_ _
___ _ _| |__ ___ ___(_)_ __
/ __| | | | '_ \ / _ \/ __| | '_ \
\__ \ |_| | | | | (_) \__ \ | | | |
|___/\__,_|_| |_|\___/|___/_|_| |_|
v0.9.6
Suhosin v0.9.6 - October 2, 2006
================================
Announcement
============
The Hardened-PHP Project is proud to announce the immediate
availability of the first stable releases of Suhosin-Patch
and Suhosin-Extension.
Suhosin is our advanced PHP protection system installations.
It was designed to and has already proved to be successful in
protecting servers and users from known and unknown flaws in
PHP applications and the PHP core.
Suhosin consists of two independent parts that can be used
separately or in combination. The first part is a small patch
against the PHP core that implements a few low-level protections
against buffer-overflows or format string vulnerabilities and the
second part is a feature-rich PHP extension that implements
a lot of security safeguards for your PHP installations.
Unlike our Hardening-Patch Suhosin is binary compatible to
normal PHP installations, which means it is compatible to 3rd
party binary extensions like ZendOptimizer or ZendPlatform.
With this first official stable release of Suhosin the
Hardening-Patch is declared deprecated and replaced by Suhosin.
Availability
============
This extension is available under the PHP License.
You can get the newest version at http://www.suhosin.org
Additionally Suhosin is available in the FreeBSD ports system
and soon in the Gentoo portage. The upcoming OpenSuSE version
most probably contains binary packages of Suhosin, too.
Support and Documentation
=========================
The installation how-to, the documentation and the FAQ for
Suhosin are available on the website:
http://www.suhosin.org
A users support forum is available under:
http://forum.hardened-php.net
Featurelist
===========
Engine Protection (only with patch)
-----------------------------------
* Protects the internal memory manager against buffer-overflows
with Canary and Safe-Unlink Protection
* Protects Destructors of Zend Hashtables
* Protects Destructors of Zend Linked-Lists
* Protects the PHP core and extensions against
format string vulnerabilities
* Protects against errors in certain libc realpath()
implementations
Misc Features
-------------
* Protection Simulation mode
* Adds the functions sha256() and sha256_file() to the PHP core
* Adds support for CRYPT_BLOWFISH to crypt() on all platforms
* EXPERIMENTAL SQL database user protection
Runtime Protection
------------------
* Transparent Cookie Encryption
* Protects against different (Remote-)Include Vulnerabilities
- disallows Remote URL inclusion (optional: black-/whitelisting)
- disallows inclusiong of uploaded files
- optionally stops directory traversal attacks
* Allows disabling the preg_replace() /e modifier
* Allows disabling eval()
* Protects against infinite recursion through a configurable
maximum execution depth
* Supports per Virtual Host / Directory configurable function
black- and whitelists
* Supports a separated function black- and whitelist for
evaluated code
* Protects against HTTP Response Splitting Vulnerabilities
* Protects against scripts manipulating the memory_limit
* Protects PHP's superglobals against extract()
and import_request_vars()
* Adds protection against newline attacks to mail()
* Adds protection against \0 attack on preg_replace()
Session Protection
------------------
* Transparent encryption of session data
* Transparent session hijacking protection
* Protection against overlong session identifiers
* Protection against malicious chars in session identifiers
Filtering Features
------------------
* Filters ASCIIZ characters from user input
* Ignores GET, POST, COOKIE variables with the following names:
- GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
- _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
- HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
- HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
* Allows enforcing limits on REQUEST variables or separated by
type (GET, POST, COOKIE)
* Supports a number of variables per request limit
* Supports a maximum length of variable names
[with and without indicies]
* Supports a maximum length of array indicies
* Supports a maximum length of variable values
* Supports a maximum depth of arrays
* Allows only a configurable number of uploaded files
* Supports verification of uploaded files through an external script
* Supports automatic banning of uploaded ELF executables
* Supports automatic banning of uploaded binary files
* Supports automatic stripping of binary content in uploaded files
* Configurable action on violation
- just block violating variables
- send HTTP response code
- redirect the browser
- execute another PHP script
Logging Features
----------------
* Supports multiple log devices
(syslog, SAPI module error log, external logging script)
* Supports freely configurable syslog facility and priority
* Supports log device separated selection of alert types to log
* Alerts contain filename and linenumber that triggered it
* Alerts contain the IP address of the user triggering it
* The IP Address can also be extracted from X-Forwarded-For
HTTP headers (f.e. for reverse proxy setups)
Copyright
=========
(C) Copyright 2006 Hardened-PHP Project
Stefan Esser / 2006-10-02
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
