits</a>
<a href="https://sektioneins.de/en/index.html#news" class="dropdown-item">News</a>
<a href="https://sektioneins.de/en/kontakt.html" class="dropdown-item">Contact</a>
</div>
</li>
</ul>
<ul class="navbar-nav navbar-right"></ul>
</div>
<!-- /.navbar-collapse -->
</div>
<!-- /.container -->
</nav><!-- End of Menubar --><div class="container" id="content" role="main">
<div class="body-content">
<!--Body content-->
<article class="post-text storypage" itemscope="itemscope" itemtype="http://schema.org/Article"><header><h1 class="p-name entry-title" itemprop="headline name"><a href="#" class="u-url">Suhosin Feature List</a></h1>
</header><div class="e-content entry-content" itemprop="articleBody text">
<div>
<div class="section" id="feature-list-suhosin-patch">
<h2>Feature List - Suhosin Patch</h2>
<div class="section" id="engine-protection">
<h3>Engine Protection</h3>
<ul class="simple">
<li>Protects the internal memory manager against buffer overflows with Canary and SafeUnlink Protection</li>
<li>Protects Destructors of Zend Hashtables</li>
<li>Protects Destructors of Zend Linked-Lists</li>
<li>Protects the PHP core and extensions against format string vulnerabilities</li>
<li>Protects against errors in certain libc realpath() implementations</li>
</ul>
</div>
</div>
<div class="section" id="feature-list-suhosin-extension">
<h2>Feature List - Suhosin Extension</h2>
<div class="section" id="misc-features">
<h3>Misc Features</h3>
<ul class="simple">
<li>Protection Simulation mode :!:</li>
<li>Adds the functions sha256() and sha256_file() to the PHP core</li>
<li>Adds support for CRYPT_BLOWFISH to crypt() on all platforms</li>
<li>Transparent protection of open phpinfo() pages</li>
<li>EXPERIMENTAL SQL database user protection</li>
</ul>
</div>
<div class="section" id="runtime-protection">
<h3>Runtime Protection</h3>
<ul class="simple">
<li>Transparent Cookie Encryption :!:</li>
<li>Protects against different kinds of (Remote-)Include Vulnerabilities<ul>
<li>disallows Remote URL inclusion (optional: black-/whitelisting)</li>
<li>disallows inclusion of uploaded files</li>
</ul>
</li>
<li>optionally stops directory traversal attacks</li>
<li>Allows disabling the preg_replace() /e modifier</li>
<li>Allows disabling eval()</li>
<li>Protects against infinite recursion through a configurable maximum execution depth</li>
<li>Supports per-virtual-host / per-directory configurable function black- and whitelists</li>
<li>Supports a separate function black- and whitelist for evaluated code</li>
<li>Protects against HTTP Response Splitting Vulnerabilities</li>
<li>Protects against scripts manipulating the memory_limit</li>
<li>Protects PHP's superglobals against extract() and import_request_vars()</li>
<li>Adds protection against newline attacks to mail()</li>
<li>Adds protection against the \0 (NUL byte) attack on preg_replace()</li>
</ul>
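<p>To make the two newline-related items above concrete (protection against newline attacks on mail(), and protection against HTTP response splitting), here is an added Python model of the check a defender applies before a caller-controlled string reaches mail() or header(). It is illustration written for this page, not Suhosin's code: the function names, finding strings and sample inputs are constructed, and the rule that rejects injected recipient headers is an assumed policy, not a description of Suhosin's exact semantics.</p>

```python
"""CR/LF injection checks for mail() headers and HTTP response headers.

Added illustration for this page; not Suhosin's code. Models the kind of
validation behind "protection against newline attacks to mail()" and
"protects against HTTP Response Splitting".
"""
from __future__ import annotations

import re

# Anything that can end a header line. Bare CR or bare LF each suffice for
# real-world SMTP and HTTP parsers, so both count, not only the CRLF pair.
_LINE_BREAK = re.compile(r"[\r\n]")
# One "Name: value" line: printable ASCII name without ':' or whitespace,
# then an optional space and a value that contains no line break.
_FIELD_LINE = re.compile(r"[!-9;-~]+:[ \t]*[^\r\n]*")
# Headers that add recipients; an injected one turns the server into a relay
# (assumed policy for this example).
_RECIPIENT_HEADERS = {"to", "cc", "bcc"}


def header_value_is_safe(value: str) -> bool:
    """True when the value cannot start a new header line or the body."""
    return _LINE_BREAK.search(value) is None


def check_http_header(header: str) -> list[str]:
    """Findings for one raw 'Name: value' string as it would be passed to header()."""
    name, sep, value = header.partition(":")
    if not sep:
        return ["not a 'Name: value' header"]
    findings = []
    if not header_value_is_safe(value):
        findings.append("value contains CR/LF (response splitting)")
    if re.fullmatch(r"[!-9;-~]+", name.strip()) is None:
        findings.append("invalid header name")
    return findings


def check_mail_call(to: str, subject: str, extra_headers: str) -> list[str]:
    """Findings for the (to, subject, additional_headers) arguments of a mail() call."""
    findings = []
    for label, value in (("To", to), ("Subject", subject)):
        if not header_value_is_safe(value):
            findings.append(f"{label}: contains CR/LF")
    if not extra_headers:
        return findings
    # Additional headers legitimately contain CRLF *between* header lines, so
    # they are validated line by line. Lone CR or LF is normalised to CRLF first
    # so a bare LF cannot hide inside what looks like one line.
    normalised = re.sub(r"\r\n|\r|\n", "\r\n", extra_headers.rstrip("\r\n"))
    for i, line in enumerate(normalised.split("\r\n")):
        if line == "":
            findings.append(f"extra header line {i}: blank line ends the header block")
        elif _FIELD_LINE.fullmatch(line) is None:
            findings.append(f"extra header line {i}: malformed header")
        elif line.split(":", 1)[0].strip().lower() in _RECIPIENT_HEADERS:
            findings.append(f"extra header line {i}: injected recipient header")
    return findings


if __name__ == "__main__":
    # Constructed samples: one clean call, one with an injected Bcc line.
    print(check_mail_call("a@example.com", "hello", "X-Mailer: demo"))
    print(check_mail_call("a@example.com", "hello", "X-Mailer: demo\nBcc: x@example.com"))
    print(check_http_header("Location: /home\r\nSet-Cookie: a=1"))
```

A blank line in the additional-headers string is reported separately from a malformed line because it has a distinct consequence: everything after it is delivered as message body, which is the classic way an injected "header" smuggles in its own content.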
</div>
<div class="section" id="session-protection">
<h3>Session Protection</h3>
<ul class="simple">
<li>Transparent encryption of session data :!:</li>
<li>Transparent session hijacking protection :!:</li>
<li>Protection against overlong session identifiers</li>
<li>Protection against malicious chars in session identifiers</li>
</ul>
</div>
<div class="section" id="filtering-features">
<h3>Filtering Features</h3>
<ul class="simple">
<li>Filters ASCIIZ (NUL byte) characters from user input</li>
<li>Ignores GET, POST, COOKIE variables with the following names:
GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
_SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS</li>
<li>Allows enforcing limits on REQUEST variables, either overall or separately by type (GET, POST, COOKIE)<ul>
<li>Supports a limit on the number of variables per request</li>
<li>Supports a maximum length of variable names [with and without indices]</li>
<li>Supports a maximum length of array indices</li>
<li>Supports a maximum length of variable values</li>
<li>Supports a maximum depth of arrays</li>
</ul>
</li>
<li>Allows only a configurable number of uploaded files</li>
<li>Supports verification of uploaded files through an external script</li>
<li>Supports automatic banning of uploaded ELF executables</li>
<li>Supports automatic banning of uploaded binary files</li>
<li>Supports automatic stripping of binary content in uploaded files</li>
<li>Configurable action on violation<ul>
<li>just block violating variables</li>
<li>send HTTP response code</li>
<li>redirect the browser</li>
<li>execute another PHP script</li>
</ul>
</li>
</ul>
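<p>The session identifier checks (overlong identifiers, malicious characters) in the previous section and the filtering rules above can be modelled as one request-admission policy. The following Python is an added example written for this page, not Suhosin's code: the reserved names are the ones listed above, the limit values, rule names and sample input are constructed, leaf values are assumed to be strings, nested dicts stand for PHP array variables, and the session ID alphabet is assumed to be PHP's default one (0-9, a-z, A-Z, comma and minus).</p>

```python
"""Request-admission policy modelled on the filtering and session-ID rules above.

Added illustration for this page; not Suhosin's code. Values are assumed to be
strings; nested dicts stand for PHP array variables such as a[b][c].
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Request variable names that must never (re)define a superglobal; this is the
# list given on the page.
RESERVED_NAMES = frozenset({
    "GLOBALS", "_COOKIE", "_ENV", "_FILES", "_GET", "_POST", "_REQUEST",
    "_SERVER", "_SESSION", "HTTP_COOKIE_VARS", "HTTP_ENV_VARS",
    "HTTP_GET_VARS", "HTTP_POST_VARS", "HTTP_POST_FILES",
    "HTTP_RAW_POST_DATA", "HTTP_SERVER_VARS", "HTTP_SESSION_VARS",
})

# Assumed default alphabet of PHP session identifiers.
_SESSION_ID = re.compile(r"[0-9A-Za-z,-]+")


@dataclass(frozen=True)
class Limits:
    """Constructed limit values; a real deployment tunes these per application."""
    max_vars: int = 100               # leaf variables per request
    max_name_length: int = 64         # name without indices
    max_total_name_length: int = 256  # name including indices, e.g. a[b][c]
    max_index_length: int = 64        # one array index
    max_value_length: int = 1000
    max_array_depth: int = 10         # brackets in a name: a[b][c] has depth 2


def check_request(variables: dict, limits: Limits = Limits()) -> list[tuple[str, str]]:
    """Return (full variable name, rule broken) for every violation found."""
    violations: list[tuple[str, str]] = []
    leaves = 0

    def visit(full: str, value, depth: int) -> None:
        nonlocal leaves
        if isinstance(value, dict):
            if depth + 1 > limits.max_array_depth:
                violations.append((full, "array nesting too deep"))
                return
            for index, child in value.items():
                if "\0" in index:
                    violations.append((full, "NUL byte in array index"))
                elif len(index) > limits.max_index_length:
                    violations.append((full, "array index too long"))
                else:
                    visit(f"{full}[{index}]", child, depth + 1)
            return
        leaves += 1
        if leaves > limits.max_vars:
            violations.append((full, "too many variables in request"))
        if len(full) > limits.max_total_name_length:
            violations.append((full, "variable name with indices too long"))
        if "\0" in value:
            violations.append((full, "NUL byte in value"))
        if len(value) > limits.max_value_length:
            violations.append((full, "value too long"))

    for name, value in variables.items():
        # Checks on the bare name come first; a reserved or NUL-containing
        # name is rejected without looking at its contents at all.
        if name in RESERVED_NAMES:
            violations.append((name, "reserved superglobal name"))
        elif "\0" in name:
            violations.append((name, "NUL byte in variable name"))
        elif len(name) > limits.max_name_length:
            violations.append((name, "variable name too long"))
        else:
            visit(name, value, 0)
    return violations


def filter_request(variables: dict, limits: Limits = Limits()) -> dict:
    """The "just block violating variables" action: drop every top-level
    variable that produced a violation and pass the rest through unchanged."""
    bad = {full.split("[", 1)[0] for full, _ in check_request(variables, limits)}
    return {name: value for name, value in variables.items() if name not in bad}


def session_id_is_valid(session_id: str, max_length: int = 128) -> bool:
    """Reject overlong identifiers and any character outside the assumed
    alphabet, so a cookie value can never become a path or shell fragment."""
    return len(session_id) <= max_length and _SESSION_ID.fullmatch(session_id) is not None


if __name__ == "__main__":
    # Constructed sample request: one NUL-byte value, one reserved name.
    sample = {"user": "bob\0", "GLOBALS": {"x": "1"}, "ok": "fine"}
    for full, rule in check_request(sample):
        print(f"{full}: {rule}")
    print(filter_request(sample))
```

Reporting every violation rather than stopping at the first one is what makes the "send HTTP response code" and "execute another PHP script" actions useful: the handler can log the complete picture of what a request tried to do instead of only the first rule it tripped.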
</div>
<div class="section" id="logging-features">
<h3>Logging Features</h3>
<ul class="simple">
<li>Supports multiple log devices (syslog, SAPI module error log, external logging script)</li>
<li>Supports freely configurable syslog facility and priority</li>
<li>Supports selecting, per log device, which alert types to log</li>
<li>Alerts contain the filename and line number that triggered them</li>
<li>Alerts contain the IP address of the user triggering them</li>
<li>The IP address can also be extracted from X-Forwarded-For HTTP headers (e.g. for reverse proxy setups)</li>
</ul>
</div>
</div>
</div>
</div>
</article><!--End of body content--><footer id="footer"><a href="https://sektioneins.de/en/"><img src="../images/s1-logo-transparent-small.png" id="footerimg"></a><div id="footertext">© 2019 <a href="https://sektioneins.de/en/">SektionEins GmbH</a> • <a href="https://sektioneins.de/en/impressum.html">Imprint</a> • <a href="https://sektioneins.de/en/privacy.html">Privacy Statement</a>
</div>
</footer>
</div>
</div>
<script src="../assets/js/all-nocdn.js"></script><script>
baguetteBox.run('div#content', {
ignoreClass: 'islink',
captions: function(element) {
return element.getElementsByTagName('img')[0].alt;
}});
</script>
</body>
</html>