Suhosin and disable eval

I have installed Suhosin on my dedicated CentOS server. I have about 80 accounts on it, most of them running Joomla or WordPress sites. Some of them are outdated and sitting ducks when it comes to hacking and injection of eval code.

I would like to enable Suhosin’s disable eval function but without breaking the functionality of sites that use eval in a legit way. I went through the documentation and from what I understood, the best scenario was to add this in php.ini:

suhosin.executor.disable_eval = On
suhosin.executor.eval.whitelist =
suhosin.executor.eval.blacklist = include, include_once, require, require_once, curl_init, fpassthru, file, base64_encode, base64_decode, mail, exec, system, proc_open, leak, syslog, pfsockopen, shell_exec, ini_restore, symlink, stream_socket_server, proc_nice, popen, proc_get_status, dl, pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair, link, register_shutdown_function, register_tick_function

From what I understood reading the documentation, anything that was in the blacklist would be dropped and logged, since the whitelist is empty. But that wasn’t the case. It seems that EVERYTHING was dropped and logged.

Since making a whitelist is next to impossible, I would like to ask whether this has to do with my misunderstanding of the configuration or whether something is not working as it is supposed to.

Thanks in advance for any assistance.

2 comments

  1. Set suhosin.executor.disable_eval to Off. If it is set to On like in your example, eval() will get disabled completely (and this is what you are seeing in the logs).


    Btw, I don’t think that there is a legit way of using eval() in PHP applications. Applications which are really using it should be avoided. I would turn it off completely unless something crashes and then investigate this.

  2. Setting suhosin.executor.disable_eval=On will disable eval() entirely.
    E.g. eval('anything();') will be blocked.

    Setting suhosin.executor.eval.blacklist will block only specified functions. E.g.

    suhosin.executor.eval.blacklist = base64_decode

    will prevent eval from executing base64_decode:
    eval('base64_decode("...");');

    Note: Some common PHP code injection attacks use the construct eval(base64_decode(...)) for obfuscation. In this case, base64_decode() is executed first by PHP, then the return value is evaluated by eval(). Having base64_decode listed in suhosin.executor.eval.blacklist will not prevent this kind of attack. Disabling write-and-execute (suhosin.executor.include.allow_writable_files=Off) may be a viable alternative for some automated attacks here.