From 4052c363ec770559aade8bf4ab57e49f2322281d Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 25 May 2025 13:11:38 +0200 Subject: Unify/fix the default.rules file across PHP versions, and add some new ones --- config/default.rules | 83 +++++++++++++++++++++------ config/default_php8.rules | 128 ------------------------------------------ debian/snuffleupagus.examples | 1 - 3 files changed, 66 insertions(+), 146 deletions(-) delete mode 100644 config/default_php8.rules diff --git a/config/default.rules b/config/default.rules index a3e779b..817e62f 100644 --- a/config/default.rules +++ b/config/default.rules @@ -40,35 +40,39 @@ sp.disable_function.function("chmod").param("mode").value("438").drop(); sp.disable_function.function("chmod").param("mode").value("511").drop(); # Prevent various `mail`-related vulnerabilities +@condition PHP_VERSION_ID < 80300; sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); +@condition PHP_VERSION_ID >= 80300; +sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop(); +@end_condition; # Since it's now burned, me might as well mitigate it publicly -sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() -sp.disable_function.function("putenv").param("setting").value("PATH").drop() +sp.disable_function.function("putenv").param("setting").value_r("LD_").drop(); +sp.disable_function.function("putenv").param("setting").value("PATH").drop(); # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 -sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() +sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop(); # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector -sp.disable_function.function("extract").pos("0").value_r("^_").drop() -sp.disable_function.function("extract").pos("1").value("0").drop() +sp.disable_function.function("extract").pos("0").value_r("^_").drop(); +sp.disable_function.function("extract").pos("1").value("0").drop(); # This is also burned: # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); # Since we have no way of matching on two parameters at the same time, we're # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. # Moreover, there are non-public bypasses that are also using this vector ;) -sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop() +sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop(); # Prevent various `include`-related vulnerabilities sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("require_once").drop() -sp.disable_function.function("include_once").drop() -sp.disable_function.function("require").drop() -sp.disable_function.function("include").drop() +sp.disable_function.function("require_once").drop(); +sp.disable_function.function("include_once").drop(); +sp.disable_function.function("require").drop(); +sp.disable_function.function("include").drop(); # Prevent `system`-related injections sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); @@ -77,13 +81,22 @@ sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\ sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); # Prevent runtime modification of interesting things +@condition PHP_VERSION_ID < 80000; sp.disable_function.function("ini_set").param("varname").value("assert.active").drop(); sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop(); sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop(); sp.disable_function.function("ini_set").param("varname").value("include_path").drop(); sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop(); +@condition PHP_VERSION_ID >= 80000; +sp.disable_function.function("ini_set").param("option").value("assert.active").drop(); +sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop(); +sp.disable_function.function("ini_set").param("option").value("memory_limit").drop(); +sp.disable_function.function("ini_set").param("option").value("include_path").drop(); +sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); +@end_condition; # Detect some backdoors via environment recon +@condition PHP_VERSION_ID < 80000; sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop(); sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop(); sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop(); @@ -99,6 +112,24 @@ sp.disable_function.function("is_callable").param("var").value("system").drop(); sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); sp.disable_function.function("is_callable").param("var").value("passthru").drop(); +@condition PHP_VERSION_ID >= 80000; +sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop(); +sp.disable_function.function("ini_get").param("option").value("open_basedir").drop(); +sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop(); +sp.disable_function.function("function_exists").param("function").value("eval").drop(); +sp.disable_function.function("function_exists").param("function").value("exec").drop(); +sp.disable_function.function("function_exists").param("function").value("system").drop(); +sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); +sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); +sp.disable_function.function("function_exists").param("function").value("passthru").drop(); +sp.disable_function.function("is_callable").param("value").value("eval").drop(); +sp.disable_function.function("is_callable").param("value").value("exec").drop(); +sp.disable_function.function("is_callable").param("value").value("system").drop(); +sp.disable_function.function("is_callable").param("value").value("shell_exec").drop(); +sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); +sp.disable_function.function("is_callable").param("value").value("passthru").drop(); +@end_condition; + # Ghetto error-based sqli detection # sp.disable_function.function("mysql_query").ret("FALSE").drop(); @@ -117,14 +148,32 @@ sp.disable_function.function("curl_setopt").param("value").value_r("file://").dr sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled"); # File upload -# On old PHP7 versions -#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); -#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); -# On PHP7.4+ +@condition PHP_VERSION_ID >= 80000; +sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); +@condition PHP_VERSION_ID >= 70400; sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop(); sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop(); +@condition PHP_VERSION_ID >= 70000; +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); +@end_condition; # Logging lockdown -sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop() -sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop() -sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop() +@condition PHP_VERSION_ID >= 70000; +sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop(); +sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop(); +sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop(); +@condition PHP_VERSION_ID >= 80000; +sp.disable_function.function("ini_set").param("option").value_r("error_log").drop(); +sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop(); +sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop(); +@end_condition; + +# Classic webshells patterns +sp.disable_function.function("system>base64_decode").drop(); +sp.disable_function.function("shell_exec>base64_decode").drop(); +sp.disable_function.function("exec>base64_decode").drop(); +sp.disable_function.function("passthru>base64_decode").drop(); +sp.disable_function.function("proc_open>base64_decode").drop(); +sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open"); diff --git a/config/default_php8.rules b/config/default_php8.rules deleted file mode 100644 index 0490654..0000000 --- a/config/default_php8.rules +++ /dev/null @@ -1,128 +0,0 @@ -# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io), -# for php8. -# It contains "reasonable" defaults that won't break your websites, -# and a lot of commented directives that you can enable if you want to -# have a better protection. - -# Harden the PRNG -sp.harden_random.enable(); - -# Disabled XXE -sp.xxe_protection.enable(); - -# Global configuration variables -# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS."); - -# Globally activate strict mode -# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict -# sp.global_strict.enable(); - -# Prevent unserialize-related exploits -# sp.unserialize_hmac.enable(); - -# Only allow execution of read-only files. This is a low-hanging fruit that you should enable. -# sp.readonly_exec.enable(); - -# PHP has a lot of wrappers, most of them aren't usually useful, you should -# only enable the ones you're using. -# sp.wrappers_whitelist.list("file,php,phar"); -# The "php" wrapper can be further filtered, e.g. to only allow `php://stdout`, `php://stdin` and `php://stderr`: -# sp.wrappers_whitelist.php_list("stdout,stdin,stderr"); - -# Prevent sloppy comparisons. -# sp.sloppy_comparison.enable(); - -# Use SameSite on session cookie -# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery -sp.cookie.name("PHPSESSID").samesite("lax"); - -# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) -sp.disable_function.function("chmod").param("permissions").value("438").drop(); -sp.disable_function.function("chmod").param("permissions").value("511").drop(); - -# Prevent various `mail`-related vulnerabilities -# Uncommend the second rule if you're using php8.3+ -#sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); -#sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop(); - -# Since it's now burned, me might as well mitigate it publicly -sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() -sp.disable_function.function("putenv").param("assignment").value("PATH").drop() - -# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 -sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() - -# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector -sp.disable_function.function("extract").param("array").value_r("^_").drop() -sp.disable_function.function("extract").param("flags").value("0").drop() - -# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html -# Since we have no way of matching on two parameters at the same time, we're -# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. -# Moreover, there are non-public bypasses that are also using this vector ;) -sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop() - -# Prevent various `include`-related vulnerabilities -sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("require_once").drop() -sp.disable_function.function("include_once").drop() -sp.disable_function.function("require").drop() -sp.disable_function.function("include").drop() - -# Prevent `system`-related injections -sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); -sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); -sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); -sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); - -# Prevent runtime modification of interesting things -sp.disable_function.function("ini_set").param("option").value("assert.active").drop(); -sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop(); -sp.disable_function.function("ini_set").param("option").value("memory_limit").drop(); -sp.disable_function.function("ini_set").param("option").value("include_path").drop(); -sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); - -# Detect some backdoors via environment recon -sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop(); -sp.disable_function.function("ini_get").param("option").value("open_basedir").drop(); -sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop(); -sp.disable_function.function("function_exists").param("function").value("eval").drop(); -sp.disable_function.function("function_exists").param("function").value("exec").drop(); -sp.disable_function.function("function_exists").param("function").value("system").drop(); -sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); -sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); -sp.disable_function.function("function_exists").param("function").value("passthru").drop(); -sp.disable_function.function("is_callable").param("value").value("eval").drop(); -sp.disable_function.function("is_callable").param("value").value("exec").drop(); -sp.disable_function.function("is_callable").param("value").value("system").drop(); -sp.disable_function.function("is_callable").param("value").value("shell_exec").drop(); -sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); -sp.disable_function.function("is_callable").param("value").value("passthru").drop(); - -# Ghetto error-based sqli detection -# sp.disable_function.function("mysql_query").ret("FALSE").drop(); -# sp.disable_function.function("mysqli_query").ret("FALSE").drop(); -# sp.disable_function.function("PDO::query").ret("FALSE").drop(); - -# Ensure that certificates are properly verified -sp.disable_function.function("curl_setopt").param("value").value("1").allow(); -sp.disable_function.function("curl_setopt").param("value").value("2").allow(); -# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER -sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off."); -sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off."); - -# Ensure that file:// protocol is not allowed in CURL -sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled"); -sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled"); - -# File upload -sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); -sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); - -# Logging lockdown -sp.disable_function.function("ini_set").param("option").value_r("error_log").drop() -sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop() -sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() diff --git a/debian/snuffleupagus.examples b/debian/snuffleupagus.examples index 1ed42a3..0073bab 100644 --- a/debian/snuffleupagus.examples +++ b/debian/snuffleupagus.examples @@ -1,2 +1 @@ config/default.rules -config/default_php8.rules -- cgit v1.3