From 6347fa7afa8936ad53c108f15a2ea6ccacd812fb Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 16 Oct 2019 00:52:50 +0200
Subject: Fix the default configuration ini_[sg]et first parameter is actually varname, and not var_name. Thanks to @gergo314 for flagging this!
---
 config/default.rules | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'config/default.rules')
diff --git a/config/default.rules b/config/default.rules
index 82f8b5d..dc749e5 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -66,16 +66,16 @@ sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # Prevent runtime modification of interesting things
-sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
-sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
-sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
-sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
-sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
+sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
+sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
 # Detect some backdoors via environnement recon
-sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop();
-sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop();
-sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop();
+sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
 sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
 sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
 sp.disable_function.function("function_exists").param("function_name").value("system").drop();
-- cgit v1.3
From f0d873bd8295f06773f66b359581902a3b528341 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 24 Apr 2020 15:12:43 +0200
Subject: Add yet another disabled_functions bypass
---
 config/default.rules | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'config/default.rules')
diff --git a/config/default.rules b/config/default.rules
index dc749e5..1446fb8 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -42,6 +42,9 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
 # Since it's now burned, me might as well mitigate it publicly
 sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
+# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
+sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
 # Since we have no way of matching on two parameters at the same time, we're
-- cgit v1.3
From bbdf470f4e2d87d90c9ea11f4ce572e4416ffeab Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 25 Apr 2020 15:08:40 +0200
Subject: Add yet an other stupid things to the default set of rules
---
 config/default.rules | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'config/default.rules')
diff --git a/config/default.rules b/config/default.rules
index 1446fb8..9dfa68e 100644
--- a/config/default.rules
+++ b/config/default.rules
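Review bot: The corrected `varname` makes all eight ini_set/ini_get rules depend on PHP's internal parameter name, and the misspelling they replace shows that a mismatch is not reported at load time — the rule simply never matches and the hardening it describes is absent, which is how `var_name` survived in the default configuration until someone noticed. PHP 8 renamed this parameter to `option` for both `ini_set` and `ini_get`, so the same silent breakage will recur on upgrade unless the name is maintained per PHP version. Suggest a comment above the block, e.g. `# .param() names must be the running PHP version's own parameter names (PHP 7: varname); re-verify on PHP upgrades`, plus a test in the suite that asserts at least one of these rules actually triggers.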
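Review bot: `value_r("GCONV_")` on the added putenv rule is unanchored, so it drops any putenv() whose whole `NAME=value` string contains that text, including in the value part; that mirrors the `LD_` rule above it and is the conservative choice, but nothing in the hunk says the breadth is intentional. The comment only points at a gist, so the reason for the rule disappears with the link; suggest naming the variable family being blocked, e.g. `# blocks GCONV_* (presumably GCONV_PATH, see the gist below) for the same reason as LD_* above`. If a narrower match is ever wanted, anchoring on the variable name (`^GCONV_`) is the place to do it, but the broad form is the safer default.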
@@ -45,6 +45,9 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").param("array").value_r("^_").drop()
+
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
 # Since we have no way of matching on two parameters at the same time, we're
-- cgit v1.3
From 7f5f00eaa6be38e4fe39e3eb6424c2be7fd40907 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 25 Apr 2020 15:29:00 +0200
Subject: Fix and improve the previous commit
---
 config/default.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'config/default.rules')
diff --git a/config/default.rules b/config/default.rules
index 9dfa68e..040a54b 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -46,7 +46,8 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").param("array").value_r("^_").drop()
+sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
+sp.disable_function.function("extract").param("extract_type").value("0").drop()
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
-- cgit v1.3
From e9ca6c39ac734e0e37f78405293e551d7f2863d0 Mon Sep 17 00:00:00 2001
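Review bot: The new `extract_type` rule (second added line of the -46,7 hunk) is independent of the superglobal match on the line above it: it drops any extract() call whose type argument is 0 (EXTR_OVERWRITE) regardless of which array is passed, so `extract($row, EXTR_OVERWRITE)` on trusted data is blocked as well. Whether a one-argument extract() (type defaulting to 0) is also matched depends on whether the engine sees default values for omitted parameters, which the hunk cannot tell us; either way the rule's real scope should be written down, e.g. `# NOTE: drops every extract() using EXTR_OVERWRITE, not only on superglobals — deliberate, since two parameters cannot be matched together (see below)`. The `^_` matcher on `var_array` (carried over from the -45,6 hunk in the same commit series) covers any underscore-prefixed name, not only `$_GET`/`$_POST` as the comment suggests; if the engine matches the variable name rather than the array contents, say in the comment that the breadth is intended, and if it matches contents, the rule needs a different matcher.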
From: jvoisin
Date: Thu, 1 Aug 2019 11:13:15 +0200
Subject: Lockdown of the logging directives This is done to prevent an attacker who obtained arbitrary code execution to mess with the logging configuration.
---
 config/default.rules | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'config/default.rules')
diff --git a/config/default.rules b/config/default.rules
index 040a54b..05dd91d 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -138,3 +138,8 @@ sp.disable_function.function("curl_setopt").param("option").value("81").drop().a
 #File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+
+# Logging lockdown
+sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()
-- cgit v1.3
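Review bot: The lockdown pins `error_log`, `error_reporting` and `display_errors` but not `log_errors`, so the ini_set path to switching error logging off entirely is left open while the three directives around it are protected; suggest adding `sp.disable_function.function("ini_set").param("varname").value_r("log_errors").drop()` to the block. The reporting level can also be changed through the `error_reporting()` function itself, which none of these ini_set rules observe, so a matching `disable_function` rule on that function is worth considering for the same goal the commit message states. Minor style: the three new rules omit the trailing `;` that the `move_uploaded_file` lines directly above them end with, so the file now mixes both forms within a few lines.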