
Feature List

Engine Protection (only with patch)

Misc Features

  • Protection Simulation mode :!:
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Transparent protection of open phpinfo() pages
  • EXPERIMENTAL SQL database user protection

Runtime Protection

  • Transparent Cookie Encryption :!:
  • Protects against different kinds of (Remote-)Include Vulnerabilities
    • disallows Remote URL inclusion (optional: black-/whitelisting)
    • disallows inclusion of uploaded files
    • optionally stops directory traversal attacks
  • Allows disabling the preg_replace() /e modifier
  • Allows disabling eval()
  • Supports function blacklists and whitelists configurable per virtual host or directory
  • Protects against HTTP Response Splitting Vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP's superglobals against extract() and import_request_vars()
  • Adds protection against newline attacks to mail()
  • Adds protection against \0 attack on preg_replace()
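The response-splitting and mail() newline protections in the list above come down to one check on untrusted header values before they reach header() or mail(). The following is an added example written for this page, not Suhosin's own code; the function names are illustrative and the sample inputs are constructed.

```php
<?php
// Added example (not Suhosin's code): reject header values that could start a new
// header line (CR/LF) or cut the value short (NUL) before header() or mail() see them.

/** Returns the value unchanged, or throws if it could split a header block. */
function assert_safe_header_value(string $value): string
{
    // CR, LF and NUL are the bytes that let a value inject further headers or a body.
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains CR, LF or NUL');
    }
    return $value;
}

/** Sets a Location header only when the target cannot split the response. */
function safe_redirect(string $target): void
{
    header('Location: ' . assert_safe_header_value($target));
}

/** Builds the additional_headers string for mail() from untrusted fields. */
function build_mail_headers(string $from, string $replyTo): string
{
    return 'From: ' . assert_safe_header_value($from) . "\r\n"
         . 'Reply-To: ' . assert_safe_header_value($replyTo) . "\r\n";
}

// Constructed inputs: a benign address and one that carries an extra header line.
$benign   = 'webmaster@example.com';
$injected = "user@example.com\r\nX-Injected: 1";

echo build_mail_headers($benign, $benign);   // accepted: two well-formed header lines

try {
    build_mail_headers($benign, $injected);  // rejected before mail() is ever called
} catch (InvalidArgumentException $e) {
    // Log like Suhosin would: the alert names what was blocked, the value is not echoed back.
    error_log('blocked header injection in Reply-To: ' . $e->getMessage());
}
```

Recent PHP versions refuse bare newlines in header() and in mail()'s address and header arguments themselves, so a wrapper like this is mainly a single choke point where you can log the event and decide on a response action, which is what the extension provides for older interpreters.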

Session Protection

  • Transparent encryption of session data :!:
  • Transparent session hijacking protection :!:
  • Protection against overlong session identifiers
  • Protection against malicious chars in session identifiers
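The session checks listed above can be reproduced in plain PHP around session_start(). The block below is an added example for this page, not Suhosin's implementation: the identifier length limit is an assumed value, and binding the session to an HMAC of the User-Agent is one common way to implement hijacking protection, not necessarily the method the extension uses.

```php
<?php
// Added example (not Suhosin's code): validate the incoming session identifier and
// bind the session to a client fingerprint so a replayed cookie is detected.

// Assumed upper bound; PHP's own ids are far shorter, so anything near this is suspect.
const SESSION_ID_MAX_LENGTH = 128;

/** Rejects overlong identifiers and any byte outside PHP's session-id alphabet. */
function session_id_is_acceptable(string $id): bool
{
    return strlen($id) <= SESSION_ID_MAX_LENGTH
        && preg_match('/\A[A-Za-z0-9,-]+\z/', $id) === 1;
}

/** Client fingerprint the session is bound to; keyed so it cannot be precomputed. */
function client_fingerprint(string $serverSecret): string
{
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $userAgent, $serverSecret);
}

/** Starts the session with both protections applied; $serverSecret comes from config, not the request. */
function start_protected_session(string $serverSecret): void
{
    $cookie = $_COOKIE[session_name()] ?? null;
    if ($cookie !== null && !session_id_is_acceptable($cookie)) {
        // Malformed id: never hand it to the save handler, start from a fresh one instead.
        error_log('rejected malformed session id from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        session_id(session_create_id());
    }

    session_start();

    $fingerprint = client_fingerprint($serverSecret);
    if (isset($_SESSION['__fp']) && !hash_equals($_SESSION['__fp'], $fingerprint)) {
        // Same cookie, different client: treat as hijacking, drop the data and rotate the id.
        error_log('session fingerprint mismatch, discarding session');
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['__fp'] = $fingerprint;
}
```

Usage is a single call before any code touches $_SESSION: start_protected_session($secretFromConfig). Binding to the User-Agent only catches the crude case where the stolen cookie is used from a different client; it does not replace TLS, HttpOnly cookies, or regenerating the id on login.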

Filtering Features

  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names:
    • GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
    • _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
    • HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
    • HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • Allows enforcing limits on REQUEST variables, either overall or separately by type (GET, POST, COOKIE)
    • Supports a limit on the number of variables per request
    • Supports a maximum length of variable names (with and without indices)
    • Supports a maximum length of array indices
    • Supports a maximum length of variable values
    • Supports a maximum depth of arrays
  • Allows only a configurable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables
  • Supports automatic banning of uploaded binary files
  • Supports automatic stripping of binary content in uploaded files
  • Configurable action on violation
    • just block violating variables
    • send HTTP response code
    • redirect the browser
    • execute another PHP script
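To make the filtering features concrete, here is an added example of a request-variable filter that applies the same rules the list describes: it drops variables whose names collide with the superglobal names above, filters ASCIIZ (NUL) bytes, and enforces limits on variable count, name length, index length, value length and array depth. It is not Suhosin's code; the class name, method names and the default limit values are assumptions, and the sample request is constructed.

```php
<?php
// Added example (not Suhosin's code): a request-variable filter implementing the
// Filtering Features rules. Limit values are assumed defaults, not the extension's.

final class RequestFilter
{
    // Names a request must never set: the superglobals and their legacy aliases (from the feature list).
    private const RESERVED_NAMES = [
        'GLOBALS', '_COOKIE', '_ENV', '_FILES', '_GET', '_POST', '_REQUEST',
        '_SERVER', '_SESSION', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS',
        'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_POST_FILES',
        'HTTP_RAW_POST_DATA', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS',
    ];

    private array $limits;
    private array $alerts = [];

    public function __construct(array $limits = [])
    {
        $this->limits = $limits + [
            'max_vars'         => 200,      // variables per request
            'max_name_length'  => 64,       // variable name without indices
            'max_index_length' => 64,       // one array index
            'max_value_length' => 1000000,  // one scalar value, in bytes
            'max_array_depth'  => 50,       // nesting of arrays
        ];
    }

    /** Returns $vars with violating entries dropped; the reasons are collected in alerts(). */
    public function filter(array $vars, string $source): array
    {
        $clean = [];
        $count = 0;
        foreach ($vars as $name => $value) {
            $name = (string) $name;
            if (++$count > $this->limits['max_vars']) {
                $this->alert($source, "more than {$this->limits['max_vars']} variables, rest dropped");
                break;
            }
            if (in_array($name, self::RESERVED_NAMES, true)) {
                $this->alert($source, "attempt to set reserved variable '$name'");
                continue;
            }
            if (strlen($name) > $this->limits['max_name_length']) {
                $this->alert($source, 'variable name exceeds ' . $this->limits['max_name_length'] . ' bytes');
                continue;
            }
            $reason = $this->check($value, 1);
            if ($reason !== null) {
                $this->alert($source, "variable '$name': $reason");
                continue;
            }
            $clean[$name] = $value;
        }
        return $clean;
    }

    /** Recursively validates one value; null means acceptable, otherwise the reason. */
    private function check($value, int $depth): ?string
    {
        if (is_array($value)) {
            if ($depth > $this->limits['max_array_depth']) {
                return "array nested deeper than {$this->limits['max_array_depth']} levels";
            }
            foreach ($value as $index => $item) {
                if (strlen((string) $index) > $this->limits['max_index_length']) {
                    return 'array index too long';
                }
                $reason = $this->check($item, $depth + 1);
                if ($reason !== null) {
                    return $reason;
                }
            }
            return null;
        }
        $value = (string) $value;
        if (strpos($value, "\0") !== false) {
            return 'ASCIIZ (NUL) byte in value';
        }
        if (strlen($value) > $this->limits['max_value_length']) {
            return 'value too long';
        }
        return null;
    }

    private function alert(string $source, string $reason): void
    {
        // Suhosin-style alert: source, client address and reason; see the Logging Features.
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        $this->alerts[] = sprintf('[%s] %s: %s', $source, $ip, $reason);
    }

    public function alerts(): array
    {
        return $this->alerts;
    }
}

// Constructed sample POST: one benign field, one attempt to overwrite $_SESSION,
// one value carrying a NUL byte, and one array nested 60 levels deep.
$deep = 'x';
for ($i = 0; $i < 60; $i++) {
    $deep = [$deep];
}
$sample = [
    'user'     => 'alice',
    '_SESSION' => ['admin' => 1],
    'file'     => "report.pdf\0.php",
    'nested'   => $deep,
];

$filter = new RequestFilter(['max_array_depth' => 50]);
$clean  = $filter->filter($sample, 'POST');
print_r($clean);            // only 'user' => 'alice' survives
print_r($filter->alerts()); // three alerts, one per dropped variable
```

The "just block violating variables" action from the list corresponds to what filter() does here; sending a response code, redirecting, or running another script would be decided by the caller once alerts() is non-empty.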

Logging Features

  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports a freely configurable syslog facility and priority
  • Supports selecting, per log device, which alert types are logged
  • Alerts contain the filename and line number of the code that triggered them
  • Alerts contain the IP address of the user triggering them
  • The IP address can also be extracted from X-Forwarded-For HTTP headers (e.g. for reverse proxy setups)

© Hardened PHP Project