Securing PHP using Hardening Patch and Suhosin

By balaji

June 13, 2009

The National Vulnerability Database shows that 953 vulnerabilities were discovered in PHP during the first quarter of 2009. Most of the PHP vulnerabilities can be exploited remotely. Threats to database and web servers linked to PHP applications are high since PHP programs are executed dynamically on the server side. So when it comes to PHP Security, ignorance is definitely not blissful. There are several methods to secure PHP. We discuss the use of hardening patches and its extensions in this article.


PHP installations can be secured by using the patches and extensions provided by the Hardened-PHP project.

  • The Hardening-Patch adds security hardening features to the PHP core that protect servers against a number of well-known issues in PHP applications, and also against potentially unknown vulnerabilities.
  • Suhosin is an extension derived from the Hardening-Patch. It adds new security filters and PHP security settings in order to protect users from known and unknown flaws in PHP applications.

Hardening-Patch

The Hardening-Patch provides additional features that protect servers against careless and vulnerable programming practices. Hardened-PHP claims that by applying the Hardening-Patch, servers can be protected against buffer overflows and Zend Engine related vulnerabilities.

Hardening-Patch v0.4.14 is the latest release from Hardened-PHP project.

Suhosin


Suhosin is an extension and the successor of the Hardening-Patch for PHP. Suhosin means "guardian angel" in Korean. The Suhosin extension protects servers against buffer overflows, insecure programming techniques and other known and unknown vulnerabilities in PHP.

The Suhosin extension was designed in two parts: first, core-level protection, and second, high-level protection in PHP. Core-level protection of the Zend Engine shields the core from buffer overflow attacks. High-level protection includes runtime protection, filtering and logging features. The two parts are independent and can be used alone or in combination, at the user's discretion.

Core Level Protection

Zend Engine Protection

The Zend Engine is the open source scripting engine that executes PHP. It gives PHP a wider range of functionality: debuggers, performance boosters and custom loaders. Suhosin's core-level protection adds several security enhancements at this layer:

  • Memory Manager Hardening (Canary/Safe-Unlink)
  • Hash table destructor protection
  • Protection against format string vulnerabilities
  • realpath() library protection
  • SQL Injection detection

High Level Protection

Runtime Protection

  • Protection against known and unknown bugs
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Protection against Remote Inclusion attacks
  • Transparent Session/Cookie Encryption
  • Protection against newline attacks to mail()

Filtering Features

  • External scripts can be used for verification of uploaded files
  • User inputs can be filtered for ASCIIZ characters
  • Limits can be enforced on REQUEST variables
  • Only configurable files can be uploaded

Logging Features

  • Supports many output channels
    • Syslog, shell script, PHP script
  • Multiple log levels
    • Alerts contain the filename, line number and attacker IP that triggered them
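As an added example that is not part of the original article, the following php.ini fragment wires up the runtime, filtering and logging features listed above. Directive names are Suhosin's; all values, paths and key material are illustrative placeholders to be tuned per site.

```ini
; Added example php.ini fragment, not from the article or the Suhosin project.
; Directive names are Suhosin's; values, key material and paths are placeholders.
extension = suhosin.so

; Audit first: log what would be blocked without actually blocking it,
; then set this to Off once the alerts show no legitimate traffic is affected.
suhosin.simulation = On

; Runtime protection (see the list above)
suhosin.session.encrypt = On
suhosin.session.cryptkey = "PLACEHOLDER-long-random-secret"   ; per-site secret, keep out of version control
suhosin.cookie.encrypt  = On
suhosin.cookie.cryptkey = "PLACEHOLDER-second-random-secret"
suhosin.mail.protect    = 2            ; level 2 also blocks newline-injected headers in mail()
suhosin.executor.include.allow_writable_files = Off   ; never include files the web user can write
suhosin.executor.disable_eval = Off    ; turn On only after confirming the application does not use eval()

; Filtering: REQUEST limits, NUL bytes, uploads
suhosin.request.max_vars           = 200
suhosin.request.max_varname_length = 64
suhosin.request.max_value_length   = 65000
suhosin.post.max_vars              = 200
suhosin.request.disallow_nul       = On   ; drop input containing ASCIIZ (embedded NUL) characters
suhosin.upload.max_uploads         = 5
suhosin.upload.disallow_elf        = On   ; reject uploads that start with an ELF header
suhosin.upload.verification_script = /usr/local/bin/verify-upload.sh   ; external checker, placeholder path

; Logging: syslog plus a shell script for out-of-band alerting
suhosin.log.syslog      = 511   ; S_ALL: every alert class
suhosin.log.script      = 511
suhosin.log.script.name = /usr/local/bin/suhosin-alert.sh   ; placeholder path
```

Review the simulation-mode alerts against real traffic before enforcing, since the request limits above are deliberately tighter than Suhosin's defaults.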

Isn't it better to write secure code, instead?

Programmers have the option to choose these patches and extensions to secure their PHP applications. In theory, patches and extensions are not required if programmers write secure code and no third-party PHP code is used. In practice, it is never that simple.

Further, consider that yesterday's secure practice might be inadequate today. For instance, take yesterday's recommendation for "PHP Remote Code Inclusion Vulnerabilities": disabling allow_url_fopen and allow_url_include. According to the Hardened-PHP project, "PHP Remote Code Inclusion Vulnerabilities" cannot be fixed just by disabling allow_url_fopen and allow_url_include in the PHP configuration, because these directives do not protect against attacks through php://input or data:// URLs. Both the Hardening-Patch and Suhosin, on the other hand, can protect PHP applications against these attacks.
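The application-level side of the same point, as an added example that is not from the article or the Suhosin project: the vulnerable include pattern that the ini directives are meant to rescue, beside a version that removes request data from the path entirely. PAGE_DIR, ALLOWED_PAGES and the function names are assumed for this example.

```php
<?php
// Added example (not from the article or the Suhosin project) contrasting the
// bug class the article discusses with an application-level fix.

// Vulnerable pattern: request data becomes the include path as-is. Whether a
// stream wrapper such as php://input or data:// gets through then depends on
// ini settings, which is exactly the fragility the article describes.
function includePageVulnerable(string $page): void
{
    include $page; // do not use: the caller controls the whole path
}

// Hardened pattern: the request parameter is only a key into a fixed
// allow-list, and the resolved file must still lie under PAGE_DIR.
// PAGE_DIR and ALLOWED_PAGES are assumed names for this example.
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolvePage(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null; // anything with a scheme, a slash or ".." already fails here
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    // realpath() resolves symlinks and returns false for missing files; the
    // prefix check is defence in depth against a symlink pointing outside PAGE_DIR.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includePageHardened(string $requested): bool
{
    $path = resolvePage($requested);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Constructed inputs; 'home' resolves only if pages/home.php exists on disk.
foreach (['home', 'php://input', 'data://text/plain,x', 'about/../about'] as $candidate) {
    printf("%-24s %s\n", $candidate, resolvePage($candidate) === null ? 'rejected' : 'allowed');
}
```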

Since these patches and extensions do not hinder functionality, we strongly recommend that PHP programmers implement them and stay on the safer side.
