Release of Snuffleupagus 0.5.1, module for blocking vulnerabilities in PHP applications

After a year of development, the Snuffleupagus project has published release 0.5.1, a module for the PHP 7 interpreter that improves the security of the environment and blocks typical errors that lead to vulnerabilities in running PHP applications. The module also allows virtual patches to be created that fix specific problems without changing the source code of the vulnerable application, which is convenient in mass hosting environments where it is impossible to keep every user's application up to date. The overhead of running the module is estimated as minimal. The module is written in C, loaded as a shared library ("extension=snuffleupagus.so" in php.ini), and distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that lets you apply standard templates to increase security, as well as create your own rules to control input data and function parameters. For example, the rule "sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();" restricts the use of special characters in arguments to the system() function without changing the application. Built-in methods are provided to block classes of vulnerabilities such as problems related to data serialization, unsafe use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems caused by loading files containing executable code (for example, in the phar format), poor-quality random number generation and injection of invalid XML constructs.

The PHP hardening modes provided in Snuffleupagus are:

  • Automatic enabling of the "secure" and "samesite" (CSRF protection) flags for cookies, and cookie encryption;
  • Built-in set of rules to detect traces of attacks and compromised applications;
  • Forced global enabling of "strict" mode (for example, blocking an attempt to pass a string where an integer argument is expected) and protection against type manipulation;
  • Blocking of protocol wrappers by default (for example, prohibiting "phar://"), with explicit permission via a whitelist;
  • Prohibition on executing files that are writable;
  • Blacklists and whitelists for eval;
  • Enabling mandatory TLS certificate validation when using curl;
  • Adding an HMAC to serialized objects to ensure that deserialization retrieves the data stored by the original application;
  • Request logging mode;
  • Blocking the loading of external files in libxml from links in XML documents;
  • Ability to attach external handlers (upload_validation) to check and scan uploaded files.

Among the changes in the new release: improved support for PHP 7.4 and compatibility with the PHP 8 branch under development. Added the ability to log events via syslog (the sp.log_media directive was proposed for inclusion; it can take the values php or syslog). The default rule set has been updated with new rules for recently identified vulnerabilities and attack techniques against web applications. Improved support for macOS and expanded use of the GitLab-based continuous integration platform.
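As an added example that is not part of the article or of the project's own files, a Snuffleupagus rules file that combines the system() rule quoted above with directives for the hardening modes listed and the new syslog logging; apart from that quoted rule, the directive names follow the project's configuration documentation as I know it, so check them against the reference shipped with your installed version, and the secret key and script path are placeholders to replace.

```conf
# Virtual patch from the article: reject shell metacharacters passed to system().
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

# Key used for cookie encryption and for the HMAC on serialized data (placeholder value).
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_SECRET");

# Cookie hardening: add the secure flag to every cookie, set samesite on and
# encrypt the session cookie so the client never sees the raw session id.
sp.auto_cookie_secure.enable();
sp.cookie.name("PHPSESSID").samesite("lax");
sp.cookie.name("PHPSESSID").encrypt();

# Force strict_types globally and block loose-comparison type juggling.
sp.global_strict.enable();
sp.sloppy_comparison.enable();

# Only the listed stream wrappers are allowed; phar:// is blocked because it is absent.
sp.wrappers_whitelist.list("file,php");

# Refuse to execute PHP files that are writable by the web server user.
sp.readonly_exec.enable();

# Code run through eval() may not call these functions.
sp.eval_blacklist.list("system,exec,shell_exec,passthru,popen,proc_open");

# Stronger random numbers, authenticated unserialize(), no external entities in libxml.
sp.harden_random.enable();
sp.unserialize_hmac.enable();
sp.disable_xxe.enable();

# Hand every uploaded file to an external validation script (placeholder path).
sp.upload_validation.script("/usr/local/bin/check_upload.sh").enable();

# Logging target added in 0.5.1: "syslog" here, or "php" for the PHP error log.
sp.log_media("syslog");
```

Roll new rules out with .simulation() in place of .drop() first so that hits are only logged, then switch to .drop() once the logs show no legitimate traffic matching.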

Source: opennet.ru
