Protect PHP with Suhosin

PHP is popular for scripting Web sites, but its built-in security is weak. Vincent Danen describes the Hardened-PHP project and the new Suhosin project, which offers additional PHP security configurations.

PHP is arguably the most popular scripting language for Web sites. This popularity comes with a price, however, and that is increased attention to various vulnerabilities in PHP itself and in the plethora of Web applications written in PHP. The security features built into PHP are weak, and the language itself is so flexible that not only is it easy to write sloppy and insecure code, but it almost seems to be encouraged. One could make that assumption based on the fact that, over and over again, the same vulnerabilities are found in various applications: SQL injection, cross-site scripting, arbitrary command execution, etc.

Since the built-in PHP safeguards like safe_mode and open_basedir are marginal at best, the Hardened-PHP project came about to build more security and checks into PHP. Originally this was done by creating the Hardened-PHP patch, which required patching and recompiling PHP itself. More recently, the Hardened-PHP project came out with a new project called Suhosin.

Suhosin has two parts; the first part is a patch to PHP that hardens the Zend Engine itself, protecting from possible buffer overflows and related vulnerabilities. The second is the Suhosin extension, a stand-alone module for use with PHP. The two can work together, or the extension alone can be used. For those who do not wish to maintain their own PHP installation and prefer to use the vendor-supplied PHP on their Linux distribution, using the extension provides many security features that are not present in PHP itself.

The extension is easy to install; it can either be installed via PECL or downloaded and compiled:

$ tar xvzf suhosin-0.9.17
$ cd suhosin-0.9.17
$ phpize
$ ./configure
$ make
$ sudo make install

To enable suhosin, add to /etc/php.ini the following:

The default configuration items are sufficient for most people. To tweak the settings, add values to /etc/php.ini. The Web site details the various configuration options that can be used.

With Suhosin, you can enable logging of errors to syslog and/or arbitrary logfiles; create black- and white-lists per virtual host; and filter on GET and POST requests, file uploads, and cookies. You can enable transparent encryption of sessions and cookies, set upper memory limits that cannot be bypassed, and much more. And unlike the original Hardened-PHP patch, Suhosin is binary-compatible with third-party extensions like Zend Optimizer.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

About Vincent Danen

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

Editor's Picks

Free Newsletters, In your Inbox