Add example configuration for Xenforo 2.2.12

author: Julien Voisin 2023-01-03 21:39:56 +0100
committer: GitHub 2023-01-03 21:39:56 +0100
commit: 0423e1b63364f4dd741d3a8ac8a880407ff37371 (patch)
tree: 9090e7a6630fbc929d1bc18000579a1388c1158f /config
parent: 7d006a4b971aec04c42c06c877c0e496f1f62bc0 (diff)
parent: 3b794ec1f8ba52c1a30ca0099297c89a41fa49aa (diff)
1 files changed, 141 insertions, 0 deletions
diff --git a/config/xenforo.rules b/config/xenforo.rules
new file mode 100644
index 0000000..9f29e1d
--- /dev/null
+++ b/config/xenforo.rules
@@ -0,0 +1,141 @@
+# This is a sample configuration for Snuffleupagus to accomodate Xenforo v2.2.12 on PHP 8.1
+# We keep the default configuration values commented out where they have been shown to be harmful
+# Global configuration variables
+sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
+# Enforce secure cookies
+# -- You ought to be using HTTPS-only anyway
+sp.auto_cookie_secure.enable();
+# Harden the PRNG
+sp.harden_random.enable();
+# Disabled XXE
+sp.xxe_protection.enable();
+# Globally activate strict mode
+# -- Entirely breaks Xenforo; 99% of requests abuse lose typing directly in their entrypoint
+# sp.global_strict.enable();
+# Prevent unserialize-related exploits
+# -- Xenforo heavily uses serialization in database and caches; enable at your own risk
+# sp.unserialize_hmac.enable();
+# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
+# -- Xenforo has a 0777 file permissions model and will refuse to run with anything else, both for
+# -- code caches and its own webroot; this isn't workable at all with this
+# sp.readonly_exec.enable();
+# PHP has a lot of wrappers, most of them aren't usually useful, you should
+# only enable the ones you're using.
+# -- Seems OK in general, could break somewhere along the way however
+sp.wrappers_whitelist.list("file,php,phar");
+# Prevent sloppy comparisons.
+sp.sloppy_comparison.enable();
+# use SameSite on session cookie
+# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
+sp.cookie.name("PHPSESSID").samesite("lax");
+# -- Xenforo cookies
+sp.cookie.name("xf_csrf").samesite("lax");
+sp.cookie.name("xf_session").samesite("lax");
+sp.cookie.name("xf_user").samesite("lax");
+# Harden the `chmod` function
+# -- Xenforo aggressively makes files executable left and right, alas
+# sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+# Since it's now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
+# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
+sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").param("array").value_r("^_").drop()
+sp.disable_function.function("extract").param("flags").value("0").drop()
+# This is also burned:
+# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# Since we have no way of matching on two parameters at the same time, we're
+# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
+# Moreover, there are non-public bypasses that are also using this vector ;)
+sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
+##Prevent various `include`-related vulnerabilities
+# -- "php8" is necessary here, due to the following snippet in one of the vendored Symfony dependencies
+# -- if (PHP_VERSION_ID >= 80000) {
+# --     require_once __DIR__.'/Resources/mb_convert_variables.php8';
+# -- }
+sp.disable_function.function("require_once").value_r("\.(inc|phtml|php|php8)$").allow();
+sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+# Prevent runtime modification of interesting things
+# -- Xenforo applies its own set of ini rules sanitization and this cannot be disabled without a hard fork
+# sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
+# sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
+# sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("option").value("include_path").drop();
+sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
+# Detect some backdoors via environment recon
+# -- Xenforo does its own recon of the environment and this cannot be disabled without a hard fork
+# sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
+# sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
+sp.disable_function.function("function_exists").param("function").value("eval").drop();
+sp.disable_function.function("function_exists").param("function").value("exec").drop();
+sp.disable_function.function("function_exists").param("function").value("system").drop();
+sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
+sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
+sp.disable_function.function("function_exists").param("function").value("passthru").drop();
+sp.disable_function.function("is_callable").param("value").value("eval").drop();
+sp.disable_function.function("is_callable").param("value").value("exec").drop();
+sp.disable_function.function("is_callable").param("value").value("system").drop();
+sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("value").value("passthru").drop();
+# Ghetto error-based sqli detection
+sp.disable_function.function("mysql_query").ret("FALSE").drop();
+sp.disable_function.function("mysqli_query").ret("FALSE").drop();
+sp.disable_function.function("PDO::query").ret("FALSE").drop();
+# Ensure that certificates are properly verified
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# Logging lockdown
+# -- Xenforo applies its own set of ini rules sanitization and this cannot be disabled without a hard fork
+# sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
+# sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
+# sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
+# Configuration you might want to enable on production environments only
+# sp.ini.key("display_errors").set("0").ro();
+# sp.ini.key("display_startup_errors").set("0").ro();
+# sp.ini.key("expose_php").set("0").ro();
author	Julien Voisin	2023-01-03 21:39:56 +0100
committer	GitHub	2023-01-03 21:39:56 +0100
commit	0423e1b63364f4dd741d3a8ac8a880407ff37371 (patch)
tree	9090e7a6630fbc929d1bc18000579a1388c1158f /config
parent	7d006a4b971aec04c42c06c877c0e496f1f62bc0 (diff)
parent	3b794ec1f8ba52c1a30ca0099297c89a41fa49aa (diff)

diff --git a/config/xenforo.rules b/config/xenforo.rules new file mode 100644 index 0000000..9f29e1d --- /dev/null +++ b/config/xenforo.rules
@@ -0,0 +1,141 @@
	1	# This is a sample configuration for Snuffleupagus to accomodate Xenforo v2.2.12 on PHP 8.1
	2	# We keep the default configuration values commented out where they have been shown to be harmful
	3
	4	# Global configuration variables
	5	sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
	6
	7	# Enforce secure cookies
	8	# -- You ought to be using HTTPS-only anyway
	9	sp.auto_cookie_secure.enable();
	10
	11	# Harden the PRNG
	12	sp.harden_random.enable();
	13
	14	# Disabled XXE
	15	sp.xxe_protection.enable();
	16
	17	# Globally activate strict mode
	18	# -- Entirely breaks Xenforo; 99% of requests abuse lose typing directly in their entrypoint
	19	# sp.global_strict.enable();
	20
	21	# Prevent unserialize-related exploits
	22	# -- Xenforo heavily uses serialization in database and caches; enable at your own risk
	23	# sp.unserialize_hmac.enable();
	24
	25	# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
	26	# -- Xenforo has a 0777 file permissions model and will refuse to run with anything else, both for
	27	# -- code caches and its own webroot; this isn't workable at all with this
	28	# sp.readonly_exec.enable();
	29
	30	# PHP has a lot of wrappers, most of them aren't usually useful, you should
	31	# only enable the ones you're using.
	32	# -- Seems OK in general, could break somewhere along the way however
	33	sp.wrappers_whitelist.list("file,php,phar");
	34
	35	# Prevent sloppy comparisons.
	36	sp.sloppy_comparison.enable();
	37
	38	# use SameSite on session cookie
	39	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
	40	sp.cookie.name("PHPSESSID").samesite("lax");
	41	# -- Xenforo cookies
	42	sp.cookie.name("xf_csrf").samesite("lax");
	43	sp.cookie.name("xf_session").samesite("lax");
	44	sp.cookie.name("xf_user").samesite("lax");
	45
	46	# Harden the `chmod` function
	47	# -- Xenforo aggressively makes files executable left and right, alas
	48	# sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
	49
	50	# Prevent various `mail`-related vulnerabilities
	51	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
	52
	53	# Since it's now burned, me might as well mitigate it publicly
	54	sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
	55
	56	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
	57	sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
	58
	59	# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
	60	sp.disable_function.function("extract").param("array").value_r("^_").drop()
	61	sp.disable_function.function("extract").param("flags").value("0").drop()
	62
	63	# This is also burned:
	64	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
	65	# Since we have no way of matching on two parameters at the same time, we're
	66	# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
	67	# Moreover, there are non-public bypasses that are also using this vector ;)
	68	sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
	69
	70	##Prevent various `include`-related vulnerabilities
	71	# -- "php8" is necessary here, due to the following snippet in one of the vendored Symfony dependencies
	72	# -- if (PHP_VERSION_ID >= 80000) {
	73	# -- require_once __DIR__.'/Resources/mb_convert_variables.php8';
	74	# -- }
	75	sp.disable_function.function("require_once").value_r("\.(inc\|phtml\|php\|php8)$").allow();
	76	sp.disable_function.function("include_once").value_r("\.(inc\|phtml\|php)$").allow();
	77	sp.disable_function.function("require").value_r("\.(inc\|phtml\|php)$").allow();
	78	sp.disable_function.function("include").value_r("\.(inc\|phtml\|php)$").allow();
	79	sp.disable_function.function("require_once").drop()
	80	sp.disable_function.function("include_once").drop()
	81	sp.disable_function.function("require").drop()
	82	sp.disable_function.function("include").drop()
	83
	84	# Prevent `system`-related injections
	85	sp.disable_function.function("system").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	86	sp.disable_function.function("shell_exec").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	87	sp.disable_function.function("exec").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	88	sp.disable_function.function("proc_open").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	89
	90	# Prevent runtime modification of interesting things
	91	# -- Xenforo applies its own set of ini rules sanitization and this cannot be disabled without a hard fork
	92	# sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
	93	# sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
	94	# sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
	95	sp.disable_function.function("ini_set").param("option").value("include_path").drop();
	96	sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
	97
	98	# Detect some backdoors via environment recon
	99	# -- Xenforo does its own recon of the environment and this cannot be disabled without a hard fork
	100	# sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
	101	# sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
	102	sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
	103	sp.disable_function.function("function_exists").param("function").value("eval").drop();
	104	sp.disable_function.function("function_exists").param("function").value("exec").drop();
	105	sp.disable_function.function("function_exists").param("function").value("system").drop();
	106	sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
	107	sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
	108	sp.disable_function.function("function_exists").param("function").value("passthru").drop();
	109	sp.disable_function.function("is_callable").param("value").value("eval").drop();
	110	sp.disable_function.function("is_callable").param("value").value("exec").drop();
	111	sp.disable_function.function("is_callable").param("value").value("system").drop();
	112	sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
	113	sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
	114	sp.disable_function.function("is_callable").param("value").value("passthru").drop();
	115
	116	# Ghetto error-based sqli detection
	117	sp.disable_function.function("mysql_query").ret("FALSE").drop();
	118	sp.disable_function.function("mysqli_query").ret("FALSE").drop();
	119	sp.disable_function.function("PDO::query").ret("FALSE").drop();
	120
	121	# Ensure that certificates are properly verified
	122	sp.disable_function.function("curl_setopt").param("value").value("1").allow();
	123	sp.disable_function.function("curl_setopt").param("value").value("2").allow();
	124	# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
	125	sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
	126	sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
	127
	128	# File upload
	129	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
	130	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
	131
	132	# Logging lockdown
	133	# -- Xenforo applies its own set of ini rules sanitization and this cannot be disabled without a hard fork
	134	# sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
	135	# sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
	136	# sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
	137
	138	# Configuration you might want to enable on production environments only
	139	# sp.ini.key("display_errors").set("0").ro();
	140	# sp.ini.key("display_startup_errors").set("0").ro();
	141	# sp.ini.key("expose_php").set("0").ro();