Add a configuration file for php8

author: jvoisin 2021-04-26 21:19:59 +0200
committer: jvoisin 2021-04-26 21:20:21 +0200
commit: 0aaa9e51bbf102c37a9f545309c07650b6ee527b (patch)
tree: 18e9e799062cdb805d6f07c3169587d65dfa7cfa /config/default_php8.rules
parent: 654552c14ba8c98a244f82f9b8f1225a68526efb (diff)
1 files changed, 146 insertions, 0 deletions
diff --git a/config/default_php8.rules b/config/default_php8.rules
new file mode 100644
index 0000000..5517eb7
--- /dev/null
+++ b/config/default_php8.rules
@@ -0,0 +1,146 @@
+# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
+# for php8.
+# It contains "reasonable" defaults that won't break your websites,
+# and a lot of commented directives that you can enable if you want to 
+# have a better protection.
+# Harden the PRNG
+sp.harden_random.enable();
+# Disabled XXE
+sp.disable_xxe.enable();
+# Global configuration variables
+# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
+# Globally activate strict mode
+# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
+# sp.global_strict.enable();
+# Prevent unserialize-related exploits
+# sp.unserialize_hmac.enable();
+# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
+# sp.readonly_exec.enable();
+# Php has a lot of wrappers, most of them aren't usually useful, you should 
+# only enable the ones you're using.
+# sp.wrappers_whitelist.list("file,php,phar");
+# Prevent sloppy comparisons.
+# sp.sloppy_comparison.enable();
+# use SameSite on session cookie
+# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
+sp.cookie.name("PHPSESSID").samesite("lax");
+# Harden the `chmod` function
+sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+# Since it's now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
+# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
+sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
+sp.disable_function.function("extract").param("extract_type").value("0").drop()
+# This is also burned:
+# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# Since we have no way of matching on two parameters at the same time, we're
+# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
+# Moreover, there are non-public bypasses that are also using this vector ;)
+sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
+##Prevent various `include`-related vulnerabilities
+sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("option").value("include_path").drop();
+sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
+# Detect some backdoors via environnement recon
+sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
+sp.disable_function.function("function_exists").param("function").value("eval").drop();
+sp.disable_function.function("function_exists").param("function").value("exec").drop();
+sp.disable_function.function("function_exists").param("function").value("system").drop();
+sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
+sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
+sp.disable_function.function("function_exists").param("function").value("passthru").drop();
+sp.disable_function.function("is_callable").param("var").value("eval").drop();
+sp.disable_function.function("is_callable").param("var").value("exec").drop();
+sp.disable_function.function("is_callable").param("var").value("system").drop();
+sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("var").value("passthru").drop();
+# Commenting sqli related stuff to improve performance.
+# TODO figure out why these functions can't be hooked at startup
+# Ghetto sqli hardening
+# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
+# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
+# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
+# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
+# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
+# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
+# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
+# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
+# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
+# Ghetto sqli detection
+# sp.disable_function.function("mysql_query").ret("FALSE").drop();
+# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
+# sp.disable_function.function("PDO::query").ret("FALSE").drop();
+# Ensure that certificates are properly verified
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+#File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# Logging lockdown
+sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
author	jvoisin	2021-04-26 21:19:59 +0200
committer	jvoisin	2021-04-26 21:20:21 +0200
commit	0aaa9e51bbf102c37a9f545309c07650b6ee527b (patch)
tree	18e9e799062cdb805d6f07c3169587d65dfa7cfa /config/default_php8.rules
parent	654552c14ba8c98a244f82f9b8f1225a68526efb (diff)

diff --git a/config/default_php8.rules b/config/default_php8.rules new file mode 100644 index 0000000..5517eb7 --- /dev/null +++ b/config/default_php8.rules
@@ -0,0 +1,146 @@
	1	# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
	2	# for php8.
	3	# It contains "reasonable" defaults that won't break your websites,
	4	# and a lot of commented directives that you can enable if you want to
	5	# have a better protection.
	6
	7	# Harden the PRNG
	8	sp.harden_random.enable();
	9
	10	# Disabled XXE
	11	sp.disable_xxe.enable();
	12
	13	# Global configuration variables
	14	# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
	15
	16	# Globally activate strict mode
	17	# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
	18	# sp.global_strict.enable();
	19
	20	# Prevent unserialize-related exploits
	21	# sp.unserialize_hmac.enable();
	22
	23	# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
	24	# sp.readonly_exec.enable();
	25
	26	# Php has a lot of wrappers, most of them aren't usually useful, you should
	27	# only enable the ones you're using.
	28	# sp.wrappers_whitelist.list("file,php,phar");
	29
	30	# Prevent sloppy comparisons.
	31	# sp.sloppy_comparison.enable();
	32
	33	# use SameSite on session cookie
	34	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
	35	sp.cookie.name("PHPSESSID").samesite("lax");
	36
	37	# Harden the `chmod` function
	38	sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
	39
	40	# Prevent various `mail`-related vulnerabilities
	41	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
	42
	43	# Since it's now burned, me might as well mitigate it publicly
	44	sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
	45
	46	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
	47	sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
	48
	49	# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
	50	sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
	51	sp.disable_function.function("extract").param("extract_type").value("0").drop()
	52
	53	# This is also burned:
	54	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
	55	# Since we have no way of matching on two parameters at the same time, we're
	56	# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
	57	# Moreover, there are non-public bypasses that are also using this vector ;)
	58	sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
	59
	60	##Prevent various `include`-related vulnerabilities
	61	sp.disable_function.function("require_once").value_r("\.(inc\|phtml\|php)$").allow();
	62	sp.disable_function.function("include_once").value_r("\.(inc\|phtml\|php)$").allow();
	63	sp.disable_function.function("require").value_r("\.(inc\|phtml\|php)$").allow();
	64	sp.disable_function.function("include").value_r("\.(inc\|phtml\|php)$").allow();
	65	sp.disable_function.function("require_once").drop()
	66	sp.disable_function.function("include_once").drop()
	67	sp.disable_function.function("require").drop()
	68	sp.disable_function.function("include").drop()
	69
	70	# Prevent `system`-related injections
	71	sp.disable_function.function("system").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	72	sp.disable_function.function("shell_exec").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	73	sp.disable_function.function("exec").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	74	sp.disable_function.function("proc_open").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	75
	76	# Prevent runtime modification of interesting things
	77	sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
	78	sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
	79	sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
	80	sp.disable_function.function("ini_set").param("option").value("include_path").drop();
	81	sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
	82
	83	# Detect some backdoors via environnement recon
	84	sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
	85	sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
	86	sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
	87	sp.disable_function.function("function_exists").param("function").value("eval").drop();
	88	sp.disable_function.function("function_exists").param("function").value("exec").drop();
	89	sp.disable_function.function("function_exists").param("function").value("system").drop();
	90	sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
	91	sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
	92	sp.disable_function.function("function_exists").param("function").value("passthru").drop();
	93	sp.disable_function.function("is_callable").param("var").value("eval").drop();
	94	sp.disable_function.function("is_callable").param("var").value("exec").drop();
	95	sp.disable_function.function("is_callable").param("var").value("system").drop();
	96	sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
	97	sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
	98	sp.disable_function.function("is_callable").param("var").value("passthru").drop();
	99
	100	# Commenting sqli related stuff to improve performance.
	101	# TODO figure out why these functions can't be hooked at startup
	102	# Ghetto sqli hardening
	103	# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
	104	# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
	105	# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
	106	# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
	107	# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
	108	# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
	109	# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
	110
	111	# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
	112	# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
	113	# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
	114	# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
	115	# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
	116	# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
	117	# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
	118
	119	# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
	120	# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
	121	# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
	122	# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
	123	# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
	124	# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
	125	# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
	126
	127	# Ghetto sqli detection
	128	# sp.disable_function.function("mysql_query").ret("FALSE").drop();
	129	# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
	130	# sp.disable_function.function("PDO::query").ret("FALSE").drop();
	131
	132	# Ensure that certificates are properly verified
	133	sp.disable_function.function("curl_setopt").param("value").value("1").allow();
	134	sp.disable_function.function("curl_setopt").param("value").value("2").allow();
	135	# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
	136	sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
	137	sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
	138
	139	#File upload
	140	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
	141	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
	142
	143	# Logging lockdown
	144	sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
	145	sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
	146	sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()