From c473be13687ebd98c328f390d936be311dae7db6 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 17 Jan 2018 14:53:40 +0100 Subject: Our configuration files are ending in .rules, not .ini This commit fixes the documentation, our shipped configuration files, and the related tests. Thanks to @remicollet for the tip --- config/default.ini | 54 -------------------------------- config/default.rules | 54 ++++++++++++++++++++++++++++++++ config/examples.ini | 41 ------------------------ config/examples.rules | 41 ++++++++++++++++++++++++ doc/source/config.rst | 6 ++-- src/tests/example_configuration.phpt | 2 +- src/tests/inexistent_conf_file_list.phpt | 2 +- src/tests/shipped_configuration.phpt | 2 +- 8 files changed, 101 insertions(+), 101 deletions(-) delete mode 100644 config/default.ini create mode 100644 config/default.rules delete mode 100644 config/examples.ini create mode 100644 config/examples.rules diff --git a/config/default.ini b/config/default.ini deleted file mode 100644 index 88398c1..0000000 --- a/config/default.ini +++ /dev/null @@ -1,54 +0,0 @@ -# Harden the `chmod` function -sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); -sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop(); - -# Prevent various `mail`-related vulnerabilities -sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); - -##Prevent various `include`-related vulnerabilities -sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); -sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); -sp.disable_function.function_r("^(?:require|include)_once$").drop(); -sp.disable_function.function_r("^require|include$").drop(); - -# Prevent `system`-related injections -sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); -sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop(); -sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop(); -sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop(); - -# Prevent runtime modification of interesting things -sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop(); -sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop(); -sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop(); -sp.disable_function.function("ini_set").param("var_name").value("include_path").drop(); -sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop(); - -# Detect some backdoors via environnement recon -sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop(); -sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop(); -sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop(); - -# Ghetto sqli hardening -sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop(); -sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); -sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); -sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); - -# Ghetto sqli detection -sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop(); -sp.disable_function.function_r("PDO::query").ret("FALSE").drop(); - -#File upload -sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); -sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); diff --git a/config/default.rules b/config/default.rules new file mode 100644 index 0000000..88398c1 --- /dev/null +++ b/config/default.rules @@ -0,0 +1,54 @@ +# Harden the `chmod` function +sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); +sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop(); + +# Prevent various `mail`-related vulnerabilities +sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); + +##Prevent various `include`-related vulnerabilities +sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); +sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); +sp.disable_function.function_r("^(?:require|include)_once$").drop(); +sp.disable_function.function_r("^require|include$").drop(); + +# Prevent `system`-related injections +sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); +sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop(); +sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop(); +sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop(); + +# Prevent runtime modification of interesting things +sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop(); +sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop(); +sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop(); +sp.disable_function.function("ini_set").param("var_name").value("include_path").drop(); +sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop(); + +# Detect some backdoors via environnement recon +sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop(); +sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop(); +sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop(); + +# Ghetto sqli hardening +sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop(); +sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); +sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); +sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); + +# Ghetto sqli detection +sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop(); +sp.disable_function.function_r("PDO::query").ret("FALSE").drop(); + +#File upload +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); diff --git a/config/examples.ini b/config/examples.ini deleted file mode 100644 index 664a67a..0000000 --- a/config/examples.ini +++ /dev/null @@ -1,41 +0,0 @@ -# Restrict system calls to specific file -sp.disable_function.function("system").filename("/update.php").allow(); -sp.disable_function.function("system").drop(); - - -# Restrict system calls to specific file with a specific hash -sp.disable_function.function("system").filename("/update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow(); -sp.disable_function.function("system").drop(); - - -# AbanteCart 1.2.8 - Multiple SQL Injections -sp.disable_function.filename("/core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop(); -sp.disable_function.filename("/admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop(); - - -# Redaxo 5.2.0: Remote Code Execution via CSRF -# See for details -sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop(); - - -# Guest Post: Vtiger 6.5.0 - SQL Injection -sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop(); - - -# The State of Wordpress Security -# All In One WP Security & Firewall -sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop(); - - -# PHPKit 1.6.6: Code Execution for Privileged Users -sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop(); - - -# Coppermine 1.5.42: Second-Order Command Execution -sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]").value_r("[^a-z0-9]").drop(); -sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop(); - - -# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html -sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop(); -sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop(); diff --git a/config/examples.rules b/config/examples.rules new file mode 100644 index 0000000..664a67a --- /dev/null +++ b/config/examples.rules @@ -0,0 +1,41 @@ +# Restrict system calls to specific file +sp.disable_function.function("system").filename("/update.php").allow(); +sp.disable_function.function("system").drop(); + + +# Restrict system calls to specific file with a specific hash +sp.disable_function.function("system").filename("/update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow(); +sp.disable_function.function("system").drop(); + + +# AbanteCart 1.2.8 - Multiple SQL Injections +sp.disable_function.filename("/core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop(); +sp.disable_function.filename("/admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop(); + + +# Redaxo 5.2.0: Remote Code Execution via CSRF +# See for details +sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop(); + + +# Guest Post: Vtiger 6.5.0 - SQL Injection +sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop(); + + +# The State of Wordpress Security +# All In One WP Security & Firewall +sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]").value_r("\"").drop(); + + +# PHPKit 1.6.6: Code Execution for Privileged Users +sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop(); + + +# Coppermine 1.5.42: Second-Order Command Execution +sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]").value_r("[^a-z0-9]").drop(); +sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop(); + + +# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html +sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop(); +sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop(); diff --git a/doc/source/config.rst b/doc/source/config.rst index 794d8b0..c7e1346 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -4,10 +4,10 @@ Configuration Since PHP *ini-like* configuration model isn't flexible enough, Snuffleupagus is using its own format in the file specified by the directive ``sp.configuration_file`` (in your ``php.ini`` file), -like ``sp.configuration_file=/etc/php/conf.d/snuffleupagus.ini``. +like ``sp.configuration_file=/etc/php/conf.d/snuffleupagus.rules``. You can use the ``,`` separator to include multiple configuration files : -``sp.configuration_file=/etc/php/conf.d/snuffleupagus.ini,/etc/php/conf.d/sp_wordpress.ini`` +``sp.configuration_file=/etc/php/conf.d/snuffleupagus.rules,/etc/php/conf.d/sp_wordpress.rules`` Options are chainable by using dots (``.``) and string parameters **must** be quoted, while booleans and integers aren't. @@ -399,5 +399,5 @@ The following rules will: Miscellaneous examples """""""""""""""""""""" -.. literalinclude:: ../../config/examples.ini +.. literalinclude:: ../../config/examples.rules :language: python diff --git a/src/tests/example_configuration.phpt b/src/tests/example_configuration.phpt index 74bdb49..6c2e82d 100644 --- a/src/tests/example_configuration.phpt +++ b/src/tests/example_configuration.phpt @@ -3,7 +3,7 @@ Shipped configuration --SKIPIF-- --INI-- -sp.configuration_file={PWD}/../../config/examples.ini +sp.configuration_file={PWD}/../../config/examples.rules --FILE-- --INI-- -sp.configuration_file={PWD}/../../config/default.ini,{PWD}/non_existent_configuration_file +sp.configuration_file={PWD}/../../config/default.rules,{PWD}/non_existent_configuration_file --FILE-- --EXPECTF-- diff --git a/src/tests/shipped_configuration.phpt b/src/tests/shipped_configuration.phpt index c060a85..dd6b92b 100644 --- a/src/tests/shipped_configuration.phpt +++ b/src/tests/shipped_configuration.phpt @@ -3,7 +3,7 @@ Shipped configuration --SKIPIF-- --INI-- -sp.configuration_file={PWD}/../../config/default.ini +sp.configuration_file={PWD}/../../config/default.rules --FILE--