| -rw-r--r-- | config/default.rules | 4 | ||||
| -rw-r--r-- | doc/source/config.rst | 2 | ||||
| -rw-r--r-- | doc/source/features.rst | 6 |
3 files changed, 10 insertions, 2 deletions
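--- a/config/default.rules
+++ b/config/default.rules
@@ -35,6 +35,10 @@ sp.xxe_protection.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
+# Note that an attacker with arbitrary PHP code execution
+# can bypass some virtual-patching, by (as)using PHP feature.
+# A clever example would be to declare a class with a __toString method.
+
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 @condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("chmod").param("mode").value("438").drop();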
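Review bot: The added comment at new line 39 reads `(as)using PHP feature`, while the features.rst hunk in this same commit writes `(ab)using some PHP features`; the rules file should use the same, corrected wording: `# can bypass some virtual-patching, by (ab)using PHP features.`. The comment is also placed directly above the `chmod` hardening block, so a reader may take it as a caveat about that single rule rather than about `sp.disable_function` virtual patches in general; a lead-in line such as `# The disable_function rules below are virtual patches, not a sandbox:` would make the scope clear. The `__toString` example is left unexplained here and in the docs hunk; if the intended point is that a parameter matched by `.value(...)` can be an object whose string form differs at match time and at use time, saying so in one sentence would help an operator judge which rules it affects (I cannot confirm that mechanism from this page).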
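--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -152,7 +152,7 @@ least astonishment
 <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>`__. But since
 it's `possible to modify php's logging system via php
 <https://www.php.net/manual/en/errorfunc.configuration.php>`__, it's
-heavily recommended to use the ``syslog`` option instead. The ``file:` option
+heavily recommended to use the ``syslog`` option instead. The ``file:`` option
 might be useful if you're using Snuffleupagus to fuzz or audit a codebase.
 
 log_max_len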
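--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -309,7 +309,11 @@ of dangerous functions, dropping them everywhere else:
 :language: php
 
 
-The intent is to make post-exploitation process (such as backdooring of legitimate code, or RAT usage) a lot harder for the attacker.
+The intent is to make post-exploitation process (such as backdooring of
+legitimate code, or RAT usage) a lot harder for the attacker.
+
+Note that an attacker able to run arbitrary PHP code can likely bypass some virtual-patching
+by (ab)using some PHP features.
 
 
 .. _global-strict-feature: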
