1 files changed, 120 insertions, 0 deletions
diff --git a/config/default_php8.rules b/config/default_php8.rules
new file mode 100644
index 0000000..c024176
--- /dev/null
+++ b/config/default_php8.rules
@@ -0,0 +1,120 @@
+# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
+# for php8.
+# It contains "reasonable" defaults that won't break your websites,
+# and a lot of commented directives that you can enable if you want to 
+# have a better protection.
+# Harden the PRNG
+sp.harden_random.enable();
+# Disabled XXE
+sp.disable_xxe.enable();
+# Global configuration variables
+# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
+# Globally activate strict mode
+# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
+# sp.global_strict.enable();
+# Prevent unserialize-related exploits
+# sp.unserialize_hmac.enable();
+# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
+# sp.readonly_exec.enable();
+# Php has a lot of wrappers, most of them aren't usually useful, you should
+# only enable the ones you're using.
+# sp.wrappers_whitelist.list("file,php,phar");
+# Prevent sloppy comparisons.
+# sp.sloppy_comparison.enable();
+# use SameSite on session cookie
+# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
+sp.cookie.name("PHPSESSID").samesite("lax");
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
+sp.disable_function.function("chmod").param("permissions").value("438").drop();
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+# Since it's now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
+# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
+sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").param("array").value_r("^_").drop()
+sp.disable_function.function("extract").param("flags").value("0").drop()
+# This is also burned:
+# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# Since we have no way of matching on two parameters at the same time, we're
+# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
+# Moreover, there are non-public bypasses that are also using this vector ;)
+sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
+##Prevent various `include`-related vulnerabilities
+sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("option").value("include_path").drop();
+sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
+# Detect some backdoors via environment recon
+sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
+sp.disable_function.function("function_exists").param("function").value("eval").drop();
+sp.disable_function.function("function_exists").param("function").value("exec").drop();
+sp.disable_function.function("function_exists").param("function").value("system").drop();
+sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
+sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
+sp.disable_function.function("function_exists").param("function").value("passthru").drop();
+sp.disable_function.function("is_callable").param("value").value("eval").drop();
+sp.disable_function.function("is_callable").param("value").value("exec").drop();
+sp.disable_function.function("is_callable").param("value").value("system").drop();
+sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("value").value("passthru").drop();
+# Ghetto error-based sqli detection
+# sp.disable_function.function("mysql_query").ret("FALSE").drop();
+# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
+# sp.disable_function.function("PDO::query").ret("FALSE").drop();
+# Ensure that certificates are properly verified
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# Logging lockdown
+sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()

diff --git a/config/default_php8.rules b/config/default_php8.rules new file mode 100644 index 0000000..c024176 --- /dev/null +++ b/config/default_php8.rules
@@ -0,0 +1,120 @@
	1	# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
	2	# for php8.
	3	# It contains "reasonable" defaults that won't break your websites,
	4	# and a lot of commented directives that you can enable if you want to
	5	# have a better protection.
	6
	7	# Harden the PRNG
	8	sp.harden_random.enable();
	9
	10	# Disabled XXE
	11	sp.disable_xxe.enable();
	12
	13	# Global configuration variables
	14	# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
	15
	16	# Globally activate strict mode
	17	# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
	18	# sp.global_strict.enable();
	19
	20	# Prevent unserialize-related exploits
	21	# sp.unserialize_hmac.enable();
	22
	23	# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
	24	# sp.readonly_exec.enable();
	25
	26	# Php has a lot of wrappers, most of them aren't usually useful, you should
	27	# only enable the ones you're using.
	28	# sp.wrappers_whitelist.list("file,php,phar");
	29
	30	# Prevent sloppy comparisons.
	31	# sp.sloppy_comparison.enable();
	32
	33	# use SameSite on session cookie
	34	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
	35	sp.cookie.name("PHPSESSID").samesite("lax");
	36
	37	# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
	38	sp.disable_function.function("chmod").param("permissions").value("438").drop();
	39	sp.disable_function.function("chmod").param("permissions").value("511").drop();
	40
	41	# Prevent various `mail`-related vulnerabilities
	42	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
	43
	44	# Since it's now burned, me might as well mitigate it publicly
	45	sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
	46
	47	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
	48	sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
	49
	50	# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
	51	sp.disable_function.function("extract").param("array").value_r("^_").drop()
	52	sp.disable_function.function("extract").param("flags").value("0").drop()
	53
	54	# This is also burned:
	55	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
	56	# Since we have no way of matching on two parameters at the same time, we're
	57	# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
	58	# Moreover, there are non-public bypasses that are also using this vector ;)
	59	sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
	60
	61	##Prevent various `include`-related vulnerabilities
	62	sp.disable_function.function("require_once").value_r("\.(inc\|phtml\|php)$").allow();
	63	sp.disable_function.function("include_once").value_r("\.(inc\|phtml\|php)$").allow();
	64	sp.disable_function.function("require").value_r("\.(inc\|phtml\|php)$").allow();
	65	sp.disable_function.function("include").value_r("\.(inc\|phtml\|php)$").allow();
	66	sp.disable_function.function("require_once").drop()
	67	sp.disable_function.function("include_once").drop()
	68	sp.disable_function.function("require").drop()
	69	sp.disable_function.function("include").drop()
	70
	71	# Prevent `system`-related injections
	72	sp.disable_function.function("system").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	73	sp.disable_function.function("shell_exec").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	74	sp.disable_function.function("exec").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	75	sp.disable_function.function("proc_open").param("command").value_r("[$\|;&`\\n\\(\\)\\\\]").drop();
	76
	77	# Prevent runtime modification of interesting things
	78	sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
	79	sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
	80	sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
	81	sp.disable_function.function("ini_set").param("option").value("include_path").drop();
	82	sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
	83
	84	# Detect some backdoors via environment recon
	85	sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
	86	sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
	87	sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
	88	sp.disable_function.function("function_exists").param("function").value("eval").drop();
	89	sp.disable_function.function("function_exists").param("function").value("exec").drop();
	90	sp.disable_function.function("function_exists").param("function").value("system").drop();
	91	sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
	92	sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
	93	sp.disable_function.function("function_exists").param("function").value("passthru").drop();
	94	sp.disable_function.function("is_callable").param("value").value("eval").drop();
	95	sp.disable_function.function("is_callable").param("value").value("exec").drop();
	96	sp.disable_function.function("is_callable").param("value").value("system").drop();
	97	sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
	98	sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
	99	sp.disable_function.function("is_callable").param("value").value("passthru").drop();
	100
	101	# Ghetto error-based sqli detection
	102	# sp.disable_function.function("mysql_query").ret("FALSE").drop();
	103	# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
	104	# sp.disable_function.function("PDO::query").ret("FALSE").drop();
	105
	106	# Ensure that certificates are properly verified
	107	sp.disable_function.function("curl_setopt").param("value").value("1").allow();
	108	sp.disable_function.function("curl_setopt").param("value").value("2").allow();
	109	# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
	110	sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
	111	sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
	112
	113	# File upload
	114	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
	115	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
	116
	117	# Logging lockdown
	118	sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
	119	sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
	120	sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()