PHP Server Side Scripting Forum

Suhosin?
lappert2001
msg:4418314
11:55 am on Feb 16, 2012 (gmt 0)

Running Debian Squeeze, Apache 2.2, PHP Version 5.3.3-7+squeeze8

In Logcheck, I'm getting warnings like:
Feb 16 00:46:49 hostname suhosin[28579]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'start' (attacker '91.215.148.138', file '/home/example.com/public_html/phpbb2/viewforum.php')
I'm not really familiar with it, but Wikipedia says Suhosin is a PHP security patch and default in Debian. So that's OK.

But PhpMyAdmin reports:

Server running with Suhosin. Please refer to documentation for possible issues.
And that - [wiki.phpmyadmin.net...] -- reports a number of issues with Suhosin and apps like PhpMyAdmin.

So I guess I'm asking how needed or valuable is Suhosin? If not, how would it be deactivated? It would be nice to get rid of the red warning.
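Before deciding whether to keep Suhosin, it helps to see what its alerts actually tell you. The following is an added example (not code from the thread, from Suhosin or from phpMyAdmin) that parses "dropped variable" ALERT lines of the shape quoted above into structured records and summarises them per client address, reason and targeted script. The sample log is constructed: the first line is the one quoted in the post, the others are made up in the same layout (the alert text on the third line and the address 203.0.113.7 are illustrative).

```python
import re
from collections import Counter

# Constructed sample syslog lines. The first is the Logcheck entry quoted in
# the post; the others are made up for this example (203.0.113.7 is a
# documentation address) and follow the same Suhosin ALERT layout.
SAMPLE_LOG = """\
Feb 16 00:46:49 hostname suhosin[28579]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'start' (attacker '91.215.148.138', file '/home/example.com/public_html/phpbb2/viewforum.php')
Feb 16 00:47:02 hostname suhosin[28579]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'f' (attacker '91.215.148.138', file '/home/example.com/public_html/phpbb2/viewforum.php')
Feb 16 01:10:33 hostname suhosin[28581]: ALERT - configured request variable name length limit exceeded - dropped variable 'topic_id' (attacker '203.0.113.7', file '/home/example.com/public_html/phpbb2/viewtopic.php')
Feb 16 01:12:00 hostname cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One Suhosin "dropped variable" alert: syslog prefix, the reason text, the
# variable name Suhosin discarded, the client address and the PHP file hit.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) suhosin\[(?P<pid>\d+)\]: "
    r"ALERT - (?P<reason>.+?) - dropped variable '(?P<var>[^']*)' "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'\)$"
)


def parse_alert(line):
    """Return a dict of fields for a Suhosin dropped-variable alert, else None."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_log(text):
    """Parse a syslog excerpt, skipping lines that are not Suhosin alerts."""
    records = (parse_alert(line) for line in text.splitlines())
    return [r for r in records if r]


def summarize(records):
    """Count alerts by client address, by reason and by targeted script."""
    return {
        "by_ip": Counter(r["ip"] for r in records),
        "by_reason": Counter(r["reason"] for r in records),
        "by_file": Counter(r["file"] for r in records),
    }


def noisy_sources(records, threshold=2):
    """Client addresses with at least `threshold` dropped-variable alerts,
    sorted, as a review list (e.g. input for a firewall or fail2ban-style rule)."""
    counts = Counter(r["ip"] for r in records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, counter in summarize(recs).items():
        print(name, dict(counter))
    print("sources to review:", noisy_sources(recs))
```

Each alert means Suhosin already discarded the offending variable before the script saw it, so the useful signal is the aggregate: which addresses keep tripping the filter and which scripts they aim at, which is what the per-address and per-file counters give you.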

incrediBILL
msg:4418607
2:12 am on Feb 17, 2012 (gmt 0)

Why would you want less security just to get rid of a red warning?

Makes sense to me.

Read up on what it is; you should probably keep it unless you like your servers hacked from PHP flaws: [hardened-php.net...]

lappert2001
msg:4418687
9:10 am on Feb 17, 2012 (gmt 0)

Of course I don't want less security, but there are always things that are not that effective, unneeded or redundant, which is why I asked.

But implementation is being a bit problematic. The phpMyAdmin FAQ [phpmyadmin.net ] recommends changes to suhosin.ini:

The default values for most Suhosin configuration options will work in most scenarios, however you might want to adjust at least following parameters:

suhosin.request.max_vars should be increased (eg. 2048)
suhosin.post.max_vars should be increased (eg. 2048)
suhosin.request.max_array_index_length should be increased (eg. 256)
suhosin.post.max_array_index_length should be increased (eg. 256)
suhosin.request.max_totalname_length should be increased (eg. 8192)
suhosin.post.max_totalname_length should be increased (eg. 8192)
suhosin.get.max_value_length should be increased (eg. 1024)
suhosin.sql.bailout_on_error needs to be disabled (the default)
suhosin.log.* should not include SQL, otherwise you get big slowdown
Most of these are straightforward, but the last is - as far as I can determine - undocumented or unclear. See [hardened-php.net ]
The default suhosin.ini entry has no value:

;suhosin.log.syslog =
Looking at other suhosin.log settings and the suhosin config docs, I get the impression that to remove SQL from the logging, I should set the value to 16 or lower. But I can't find anything on Google or the phpMyAdmin or suhosin sites to give that credibility.

Any ideas? Thanks.
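The suhosin.log.* settings are bitmasks over Suhosin's alert classes, so "not including SQL" means clearing one bit rather than picking a smaller number. The following is an added example (not code from the thread, from Suhosin or from phpMyAdmin) that computes such a mask, then reads a suhosin.ini fragment and reports which of the phpMyAdmin FAQ recommendations quoted above are not met. Two things are assumed rather than taken from the thread: the per-class bit values (S_SQL = 32, S_ALL = 511, as documented for Suhosin 0.9.x) and the defaults Suhosin uses for keys that are absent or commented out; verify both against your installed version (`php -i | grep suhosin` shows the live values). The weak ini text is constructed.

```python
# Alert classes used by the suhosin.log.* bitmasks, with the bit values
# documented for Suhosin 0.9.x (assumed here; check your version's docs).
ALERT_CLASSES = {
    "S_MEMORY": 1, "S_MISC": 2, "S_VARS": 4, "S_FILES": 8, "S_INCLUDE": 16,
    "S_SQL": 32, "S_EXECUTOR": 64, "S_MAIL": 128, "S_SESSION": 256,
}
S_ALL = sum(ALERT_CLASSES.values())  # 511

# Minimums from the phpMyAdmin FAQ list quoted in the thread.
RECOMMENDED_MIN = {
    "suhosin.request.max_vars": 2048,
    "suhosin.post.max_vars": 2048,
    "suhosin.request.max_array_index_length": 256,
    "suhosin.post.max_array_index_length": 256,
    "suhosin.request.max_totalname_length": 8192,
    "suhosin.post.max_totalname_length": 8192,
    "suhosin.get.max_value_length": 1024,
}

# Values Suhosin falls back to when a key is absent or commented out
# (0.9.x documented defaults, assumed here).
ASSUMED_DEFAULTS = {
    "suhosin.request.max_vars": 200,
    "suhosin.post.max_vars": 200,
    "suhosin.request.max_array_index_length": 64,
    "suhosin.post.max_array_index_length": 64,
    "suhosin.request.max_totalname_length": 256,
    "suhosin.post.max_totalname_length": 256,
    "suhosin.get.max_value_length": 512,
}

# Constructed sample: a suhosin.ini that phpMyAdmin would complain about.
SAMPLE_INI = """\
; constructed sample suhosin.ini, weakly configured for phpMyAdmin
[suhosin]
suhosin.request.max_vars = 2048
suhosin.post.max_vars = 200
;suhosin.post.max_array_index_length = 256
suhosin.get.max_value_length = 1024
suhosin.sql.bailout_on_error = On
suhosin.log.syslog = 511
"""


def log_mask_without(*excluded):
    """S_ALL with the named alert classes cleared, e.g. ('S_SQL',) -> 479."""
    mask = S_ALL
    for name in excluded:
        mask &= ~ALERT_CLASSES[name]
    return mask


def mask_classes(mask):
    """Names of the alert classes whose bit is set in `mask`."""
    return [name for name, bit in ALERT_CLASSES.items() if mask & bit]


def parse_ini(text):
    """Minimal php.ini-style parser: ';' comments, optional [sections], key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def _int(settings, key, default):
    value = settings.get(key, "")
    return int(value) if value else default


def _bool(value):
    return value.strip().lower() in ("1", "on", "true", "yes")


def check_config(settings):
    """List each FAQ recommendation the given settings do not meet."""
    findings = []
    for key, minimum in RECOMMENDED_MIN.items():
        current = _int(settings, key, ASSUMED_DEFAULTS[key])
        if current < minimum:
            findings.append(f"{key}={current} is below the recommended {minimum}")
    if _bool(settings.get("suhosin.sql.bailout_on_error", "Off")):
        findings.append("suhosin.sql.bailout_on_error is On; it needs to be Off")
    # Documented default for suhosin.log.syslog is S_ALL & ~S_SQL (assumed).
    mask = _int(settings, "suhosin.log.syslog", log_mask_without("S_SQL"))
    if mask & ALERT_CLASSES["S_SQL"]:
        findings.append(f"suhosin.log.syslog={mask} includes S_SQL; "
                        f"use {mask & ~ALERT_CLASSES['S_SQL']}")
    return findings


def recommended_ini():
    """Render the FAQ recommendations as a suhosin.ini fragment."""
    lines = ["; settings recommended by the phpMyAdmin FAQ quoted in the thread"]
    lines += [f"{key} = {value}" for key, value in RECOMMENDED_MIN.items()]
    lines.append("suhosin.sql.bailout_on_error = Off")
    lines.append(f"suhosin.log.syslog = {log_mask_without('S_SQL')}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_config(parse_ini(SAMPLE_INI)):
        print("-", finding)
    print(recommended_ini())
```

Under the assumed bit values, 16 is S_INCLUDE on its own, so a mask of 16 or lower would silence most alert classes along with SQL; clearing only the S_SQL bit from S_ALL keeps everything else and gives 479.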
