Tag Archives: Web server protection
How to disable eval function in PHP
How to disable eval in php.ini to Protect php web application
The eval construct in PHP is not an ordinary built-in function, so it cannot be disabled with disable_functions in php.ini.
But eval() is extremely dangerous for PHP security: it is exactly what the classic one-line PHP Trojan (webshell) relies on, so it has to be blocked. Disabling eval is therefore recommended for any PHP web application that needs protection from malware and webshell attacks. Below are the steps to disable a dangerous PHP construct such as eval.
Example use of eval():
The return value of this example is:
Or, in a more advanced form:
This kind of small webshell ("pony", as it is called in Chinese hacker jargon) knocking at the door has to be locked out! Many guides on the Internet tell you to block eval with disable_functions, but that is wrong: eval() cannot be disabled with disable_functions in php.ini, because eval() is a language construct, not a function.
eval is implemented inside the Zend engine itself (it compiles to an opcode rather than a call into the function table), so it is not a PHP_FUNCTION. disable_functions only removes entries from the function table and therefore never sees it.
How can eval be disabled in PHP, then?
If you want to disable eval, use Suhosin, an extension for PHP:
After installing Suhosin, add extension=suhosin.so to php.ini and set suhosin.executor.disable_eval = On. Once that is in force, a script that reaches an eval() is aborted by Suhosin with an error (and the attempt is logged) instead of executing the supplied code.
To sum up, eval cannot be disabled by PHP itself, so an extension (plug-in) such as Suhosin is required. Note that Suhosin targets the PHP 5 series; there is no production release for PHP 7 or later, so on newer versions the only real fix is to remove eval() from the code base.
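The following script is an added example (not code from the original post or from the Suhosin project) that checks the two points above on a running PHP installation: that eval is a language construct disable_functions cannot reach, and whether Suhosin's suhosin.executor.disable_eval is actually in force. The file name eval_check.php and the list of constructs it flags are this example's own choices.

```php
<?php
// eval_check.php: added example, not code from the original post or from Suhosin.
// Run it from the command line with the same php.ini your web server uses,
// e.g.:  php -c /etc/php.ini -d disable_functions=eval eval_check.php

/**
 * eval is a language construct, so it has no entry in the engine's
 * function table. function_exists() therefore reports false for it on
 * every PHP build, while a genuine built-in such as strlen() is found.
 */
function eval_is_language_construct()
{
    return !function_exists('eval') && function_exists('strlen');
}

/**
 * disable_functions only removes names from the function table. Language
 * constructs listed there are silently ignored, so an entry such as "eval"
 * gives a false sense of security. Returns the ineffective entries.
 */
function ineffective_disable_functions_entries($disable_functions)
{
    // Constructs that are commonly (and uselessly) listed in disable_functions.
    $constructs = array('eval', 'include', 'include_once', 'require',
                        'require_once', 'exit', 'die', 'echo', 'print',
                        'isset', 'unset', 'empty');
    $useless = array();
    foreach (explode(',', (string) $disable_functions) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '' && in_array($name, $constructs, true)) {
            $useless[] = $name;
        }
    }
    return $useless;
}

/**
 * In PHP 5 the supported way to block eval is Suhosin's
 * suhosin.executor.disable_eval directive. ini_get() returns "1" for a
 * boolean directive set to On in php.ini; the other spellings are accepted
 * in case the value was set some other way.
 */
function suhosin_eval_blocked()
{
    if (!extension_loaded('suhosin')) {
        return false;
    }
    $value = strtolower(trim((string) ini_get('suhosin.executor.disable_eval')));
    return in_array($value, array('1', 'on', 'true', 'yes'), true);
}

// What the protection is meant to stop: the classic one-line webshell,
// shown here as a comment only (closing tag omitted on purpose):
//     <?php @eval($_POST['cmd']);

$useless = ineffective_disable_functions_entries(ini_get('disable_functions'));

printf("eval is a language construct:          %s\n",
       eval_is_language_construct() ? 'yes' : 'no');
printf("ineffective disable_functions entries: %s\n",
       $useless ? implode(', ', $useless) : '(none)');
printf("Suhosin extension loaded:              %s\n",
       extension_loaded('suhosin') ? 'yes' : 'no');
printf("eval() blocked by Suhosin:             %s\n",
       suhosin_eval_blocked() ? 'yes' : 'NO, eval() is still reachable');
```

Run it once with the web server's php.ini: if the last line reports that eval() is still reachable, adding eval to disable_functions will not change that, and only loading Suhosin with disable_eval=On (or removing eval() from the application) will.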
Use Suhosin to protect PHP application system (disable eval)
Suhosin is a protection system. It was designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core. Suhosin has two independent parts that can be used separately or together. The first is a patch for the PHP core that hardens it against buffer overflows and format string vulnerabilities; the second is a powerful PHP extension that implements all the other protections, including the ability to disable eval().
Download Suhosin php extension
Gentoo Linux and FreeBSD users can find Suhosin in ports; OpenSuSE, Mandriva Linux and Debian ship it as a distribution package.
http://www.hardened-php.net/suhosin/download.html
How to install Suhosin php extension
1) Download the patch and the extension from the address given above.
2) Extract the PHP source and apply the patch. The patch is only needed for the engine-protection part; the extension alone is enough to disable eval. The patch must match the PHP release exactly (here PHP 5.2.10 with patch 0.9.7).
# tar jxvf php-5.2.10.tar.bz2
# gunzip suhosin-patch-5.2.10-0.9.7.patch.gz
# cd php-5.2.10
# patch -p1 -i ../suhosin-patch-5.2.10-0.9.7.patch
# ./configure --your-options
# make
# make install
3) Install the extension
# tar zxvf suhosin-0.9.31.tgz
# cd suhosin-0.9.31
# phpize
# ./configure --with-php-config=/usr/local/php/bin/php-config (adjust this path to your installation)
# make
# make install
Then edit php.ini, add extension=suhosin.so, and confirm the module is loaded: php -m should list suhosin, and phpinfo() should show a suhosin section.
Features of Suhosin extension
1) Engine protection (patches only)
- Protect internal memory management against buffer overflow
- Prevent Zend hash table from being destroyed
- Prevent Zend link list from being destroyed
- Protect PHP core and its extensions against format string weaknesses
- Protection against certain libc realpath() bugs
2) Miscellaneous features
- Simulation mode (violations are logged but not blocked, useful for testing a new configuration)
- Adds the functions sha256() and sha256_file() to the PHP core
- Adds CRYPT_BLOWFISH support to crypt() on all platforms
- Transparent protection of the phpinfo() page (can be switched on)
- SQL database user protection (experimental)
3) Runtime protection
- Transparent cookie encryption
- Prevents several kinds of inclusion vulnerabilities: remote URL inclusion can be blocked (black/white list), inclusion of uploaded files can be disallowed, and directory traversal is prevented
- Allows disabling the preg_replace() /e modifier
- Allows disabling eval()
- Prevents infinite recursion through a configurable maximum execution depth
- Supports per-vhost black and white lists
- Provides separate black and white lists of callable functions for normal code and for code executed via eval()
- Prevents HTTP response splitting vulnerabilities
- Prevents scripts from raising the memory_limit option
- Protects PHP's superglobals from being overwritten by extract() and import_request_variables()
- Prevents newline injection attacks through the mail() function
- Prevents preg_replace() attacks
4) Session protection
- Encrypted session data
- Prevent session from being hijacked
- Prevent long session id
- Prevent malicious session id
5) Filtering features
6) Logging features (omitted here)
Refer to http://www.hardened-php.net/suhosin/a_feature_list.html
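As an added example (not code from the original post or from the Suhosin project), the script below turns the runtime and session features listed above into a configuration audit: it compares the running Suhosin directives against a hardened baseline and reports every deviation. The directive names are Suhosin's own; the wanted values, the file name suhosin_audit.php and the assumption that the shipped crypt key default is the string 'D3F4ULT' are this example's, not the project's.

```php
<?php
// suhosin_audit.php: added example, not code from the original post or from Suhosin.
// Compares the running Suhosin configuration against a hardened baseline built
// from the runtime and session features listed above. Run it with the php.ini
// the web SAPI uses, e.g.:  php -c /etc/php.ini suhosin_audit.php

/**
 * Baseline rules: directive => array(comparison, wanted value).
 * The directive names are Suhosin's own; the wanted values are this
 * example's suggestions, not Suhosin defaults. Tune max_depth and
 * max_traversal to the application before enforcing them.
 */
function suhosin_baseline()
{
    return array(
        // Code execution primitives: eval() and the preg_replace() /e modifier
        'suhosin.executor.disable_eval'                 => array('on', true),
        'suhosin.executor.disable_emodifier'            => array('on', true),
        // Inclusion: no uploaded/writable files, bounded "../" traversal
        'suhosin.executor.include.allow_writable_files' => array('off', false),
        'suhosin.executor.include.max_traversal'        => array('bounded', 4),
        // Recursion limit (0 would disable the check)
        'suhosin.executor.max_depth'                    => array('bounded', 500),
        // Session and cookie protection
        'suhosin.session.encrypt'                       => array('on', true),
        'suhosin.session.cryptkey'                      => array('secret', 'D3F4ULT'),
        'suhosin.session.max_id_length'                 => array('max', 128),
        'suhosin.cookie.encrypt'                        => array('on', true),
        'suhosin.cookie.cryptkey'                       => array('secret', 'D3F4ULT'),
        // Newline injection into mail() headers
        'suhosin.mail.protect'                          => array('min', 1),
        // Simulation mode logs but does not block: must be off in production
        'suhosin.simulation'                            => array('off', false),
    );
}

/** Interpret an ini value the way PHP does for boolean directives. */
function ini_bool($value)
{
    $value = strtolower(trim((string) $value));
    return in_array($value, array('1', 'on', 'true', 'yes'), true);
}

/**
 * Returns an array of directive => problem description. An empty array
 * means every baseline rule is satisfied.
 */
function audit_suhosin()
{
    if (!extension_loaded('suhosin')) {
        return array('suhosin' => 'extension not loaded, so no Suhosin protection is active');
    }
    $findings = array();
    foreach (suhosin_baseline() as $directive => $rule) {
        list($cmp, $want) = $rule;
        $actual = ini_get($directive);
        switch ($cmp) {
            case 'on':      $ok = ini_bool($actual); break;
            case 'off':     $ok = !ini_bool($actual); break;
            case 'min':     $ok = (int) $actual >= $want; break;
            case 'max':     $ok = (int) $actual <= $want; break;
            // Non-zero (feature enabled) and no looser than the wanted bound
            case 'bounded': $ok = (int) $actual > 0 && (int) $actual <= $want; break;
            // Key must be set and differ from the shipped default, which this
            // example assumes to be the string 'D3F4ULT'
            case 'secret':  $ok = is_string($actual) && $actual !== '' && $actual !== $want; break;
            default:        $ok = false;
        }
        if (!$ok) {
            $findings[$directive] = sprintf('is %s, rule: %s %s',
                var_export($actual, true), $cmp, var_export($want, true));
        }
    }
    return $findings;
}

$findings = audit_suhosin();
if (!$findings) {
    echo "Suhosin configuration matches the hardened baseline\n";
} else {
    foreach ($findings as $directive => $problem) {
        echo "$directive $problem\n";
    }
}
```

Because suhosin.simulation is part of the baseline, the audit also catches the case where every protection looks enabled but nothing is enforced; turn simulation on only while testing a new configuration and verify it is off again before relying on the result.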