Suhosin Feature List

Feature List - Suhosin Patch

Engine Protection

  • Protects the internal memory manager against bufferoverflows with Canary and SafeUnlink Protection
  • Protects Destructors of Zend Hashtables
  • Protects Destructors of Zend Linked-Lists
  • Protects the PHP core and extensions against format string vulnerabilities
  • Protects against errors in certain libc realpath() implementations

Feature List - Suhosin Extension

Misc Features

  • Protection Simulation mode :!:
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Transparent protection of open phpinfo() pages
  • EXPERIMENTAL SQL database user protection

Runtime Protection

  • Transparent Cookie Encryption :!:
  • Protects against different kinds of (Remote-)Include Vulnerabilities
    • disallows Remote URL inclusion (optional: black-/whitelisting)
    • disallows inclusiong of uploaded files
  • optionally stops directory traversal attacks
  • Allows disabling the preg_replace() /e modifier
  • Allows disabling eval()
  • Protects against infinite recursion through a configureabel maximum execution depth
  • Supports per Virtual Host / Directory configureable function black- and whitelists
  • Supports a separated function black- and whitelist for evaluated code
  • Protects against HTTP Response Splitting Vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP‘s superglobals against extract() and import_request_vars()
  • Adds protection against newline attacks to mail()
  • Adds protection against 0 attack on preg_replace()

Session Protection

  • Transparent encryption of session data :!:
  • Transparent session hijacking protection :!:
  • Protection against overlong session identifiers
  • Protection against malicious chars in session identifiers

Filtering Features

  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names: GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • Allows enforcing limits on REQUEST variables or separated by type (GET, POST, COOKIE)
    • Supports a number of variables per request limit
    • Supports a maximum length of variable names [with and without indicies]
    • Supports a maximum length of array indicies
    • Supports a maximum length of variable values
    • Supports a maximum depth of arrays
  • Allows only a configureable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables
  • Supports automatic banning of uploaded binary files
  • Supports automatic stripping of binary content in uploaded files
  • Configureable action on violation
    • just block violating variables
    • send HTTP response code
    • redirect the browser
    • execute another PHP script

Logging Features

  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports freely configureable syslog facility and priority
  • Supports log device separated selection of alert types to log
  • Alerts contain filename and linenumber that triggered it
  • Alerts contain the IP address of the user triggering it
  • The IP Address can also be extracted from X-Forwarded-For HTTP headers (f.e. for reverse proxy setups)