I have installed Suhosin on my dedicated CentOS server. I have about 80 accounts on it, most of them running Joomla or WordPress sites. Some of them are outdated and sitting ducks when it comes to hacking and injection of eval code.
I would like to enable Suhosin’s disable eval function but without breaking the functionality of sites that use eval in a legit way. I went through the documentation and from what I understood, the best scenario was to add this in php.ini:
suhosin.executor.disable_eval = On
suhosin.executor.eval.whitelist =
suhosin.executor.eval.blacklist = include, include_once, require, require_once, curl_init, fpassthru, file, base64_encode, base64_decode, mail, exec, system, proc_open, leak, syslog, pfsockopen, shell_exec, ini_restore, symlink, stream_socket_server, proc_nice, popen, proc_get_status, dl, pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair, link, register_shutdown_function, register_tick_function
From what I understood reading the documentation, anything that was in the blacklist would be dropped and logged, since the whitelist is empty. But that wasn’t the case. It seems that EVERYTHING was dropped and logged.
Since making a whitelist is next to impossible, I would like to ask if this has to do with my misunderstanding of the configuration or something is not working as supposed to.
Thanks in advance for any assistance.
Set suhosin.executor.disable_eval to Off. If it is set to On like in your example, eval() will get disabled completely (and this is what you are seeing in logs).

Btw, I don't think that there is a legit way of using eval() in PHP applications. Applications which are really using it should be avoided. I would turn it off completely unless something crashes and then investigate this.

Setting suhosin.executor.disable_eval=On will disable eval() entirely. E.g. eval('anything();') will be blocked.

Setting suhosin.executor.eval.blacklist will block only specified functions. E.g. it will prevent eval from executing base64_decode in

eval('base64_decode("...");');

Note: Some common PHP code injection attacks use the construct eval(base64_decode(...)) for obfuscation. In this case, base64_decode() is executed first by PHP, then the return value is evaluated by eval(). Having base64_decode listed in suhosin.executor.eval.blacklist will not prevent this kind of attack. Disabling write-and-execute (suhosin.executor.include.allow_writable_files=Off) may be a viable alternative for some automated attacks here.
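The following is an added illustration, not code from either answer or from Suhosin itself: a small Python model of how the three settings discussed above (disable_eval, the whitelist, the blacklist) decide whether a given eval() string is allowed, and why the eval(base64_decode(...)) pattern from the note slips past a blacklist entry for base64_decode. The decision order (disable_eval=On wins, a non-empty whitelist is checked next, the blacklist only applies when the whitelist is empty) is a simplified re-implementation of the documented semantics, the function-call scan is a regex stand-in for Suhosin's real check, and the two configurations and the base64 payload are constructed for the example.

```python
"""Simplified model of Suhosin's eval() controls (added example, not Suhosin code).

It scans the string that eval() would receive for function calls and applies
disable_eval, the whitelist and the blacklist in the documented order.
"""
import base64
import re

# Constructed configs: the question's php.ini (disable_eval=On) and the
# corrected form suggested in the first answer (disable_eval=Off).
CONFIG_QUESTION = {
    "suhosin.executor.disable_eval": "On",
    "suhosin.executor.eval.whitelist": "",
    "suhosin.executor.eval.blacklist": "base64_decode, exec, system",
}
CONFIG_FIXED = {**CONFIG_QUESTION, "suhosin.executor.disable_eval": "Off"}

# Regex stand-in for "which functions does this code call" (assumption, not
# how Suhosin tokenizes; good enough for straight-line PHP snippets).
CALL_RE = re.compile(r"\b([a-zA-Z_][a-zA-Z0-9_]*)\s*\(")


def _parse_list(value):
    """Turn a comma-separated ini value into a set of lower-case names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def called_functions(code):
    """Function names that appear as calls in the string eval() would run."""
    return {m.group(1).lower() for m in CALL_RE.finditer(code)}


def eval_decision(config, code):
    """Return (allowed, reason) for eval(code) under the given config.

    1. disable_eval=On blocks every eval() regardless of the lists.
    2. A non-empty whitelist allows only the listed functions.
    3. Otherwise the blacklist blocks the listed functions.
    """
    if config.get("suhosin.executor.disable_eval", "Off").lower() == "on":
        return False, "disable_eval=On: eval() is disabled entirely"
    calls = called_functions(code)
    whitelist = _parse_list(config.get("suhosin.executor.eval.whitelist", ""))
    blacklist = _parse_list(config.get("suhosin.executor.eval.blacklist", ""))
    if whitelist:
        bad = calls - whitelist
        if bad:
            return False, "not in whitelist: " + ", ".join(sorted(bad))
        return True, "all calls whitelisted"
    bad = calls & blacklist
    if bad:
        return False, "blacklisted: " + ", ".join(sorted(bad))
    return True, "no blacklisted calls"


# Constructed harmless payload for the obfuscation pattern in the note.
ENCODED = base64.b64encode(b'echo "hello";').decode()


def code_seen_by_eval_direct():
    """eval('base64_decode("...");'): the call sits inside the eval string."""
    return 'base64_decode("' + ENCODED + '");'


def code_seen_by_eval_nested():
    """eval(base64_decode(...)): PHP decodes first, so eval() only sees the result."""
    return base64.b64decode(ENCODED).decode()


if __name__ == "__main__":
    for label, cfg in (("question", CONFIG_QUESTION), ("fixed", CONFIG_FIXED)):
        for form, code in (("direct", code_seen_by_eval_direct()),
                           ("nested", code_seen_by_eval_nested())):
            print(label, form, eval_decision(cfg, code))
```

Running it shows the two points of the thread side by side: with the question's config every eval() is refused before any list is consulted, and with disable_eval=Off the blacklist catches the direct form but passes the nested form, because the string that reaches eval() is already the decoded payload and contains no base64_decode call.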