How to Check Whether Suhosin Is Installed

How to check whether Suhosin is installed?

To detect the Suhosin Extension use extension_loaded() no matter if it is dynamically loaded or statically compiled:

extension_loaded('suhosin');

To detect the Suhosin-Patch, check for the presence of the constant:

constant("SUHOSIN_PATCH");
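The two checks above combined into one script, as an added example that is not part of the original answer. It assumes the extension name 'suhosin' and the constant names SUHOSIN_PATCH and SUHOSIN_PATCH_VERSION as defined by the Suhosin patch; it also avoids calling constant() on an undefined name, which throws an Error on PHP 8.

```php
<?php
// Added example (not from the original answer): report how Suhosin is present,
// distinguishing the loadable extension from the interpreter patch.
// Assumes the extension name 'suhosin' and the constants SUHOSIN_PATCH /
// SUHOSIN_PATCH_VERSION as defined by the Suhosin patch.

function suhosinStatus()
{
    $status = array(
        'extension'         => false,
        'extension_version' => null,
        'patch'             => false,
        'patch_version'     => null,
    );

    // The extension registers itself under this name whether it was compiled
    // in statically or loaded at runtime via extension=suhosin.so.
    if (extension_loaded('suhosin')) {
        $status['extension'] = true;
        $version = phpversion('suhosin');
        $status['extension_version'] = $version ? $version : 'unknown';
    }

    // The patch is not an extension, so extension_loaded() cannot see it; it
    // exposes a constant instead. constant() on an undefined name throws an
    // Error on PHP 8 (and warns on PHP 7), so test with defined() first.
    if (defined('SUHOSIN_PATCH')) {
        $status['patch'] = true;
        $status['patch_version'] = defined('SUHOSIN_PATCH_VERSION')
            ? constant('SUHOSIN_PATCH_VERSION')
            : 'unknown';
    }

    return $status;
}

$s = suhosinStatus();
printf("Suhosin extension: %s%s\n",
    $s['extension'] ? 'loaded' : 'not loaded',
    $s['extension'] ? " (version {$s['extension_version']})" : '');
printf("Suhosin patch:     %s%s\n",
    $s['patch'] ? 'applied' : 'not applied',
    $s['patch'] ? " (version {$s['patch_version']})" : '');
```

Run it with `php -f suhosin-status.php` on the command line or drop it into the web root, since the CLI and the web SAPI may read different ini files and therefore load different extensions.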

Suhosin for Windows

-f is a flag for the compiled interpreter that makes the interpreter execute the specified php source code. suhosin is a patch to the php interpreter, which is written in C.

Therefore, you must download the source code of the php interpreter, apply suhosin, and then recompile php.

Suhosin and disable eval function

Your example executes phpinfo(), then tries to evaluate the output. Given your configuration the following example will be blocked by suhosin:

eval("phpinfo();");

Please consider using whitelisting as opposed to blacklisting, if applicable. From a security point of view it is always best to allow a limited set of functions rather than guess all the bad functions.

Also note that eval itself is not a function and cannot be blocked by disable_functions and friends. Suhosin provides suhosin.executor.disable_eval for that purpose.

Why doesn't suhosin.executor.disable_emodifier work?

You have to check both local and master values in your phpinfo() for the lines suhosin.executor.disable_eval and suhosin.executor.disable_emodifier in order to be sure that the configuration file is read correctly, and not only for the activation of suhosin.

The local value of those directives should be set to 'On'.

If the local is Off but the master is On, then your virtualhost configuration might override this parameter. If both are Off, then your suhosin.ini is not parsed correctly.

You also have to check that suhosin.simulation (debug mode) is set to Off.
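The local-versus-master comparison the answer asks you to do by eye in phpinfo(), scripted as an added example (not part of the original answer). It assumes that ini_get() reflects the value in effect for the request (the "Local Value" column) and that get_cfg_var() reflects the value read from the ini files (the "Master Value" column); get_cfg_var() does not see values set from the Apache configuration, so a vhost override shows up here as a local value that differs from the master.

```php
<?php
// Added example (not from the original answer): check the Suhosin directives
// named in the answer against the state it expects, and tell apart "wrong in
// the ini file" from "right in the ini file but overridden for this vhost".
// Assumes ini_get() == phpinfo() Local Value and get_cfg_var() == Master Value.

// Normalise the On/Off/1/0/true/false spellings PHP accepts in ini files.
// Returns null when the directive is unknown or unset.
function iniBool($value)
{
    if ($value === false || $value === null) {
        return null;
    }
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'true', 'yes'), true);
}

function auditSuhosinDirectives(array $expected)
{
    $report = array();
    foreach ($expected as $directive => $want) {
        $local  = iniBool(ini_get($directive));
        $master = iniBool(get_cfg_var($directive));

        if ($local === null && $master === null) {
            // Neither column exists: suhosin.ini was not parsed at all or
            // the extension that registers the directive is not loaded.
            $verdict = 'directive unknown: suhosin.ini not parsed or extension not loaded';
        } elseif ($local === $want) {
            $verdict = 'ok';
        } elseif ($master === $want) {
            // Ini file is right; something per-vhost or per-directory
            // (php_value, php_admin_value, .user.ini, ini_set) overrides it.
            $verdict = 'master correct but overridden locally (check vhost config)';
        } else {
            $verdict = 'wrong in the configuration file';
        }

        $report[$directive] = array(
            'local'   => $local,
            'master'  => $master,
            'want'    => $want,
            'verdict' => $verdict,
        );
    }
    return $report;
}

// Expected state taken from the answer: both eval-related directives On,
// simulation (debug mode) Off, otherwise nothing is actually blocked.
$expected = array(
    'suhosin.executor.disable_eval'      => true,
    'suhosin.executor.disable_emodifier' => true,
    'suhosin.simulation'                 => false,
);

if (!extension_loaded('suhosin')) {
    echo "Suhosin extension is not loaded; none of the directives below will exist.\n";
}

$fmt = function ($b) {
    return $b === null ? 'n/a' : ($b ? 'On' : 'Off');
};
foreach (auditSuhosinDirectives($expected) as $directive => $r) {
    printf("%-36s local=%-3s master=%-3s want=%-3s -> %s\n",
        $directive, $fmt($r['local']), $fmt($r['master']), $fmt($r['want']), $r['verdict']);
}
```

Because ini_get() answers for the SAPI that runs the script, execute this through the same web server and vhost whose eval() behaviour you are debugging; the CLI result only tells you about the CLI's php.ini.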

Suhosin and disable eval

Set

suhosin.executor.disable_eval

to Off. If it is set to On like in your example, eval() will get disabled completely (and this is what you are seeing in logs).


Btw, I don't think that there is a legit way of using eval() in PHP applications. Applications which are really using it should be avoided. I would turn it off completely unless something crashes and then investigate this.


