
Secure your PHP installation with Suhosin Extension v0.9.20

 
underxp
Joined: 16 Jan 2006
Posts: 34

Posted: Sat 04 Aug '07 5:13    Post subject: Secure your PHP installation with Suhosin Extension v0.9.20

from http://www.hardened-php.net/suhosin/

Quote:

What is Suhosin?

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.


Feature List
see http://www.hardened-php.net/suhosin/a_feature_list.html

Configuration
see http://www.hardened-php.net/suhosin/configuration.html

Benchmark
see http://www.hardened-php.net/suhosin/benchmark.html

Download Suhosin Extension v0.9.20 compiled using Microsoft Visual C++ 2005 from the Forum http://forum.hardened-php.net/viewtopic.php?id=250

PHP 5.2.2, http://www.zshare.net/download/28009965da6a6b/

PHP 5.3.3, http://www.zshare.net/download/2801003ff70fa5/

James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 5105
Location: Germany, Next to Hamburg

Posted: Sat 10 Nov '07 0:22

What experience do you have with Suhosin?

underxp
Joined: 16 Jan 2006
Posts: 34

Posted: Mon 12 Nov '07 0:37

for PHP 5.2.4, http://www.zshare.net/download/34499523e2dabd/

I don't use it (yet), but I have read many articles about it.

James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 5105
Location: Germany, Next to Hamburg

Posted: Wed 19 Mar '08 10:21

I've tried it for a longer time now. It reduces the speed a bit. But worse is that phpMyAdmin has problems with it :?

NewEraCracker
Joined: 23 Aug 2010
Posts: 35

Posted: Mon 23 Aug '10 4:38

Any updates?

Can anyone please compile suhosin extension for php 5.2.14 TS VC6?

Caffeine Addict
Joined: 06 Sep 2010
Posts: 6
Location: England

Posted: Fri 29 Oct '10 12:50    Post subject: Compile Request

Could someone compile suhosin extensions for the different versions of php? I have been scouring the internet for three days now and haven't been able to find any precompiled dll extensions for windows php suhosin.

If someone has the knowledge to do this, could they possibly spend some time compiling them and I'll host them on both www.kevandrews.co.uk and on www.zpanel.co.uk. This way thousands of people will have access to suhosin for their windows based installs instantly, which I feel would be great!

Please either post back or e-mail me at kjandrews0@gmail.com to chat if you have the ability to compile this extension for windows php versions 5.2.9 and upwards :)

James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 5105
Location: Germany, Next to Hamburg

Posted: Fri 29 Oct '10 15:41

Use PHP 5.3; the Suhosin code has been included in the source code.

Caffeine Addict
Joined: 06 Sep 2010
Posts: 6
Location: England

Posted: Fri 29 Oct '10 16:32

I would, but our Zpanel project uses Zend Guard to stop people ripping off the main kernel files. Zend Guard only encodes up to 5.2.*.

So practically speaking we could really do with a 5.2.* version dll made up...

Also I have seen so many posts about people wanting this for php 5.2.*... it would be very helpful for our project at zpanel and help many others secure a multi hosting environment...

NewEraCracker
Joined: 23 Aug 2010
Posts: 35

Posted: Tue 22 Feb '11 1:08

I've managed to compile suhosin for php 5.2 and 5.3 and will edit this post soon with a download link :)

---

Suhosin v0.9.32.1 for PHP 5.2.17+ and 5.3.5+ VC6 TS & NTS:
Code:
http://www.mediafire.com/file/h8x4i2a6myxkh4n/php_5.2_5.3_vc6_suhosin.zip


---

By the way, Suhosin may break some scripts. In order to prevent that, you should uncomment the following entries and change to the values below:

Code:
suhosin.session.encrypt = Off
suhosin.get.max_name_length = 512
suhosin.get.max_totalname_length = 512
suhosin.get.max_value_length = 1024
suhosin.post.max_array_index_length = 256
suhosin.post.max_name_length = 512
suhosin.post.max_totalname_length = 8192
suhosin.post.max_vars = 4096
suhosin.request.max_array_index_length = 256
suhosin.request.max_totalname_length = 8192
suhosin.request.max_vars = 4096
suhosin.request.max_varname_length = 512


Last edited by NewEraCracker on Tue 06 Sep '11 0:34; edited 1 time in total
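
Added example (not part of the thread, and not Suhosin's own code): a Python checker that parses the numeric suhosin.* limits from the post above and reports which fields of a request would exceed them, so a form can be tested against a candidate profile before limits are loosened. It assumes that a limit of 0 disables the check and that a variable must pass both its per-source limit and the matching suhosin.request.* limit; TIGHT_INI and any request bodies passed in are constructed test data.

```python
import re
from urllib.parse import parse_qsl

# Numeric limits copied from the post above; TIGHT_INI is a constructed stricter profile.
POSTED_INI = """
suhosin.get.max_name_length = 512
suhosin.get.max_totalname_length = 512
suhosin.get.max_value_length = 1024
suhosin.post.max_array_index_length = 256
suhosin.post.max_name_length = 512
suhosin.post.max_totalname_length = 8192
suhosin.post.max_vars = 4096
suhosin.request.max_array_index_length = 256
suhosin.request.max_totalname_length = 8192
suhosin.request.max_vars = 4096
suhosin.request.max_varname_length = 512
"""
TIGHT_INI = "suhosin.post.max_vars = 200\nsuhosin.request.max_array_index_length = 64\n"
REQUEST_KEY = {"max_name_length": "max_varname_length"}  # request.* spells this one differently

def parse_limits(ini_text):
    """Return {(scope, key): int}; commented-out (;) and non-numeric lines are skipped."""
    pat = re.compile(r"^\s*suhosin\.(\w+)\.(\w+)\s*=\s*(\d+)\s*$", re.M)
    return {(s, k): int(v) for s, k, v in pat.findall(ini_text)}

def over(limits, source, rule, n):
    """True if n exceeds the per-source or the request-wide cap (assumption: 0 = off)."""
    caps = (limits.get((source, rule), 0),
            limits.get(("request", REQUEST_KEY.get(rule, rule)), 0))
    return any(c and n > c for c in caps)

def violations(limits, source, body):
    """List (field, rule) pairs that break a limit; source is 'get' or 'post'."""
    pairs = parse_qsl(body, keep_blank_values=True)
    found = [("*", "max_vars")] if over(limits, source, "max_vars", len(pairs)) else []
    for total, value in pairs:
        name = total.split("[", 1)[0]  # variable name without its array indices
        sizes = [("max_name_length", len(name)),
                 ("max_totalname_length", len(total)),
                 ("max_value_length", len(value))]
        sizes += [("max_array_index_length", len(i))
                  for i in re.findall(r"\[([^\]]*)\]", total)]
        found += [(name, rule) for rule, n in sizes if over(limits, source, rule, n)]
    return found
```

An empty result from `violations(parse_limits(POSTED_INI), "post", body)` means the request fits the posted profile; each reported pair names the field and the limit it exceeds.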

darkangel
Joined: 30 Jan 2010
Posts: 5

Posted: Mon 25 Jul '11 19:37

Does anyone know where I can find a VC9 build of Suhosin?

NewEraCracker
Joined: 23 Aug 2010
Posts: 35

Posted: Thu 28 Jul '11 12:59

I could build it. I have VC9 (2008) installed.

Just gotta download the SDK and the php 5.3 deps from windows.php.net

I'll see what I can do ;)


Last edited by NewEraCracker on Fri 09 Sep '11 14:17; edited 1 time in total

James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 5105
Location: Germany, Next to Hamburg

Posted: Thu 28 Jul '11 13:42

NewEraCracker wrote:

I'll see what I can do ;)


AFAIK most of the Suhosin patch has been integrated into 5.3. Also the last patch is for PHP 5.1.4 ....

darkangel
Joined: 30 Jan 2010
Posts: 5

Posted: Thu 28 Jul '11 13:58

NewEraCracker wrote:
I could build it. I have VC9 (2008) installed.

Just gotta download the SDK and the php 5.3 deps from windows.php.net

I'll see what I can do ;)

That's very kind of you, NewEraCracker, but don't worry too much, as I don't really need it anymore. I needed it to test an issue I was having with sessions, but I fixed the problem another way.

Regards,

_da.

NewEraCracker
Joined: 23 Aug 2010
Posts: 35

Posted: Fri 29 Jul '11 15:02

Suhosin Extension is still cool to protect from typical null-byte issues and other issues PHP doesn't have built-in protection for.

I'll do this today, just grabbing the SDK :)

---

Done :D

Suhosin Extension v0.9.32.1 for PHP 5.3.6+ TS VC9

Build cmd:
Code:
configure --disable-all --enable-cli --enable-session --enable-zlib --enable-object-out-dir="." --enable-one-shot --enable-suhosin="shared"


It should work in php 5.3.x official windows.php.net TS VC9 builds.

Code:
http://www.mediafire.com/file/bcesd9ezkt96v66/php_suhosin-0.9.32.1-5.3-ts-vc9.zip

NewEraCracker
Joined: 23 Aug 2010
Posts: 35

Posted: Tue 06 Sep '11 0:36

I've found some issues with phpmyadmin using suhosin in php.

I've updated this post with a more relaxed configuration in order to fix any issues.

puertoblack2003
Joined: 31 Jul 2009
Posts: 40

Posted: Sat 24 Sep '11 6:32

NewEraCracker wrote:
I've found some issues with phpmyadmin using suhosin in php

I've updated this post with a more relaxed configuration in order to fix any issues.


Thanks, this is a great security feature for my server. I hope this continues for future updates.

rockjock
Joined: 25 Mar 2011
Posts: 8

Posted: Tue 28 Feb '12 4:14

Any chance of us getting a 5.3.10-compatible version of this extension?