Features
========

Snuffleupagus has a lot of features that can be divided into two main categories: bug-class
killers and virtual-patching. The first category provides primitives to kill various
bug families (like arbitrary code execution via ``unserialize``, for example) or to raise the
cost of exploitation. The second category is a highly configurable system to patch functions in PHP itself.

Bug classes killed or mitigated
-------------------------------

``system`` injections
^^^^^^^^^^^^^^^^^^^^^

The ``system`` function executes an external program and displays the output.
It is used to interact with various external tools, like file-format converters.
Unfortunately, passing user-controlled parameters to it often leads to arbitrary command execution.

    When allowing user-supplied data to be passed to this function,
    use ``escapeshellarg()`` or ``escapeshellcmd()`` to ensure that users cannot trick
    the system into executing arbitrary commands.

    --- `The PHP documentation about system <https://secure.php.net/manual/en/function.system.php>`_

We're mitigating it by filtering the ``$``, ``|``, ``;``, `````, ``\n`` and ``&`` characters in our
default configuration, making it a lot harder for an attacker to inject arbitrary commands.
This feature is even more effective when used along with :ref:`readonly_exec <readonly-exec-feature>`.
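As an added illustration (not code from the Snuffleupagus project, which applies its filter inside the engine), the following PHP mirrors the default configuration's metacharacter filter on the full command string and contrasts it with what the application side should do anyway: an allowlist on the filename shape plus ``escapeshellarg()``. The converter command, the paths and the sample filenames are constructed for the demo, and it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example; not part of Snuffleupagus. Paths and the converter
// command below are constructed for the demo.

// Characters filtered by the default Snuffleupagus configuration for system().
const SP_FILTERED_CHARS = ['$', '|', ';', '`', "\n", '&'];

/**
 * Mirror of the default filter: true if the command string would be dropped.
 * It looks at the *whole* command, so even an escapeshellarg()'d value that
 * contains one of these characters trips it; a filename should never need them.
 */
function command_would_be_dropped(string $command): bool
{
    foreach (SP_FILTERED_CHARS as $char) {
        if (str_contains($command, $char)) {
            return true;
        }
    }
    return false;
}

/**
 * Build the converter command for a user-chosen upload name.
 * Returns null when the name fails the allowlist, so the caller never
 * reaches system() with anything it did not expect.
 */
function build_thumbnail_command(string $userFilename): ?string
{
    // Allowlist the shape first; escaping is the second line of defence.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/', $userFilename) !== 1) {
        return null;
    }
    $src = '/var/www/uploads/' . $userFilename;          // constructed path
    $dst = '/var/www/thumbs/' . $userFilename . '.png';  // constructed path

    return 'convert ' . escapeshellarg($src)
        . ' -resize 128x128 ' . escapeshellarg($dst);
}

/** Classify a sample input on the hardened path. */
function classify(string $userFilename): string
{
    $cmd = build_thumbnail_command($userFilename);
    if ($cmd === null) {
        return 'rejected by allowlist';
    }
    if (command_would_be_dropped($cmd)) {
        return 'dropped by metacharacter filter';
    }
    return 'allowed: ' . $cmd;
}

// Constructed sample inputs: one legitimate name and a few that smuggle
// shell metacharacters into the filename.
$samples = ['avatar.jpg', 'avatar.jpg; id', 'a|b.png', "x.gif\nid"];
foreach ($samples as $name) {
    // What a vulnerable application would hand to system() unescaped.
    $naive = 'convert /var/www/uploads/' . $name . ' thumb.png';
    printf("%-18s default filter on naive command: %-8s hardened path: %s\n",
        json_encode($name),
        command_would_be_dropped($naive) ? 'dropped' : 'passes',
        classify($name));
}
```

Only ``avatar.jpg`` survives both checks; the other three are dropped by the filter when built naively and rejected by the allowlist on the hardened path. The filter is a safety net for code you do not control, the allowlist is what keeps your own code out of trouble.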


Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `CVE-2013-3630 <https://www.rapid7.com/db/modules/exploit/multi/http/moodle_cmd_exec>`__: Authenticated remote code execution in Moodle
- `CVE-2014-1610 <https://www.rapid7.com/db/modules/exploit/multi/http/mediawiki_thumb>`__: Unauthenticated remote code execution in DokuWiki
- `CVE-2014-4688 <https://www.pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc>`__: Authenticated remote code execution in pfSense
- `CVE-2017-7981 <https://tuleap.net/plugins/tracker/?aid=10159>`__: Authenticated remote code execution in Tuleap
- `CVE-2018-20434 <https://www.exploit-db.com/exploits/47044>`__: Authenticated remote code execution in LibreNMS
- `CVE-2020-5791 <https://www.tenable.com/security/research/tra-2020-58>`__: Authenticated remote code execution in Nagios XI
- `CVE-2020-8813 <https://www.exploit-db.com/exploits/48159>`__: Unauthenticated remote code execution in Cacti
- Every single `modem/router/switch/IoT/… <https://twitter.com/internetofshit>`_.


``mail``-related injections
^^^^^^^^^^^^^^^^^^^^^^^^^^^

This vulnerability has been known `since 2011 <http://esec-pentest.sogeti.com/posts/2011/11/03/using-mail-for-remote-code-execution.html>`_
and was popularized by `RIPS <https://www.ripstech.com/blog/2016/roundcube-command-execution-via-email/>`_ in 2016.
The last parameter of the ``mail`` function can be used to pass various flags to
the underlying binary used to send emails; this can lead to an arbitrary file write,
which often means arbitrary code execution.

    The ``additional_parameters`` parameter can be used to pass additional flags
    as command line options to the program configured to be used when sending mail.

    --- `The PHP documentation about mail <https://secure.php.net/manual/en/function.mail.php>`_

We're killing it by preventing any extra options in ``additional_parameters``.
This feature is even more effective when used along with :ref:`readonly_exec <readonly-exec-feature>`.


Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `CVE-2017-7692 <https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html>`_: Authenticated remote code execution in SquirrelMail
- `CVE-2016-10074 <https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>`_: remote code execution in SwiftMailer
- `CVE-2016-10033 <https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html>`_: remote code execution in PHPMailer
- `CVE-2016-9920 <https://www.ripstech.com/blog/2016/roundcube-command-execution-via-email/>`_: Unauthenticated remote code execution in Roundcube
- `CVE-2019-???? <https://www.exploit-db.com/exploits/46136>`__: Unauthenticated remote code execution in Horde

.. _cookie-encryption-feature:

Cookie stealing via XSS
^^^^^^^^^^^^^^^^^^^^^^^

The go-to payload for XSS is often to steal cookies.
Like *Suhosin*, we are encrypting the cookies with a secret key,
an environment variable (usually the IP of the user)
and the user's user-agent. This means that an attacker with an XSS won't be able to use
the stolen cookie, since they can't spoof the value of the environment
variable for the user. Please do read the :ref:`documentation about this feature <cookie-encryption-page>`
if you're planning to use it.

This feature is roughly the same as the `Suhosin one <https://suhosin.org/stories/configuration.html#transparent-encryption-options>`_.

Having a secret server-side key will prevent anyone (even the user)
from reading the content of the cookie, reducing the impact of an application storing sensitive data client-side.


.. _fileupload-feature:

Remote code execution via file upload
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Some PHP applications allow users to upload content, like avatars on a forum.
Unfortunately, content validation often isn't implemented properly (if at all),
meaning arbitrary file upload often leads to arbitrary code execution, contrary to the documentation.

    Not validating which file you operate on may mean that users can *access sensitive information* in other directories.

    --- `The PHP documentation about file uploads <https://secure.php.net/manual/en/features.file-upload.common-pitfalls.php>`_

We're killing it, like Suhosin, by automatically calling a script upon file upload:
if it returns something other than ``0``, the file will be removed (or stored in a quarantine
for further analysis).

We recommend using the `vld <https://derickrethans.nl/projects.html#vld>`_ project
inside the script to ensure the file doesn't contain any valid PHP code, with something like this:

::

    $ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file


Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `CVE-2017-6090 <https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/>`_: Unauthenticated remote code execution in PhpCollab
- `EDB-38407 <https://www.exploit-db.com/exploits/38407/>`_: Authenticated remote code execution in GLPI
- `CVE-2013-5576 <https://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads>`_: Authenticated remote code execution in Joomla
- `CVE-2019-15813 <https://www.exploit-db.com/exploits/48955>`__: Authenticated remote code execution in Sentrifugo
- `CVE-2019-17132 <http://karmainsecurity.com/KIS-2019-02>`__: Authenticated remote code execution in vBulletin
- `CVE-2020-10682 <http://dev.cmsmadesimple.org/bug/view/12275>`__: Authenticated remote code execution in CMS Made Simple
- `EDB-19154 <https://www.rapid7.com/db/modules/exploit/multi/http/qdpm_upload_exec>`_: Authenticated remote code execution in qdPM


.. _unserialize-feature:

Unserialize-related magic
^^^^^^^^^^^^^^^^^^^^^^^^^

PHP is able to *serialize* arbitrary objects, to easily store them.
Unfortunately, as demonstrated by `Stefan Esser <https://twitter.com/i0n1c>`__ in his `Shocking News in PHP Exploitation <https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf>`__ and `Utilizing Code Reuse/ROP in PHP
Application Exploits <https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf>`__ slides, it is often possible to gain arbitrary code execution upon deserialization
of user-supplied serialized objects.

    Do not pass untrusted user input to ``unserialize()`` regardless of the options value of allowed_classes.
    Unserialization can result in code being loaded and executed due to object instantiation and autoloading
    and a malicious user may be able to exploit this.

    --- `The PHP documentation about serialize <https://secure.php.net/manual/en/function.serialize.php>`_

We're killing it by exploiting the fact that PHP will discard any garbage found at the end of a serialized object,
allowing us to simply append an `HMAC <https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_
to the end of the strings generated by ``serialize``,
hence guaranteeing that any deserialized object came from the application
and wasn't tampered with.

We aren't encrypting it, like we do with the cookies,
allowing this feature to be disabled (or switched into learning mode)
without the need to invalidate any data.

.. warning::

   This feature can't be deployed on websites that already store serialized
   objects (i.e. in a database), since they are missing the HMAC and thus will be detected as
   an attack. If you're in this situation, you should use this feature in
   ``simulation`` mode, and switch simulation mode off once you don't have any messages in your
   logs.

A nice side effect of this feature is that it will defeat various memory corruption
issues related to the complexity of ``unserialize``'s implementation
and the amount of control it provides to an attacker, like `CVE-2016-9137,
CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_, `CVE-2016-7124
<https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773
<https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.


Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `CVE-2012-5692 <https://www.rapid7.com/db/modules/exploit/unix/webapp/invision_pboard_unserialize_exec>`_: Unauthenticated remote code execution in IP.Board
- `CVE-2014-1691 <http://seclists.org/oss-sec/2014/q1/153>`_: Unauthenticated remote code execution in Horde
- `CVE-2015-7808 <https://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize>`_: Unauthenticated remote code execution in vBulletin
- `CVE-2015-8562 <https://www.rapid7.com/db/modules/exploit/multi/http/joomla_http_header_rce>`_: Unauthenticated remote code execution in Joomla
- `CVE-2016-4010 <http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/>`_: Unauthenticated remote code execution in Magento
- `CVE-2016-5726 <http://seclists.org/oss-sec/2016/q2/521>`_: Unauthenticated remote code execution in Simple Machines Forums
- `CVE-2016-???? <https://www.computest.nl/advisories/CT-2016-1110_Observium.txt>`_: Unauthenticated remote code execution in Observium (leading to remote root)
- `CVE-2017-2641 <http://netanelrub.in/2017/03/20/moodle-remote-code-execution/>`_: Unauthenticated remote code execution in Moodle
- `CVE-2018-17057 <https://www.exploit-db.com/exploits/46634>`__: Unauthenticated remote code execution in LimeSurvey
- `CVE-2018-19274 <https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution/>`__: Authenticated remote code execution in phpBB
- `CVE-2019-6340 <https://www.ambionics.io/blog/drupal8-rce>`__: Unauthenticated remote code execution in Drupal


.. _harden-rand-feature:

Weak PRNG via rand/mt_rand
^^^^^^^^^^^^^^^^^^^^^^^^^^

The functions ``rand`` and ``mt_rand`` are often used to generate random numbers used
in sensitive contexts, like password generation or token creation.
Unfortunately, as stated in the documentation, the quality of their entropy is low,
leading to the generation of guessable values.

    This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.

    --- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_

We're addressing this issue by replacing every call to ``rand`` and ``mt_rand`` with
a call to ``random_int``, a `CSPRNG <https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator>`_.

It's worth noting that the PHP documentation contains the following warning:

    ``min`` ``max`` range must be within the range ``getrandmax()``. i.e. ``(max - min) <= getrandmax()``.
    Otherwise, ``rand()`` may return poor-quality random numbers.

    --- `The PHP documentation about rand <https://secure.php.net/manual/en/function.rand.php>`_

This is of course addressed as well by the ``harden_rand`` feature.
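To make the two server-secret mechanisms described in the cookie-encryption and unserialize sections above concrete, here is an added PHP sketch of both in userland; it is not Snuffleupagus code, which does this inside the engine. It shows a cookie value encrypted under a key derived from the server secret, the client's IP and its user-agent, and a ``serialize()`` output with an HMAC appended, verified and stripped before ``unserialize()`` ever sees it. The key-derivation scheme, the cookie layout (nonce prepended, base64) and the hex-encoded SHA-256 tag are assumptions for the demo, not the extension's exact format; it needs PHP 8 with the sodium extension (bundled since PHP 7.2).

```php
<?php
declare(strict_types=1);

// Added example (not Snuffleupagus code). Key derivation, cookie layout and
// the hex HMAC suffix are assumptions made for this demo.

// Constructed for the demo; a real deployment keeps this outside the webroot.
const SERVER_SECRET = 'demo-only-server-secret-change-me';

/* ---- Cookie encryption bound to the client's IP and user-agent ---- */

// Derive a per-client key from the server secret, the environment variable
// (here the remote address) and the user-agent, as the section describes.
function cookie_key(string $secret, string $envValue, string $userAgent): string
{
    // 32 raw bytes == SODIUM_CRYPTO_SECRETBOX_KEYBYTES
    return hash_hmac('sha256', $envValue . "\0" . $userAgent, $secret, true);
}

function encrypt_cookie(string $plain, string $secret, string $ip, string $ua): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plain, $nonce, cookie_key($secret, $ip, $ua));
    return base64_encode($nonce . $box);  // the nonce is public; prepend it
}

// Returns null when the cookie was not produced for this secret/IP/UA triple.
function decrypt_cookie(string $cookie, string $secret, string $ip, string $ua): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, cookie_key($secret, $ip, $ua));
    return $plain === false ? null : $plain;
}

/* ---- HMAC appended to serialize() output ---- */

// Append a hex HMAC. unserialize() ignores trailing bytes, so the tagged
// string still deserializes unchanged on a host without the check.
function serialize_signed(mixed $value, string $secret): string
{
    $blob = serialize($value);
    return $blob . hash_hmac('sha256', $blob, $secret);
}

// Verify and strip the tag before unserialize() sees the data. Returns
// null on a missing or wrong tag (the "attack" case in enforcing mode).
function unserialize_verified(string $tagged, string $secret): mixed
{
    $tagLen = 64;  // hex length of a SHA-256 HMAC
    if (strlen($tagged) <= $tagLen) {
        return null;
    }
    $blob = substr($tagged, 0, -$tagLen);
    $tag  = substr($tagged, -$tagLen);
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $tag)) {
        return null;
    }
    return unserialize($blob, ['allowed_classes' => false]);
}

/* ---- Demo with constructed client data ---- */

$ip = '203.0.113.7';
$ua = 'Mozilla/5.0 (demo)';
$cookie = encrypt_cookie('session=42', SERVER_SECRET, $ip, $ua);
var_dump(decrypt_cookie($cookie, SERVER_SECRET, $ip, $ua));            // string(10) "session=42"
var_dump(decrypt_cookie($cookie, SERVER_SECRET, '198.51.100.9', $ua)); // NULL: same cookie, other IP

$signed = serialize_signed(['user' => 'alice', 'admin' => false], SERVER_SECRET);
var_dump(unserialize_verified($signed, SERVER_SECRET)['admin']);       // bool(false)
$forged = str_replace('b:0;', 'b:1;', $signed);                         // tamper with the payload
var_dump(unserialize_verified($forged, SERVER_SECRET));                // NULL: HMAC mismatch
```

Two details matter for a userland version. Stripping the tag before calling ``unserialize()`` keeps the input clean, which also avoids the trailing-data warning PHP 8.3 emits for unconsumed bytes; the extension can instead rely on the engine discarding the garbage, as the section explains. And binding the cookie key to the IP means a legitimate user whose address changes gets a fresh session rather than a readable one, which is the trade-off the linked cookie-encryption documentation asks you to read about.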


Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `CVE-2015-5267 <https://moodle.org/mod/forum/discuss.php?d=320291>`_: Unauthenticated account takeover in Moodle
- `CVE-2014-9624 <https://www.mantisbt.org/bugs/view.php?id=17984>`_: Captcha bypass in MantisBT
- `CVE-2014-6412 <https://core.trac.wordpress.org/ticket/28633>`_: Unauthenticated account takeover in WordPress
- `CVE-2015-???? <https://hackerone.com/reports/31171>`_: Unauthenticated account takeover in Concrete5
- `CVE-2013-6386 <https://www.drupal.org/SA-CORE-2013-003>`_: Unauthenticated account takeover in Drupal
- `CVE-2010-???? <http://www.sektioneins.com/advisories/advisory-022010-mybb-password-reset-weak-random-numbers-vulnerability.html>`_: Unauthenticated account takeover in MyBB
- `CVE-2008-4102 <https://sektioneins.de/en/advisories/advisory-042008-joomla-weak-random-password-reset-token-vulnerability.html>`_: Unauthenticated account takeover in Joomla
- `CVE-2006-0632 <https://www.cvedetails.com/cve/CVE-2006-0632/>`_: Unauthenticated account takeover in phpBB

.. _xxe-feature:

XXE
^^^

Despite the documentation saying nothing about this class of vulnerabilities,
`XML eXternal Entity <https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing>`_ (XXE) processing often leads to arbitrary file reading, `SSRF <https://www.owasp.org/index.php/Server_Side_Request_Forgery>`_ and sometimes even arbitrary
code execution.

XML documents can contain a `Document Type Definition <https://www.w3.org/TR/REC-xml/#sec-prolog-dtd>`_ (DTD),
enabling the definition of XML entities. It is possible to define an (external) entity by a
URI, whose content the parser will fetch and embed back into the document
for further processing.

For example, providing a URL like ``file:///etc/passwd`` will read
the file's content.
Since the file is not valid XML, the application
will spit it out in an error message, thus leaking its content.

We're killing this class of vulnerabilities by calling
the `libxml_disable_entity_loader <https://secure.php.net/manual/en/function.libxml-disable-entity-loader.php>`_
function with its parameter set to ``true`` at startup,
and then *nop'ing* it, so it won't do anything if ever called again.


Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `CVE-2015-5161 <https://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.html>`_: Unauthenticated arbitrary file disclosure in Magento
- `CVE-2014-8790 <https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944>`_: Unauthenticated remote code execution in GetSimple CMS
- `CVE-2011-4107 <https://www.phpmyadmin.net/security/PMASA-2011-17/>`_: Authenticated local file disclosure in PHPMyAdmin


.. _auto-cookie-secure-feature:

Cookie stealing via HTTP MITM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It's possible to set the ``secure`` flag on cookies to prevent them from being
transmitted over plain HTTP and only allow their transmission over HTTPS;
Snuffleupagus can automatically set this flag if the client is accessing the
website over a secure connection.

This behaviour is suggested in the documentation:

    On the server-side, it's on the programmer to send this kind of cookie only
    on secure connection (e.g. with respect to ``$_SERVER["HTTPS"]``).

    --- `The PHP documentation about setcookie <https://secure.php.net/manual/en/function.setcookie.php>`_


Exploitation, post-exploitation and general hardening
-----------------------------------------------------


.. _virtual-patching-feature:

Virtual-patching
^^^^^^^^^^^^^^^^

PHP itself exposes a number of functions that might be considered **dangerous** and that have limited legitimate use cases.
``system()``, ``exec()`` and ``dlopen()``, for example, fall into this category. By default, PHP only allows us to globally disable some functions.

However, some of them (``system()``, for instance) have legitimate use cases in processes such as self-upgrade, making it impossible to
disable them globally without the risk of breaking critical features.

Snuffleupagus allows the user to restrict usage of specific functions per file, or per
file with a matching (sha256) hash, thus allowing the use of such functions **only** in the intended places.
It can also restrict per `CIDR <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing>`__,
to restrict execution to users on the LAN, for example. There are a *lot*
of different filters, so make sure to read the :ref:`corresponding documentation <virtual-patching-config>`.

Furthermore, running the `following script <https://github.com/nbs-system/snuffleupagus/blob/master/scripts/generate_rules.php>`_ will generate a hash- and line-based whitelist
of dangerous functions, dropping them everywhere else:


.. literalinclude:: ../../scripts/generate_rules.php
   :language: php


The intent is to make the post-exploitation process (such as backdooring of legitimate code, or RAT usage) a lot harder for the attacker.


.. _global-strict-feature:

Global strict mode
^^^^^^^^^^^^^^^^^^

By default, PHP will coerce values of the wrong type into the expected one
if possible. For example, if a function expecting an integer is given a string,
it will be coerced into an integer.

PHP7 introduced a **strict mode**, in which variables won't be coerced anymore,
and a `TypeError <https://php.net/manual/en/class.typeerror.php>`_ exception will
be raised if the types don't match.
`Scalar type declarations <https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations>`_
are optional, but you don't have to use them in your own code to benefit from strict mode,
since every internal PHP function has them.

This option provides a switch to globally activate this strict mode,
helping to uncover vulnerabilities like the classical
`strcmp bypass <https://danuxx.blogspot.fr/2013/03/unauthorized-access-bypassing-php-strcmp.html>`_
and various other type mismatches.

This feature is largely inspired by the
`autostrict <https://github.com/krakjoe/autostrict>`_ module from `krakjoe <http://krakjoe.ninja>`__.

PHP8 already has `this feature <https://wiki.php.net/rfc/consistent_type_errors>`__ for internal functions.


.. _sloppy-comparisons-feature:

Preventing sloppy comparisons
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The aforementioned :ref:`strict mode <global-strict-feature>` only works with
annotated types and native functions, so it doesn't cover every instance of
`type juggling <https://secure.php.net/manual/en/language.types.type-juggling.php>`__
during comparisons. Since comparison between different types in PHP is
`notoriously <https://secure.php.net/manual/en/types.comparisons.php>`__
difficult to get right, Snuffleupagus offers a way to **always** use the
``identical`` operator instead of the ``equal`` one (see the `operator section <https://secure.php.net/manual/en/language.operators.comparison.php>`__
of PHP's documentation for more details), so that values with different types
will always be treated as being different.
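The following added PHP example (not from the Snuffleupagus project) shows, on constructed inputs, what the two features described above change: what a loose ``==`` and a loose ``in_array()`` accept that the identical comparison rejects, and how strict mode turns the silently coerced argument behind the classical ``strcmp`` bypass into a caught ``TypeError``. The token strings are constructed literals of the ``0e<digits>`` shape, not real hash outputs, and the result comments assume PHP 8.

```php
<?php
declare(strict_types=1);   // per-file strict mode; the Snuffleupagus feature flips this globally

// Added example (not from the Snuffleupagus project). Inputs are constructed;
// result comments assume PHP 8.

/* ---- 1. Loose == between two numeric-looking strings ---- */

// Both strings have the form "0e<digits>", so == parses them as floats
// and finds 0.0 == 0.0. Constructed literals, not real hash outputs.
const STORED_TOKEN = '0e462097431906509019562988736854';
const GIVEN_TOKEN  = '0e830400451993494058024219903391';

function loose_token_match(string $expected, string $given): bool
{
    return $expected == $given;            // true: type juggling
}

function strict_token_match(string $expected, string $given): bool
{
    return hash_equals($expected, $given); // false: byte comparison, constant time
}

/* ---- 2. in_array()/array_search() juggle the same way unless told not to ---- */

function id_is_allowed_loose(string $id, array $allowed): bool
{
    return in_array($id, $allowed);        // '1e1' == '10' -> true
}

function id_is_allowed_strict(string $id, array $allowed): bool
{
    return in_array($id, $allowed, true);  // identical only -> false
}

/* ---- 3. Strict mode turns a silent coercion into a TypeError ---- */

// The classic strcmp() bypass: on PHP 7 without strict mode, strcmp(array, string)
// emitted a warning and returned NULL, and NULL == 0 made the check pass.
// With strict_types=1 (or on PHP 8), the same call throws a TypeError instead.
function password_matches(mixed $given, string $stored): bool
{
    try {
        return strcmp($given, $stored) === 0;
    } catch (\TypeError $e) {
        return false;                       // wrong type is a failed login, not a bypass
    }
}

function demo(): array
{
    return [
        'loose ==      ' => loose_token_match(STORED_TOKEN, GIVEN_TOKEN),
        'hash_equals   ' => strict_token_match(STORED_TOKEN, GIVEN_TOKEN),
        'in_array      ' => id_is_allowed_loose('1e1', ['10', '20', '30']),
        'in_array true ' => id_is_allowed_strict('1e1', ['10', '20', '30']),
        'strcmp(array) ' => password_matches(['x'], 'correct horse'),
    ];
}

foreach (demo() as $label => $result) {
    printf("%s %s\n", $label, var_export($result, true));
}
// Expected on PHP 8: loose == true, hash_equals false, in_array true,
// in_array true false, strcmp(array) false.
```

The third case is exactly the gap the page describes between the two features: strict mode catches the bad argument because ``strcmp`` is an internal function with a declared parameter type, whereas the ``==`` and ``in_array`` cases involve no function signature at all and only the identical-comparison feature changes their result.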

Keep in mind that this feature will not only affect the ``==`` operator,
but also the `in_array
<https://secure.php.net/manual/en/function.in-array.php>`__, `array_search
<https://secure.php.net/manual/en/function.array-search.php>`__ and `array_keys
<https://secure.php.net/manual/en/function.array-keys.php>`__ functions.

PHP8 implements `a subset <https://wiki.php.net/rfc/consistent_type_errors>`__ of this feature.


.. _readonly-exec-feature:

Preventing execution of writable PHP files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If an attacker manages to upload an arbitrary file or to modify an existing one,
odds are that (thanks to the default `umask <https://en.wikipedia.org/wiki/Umask>`_)
this file is writable by the PHP process.

Snuffleupagus can prevent the execution of this kind of file. A good practice
is to run PHP under a different user than the one administrating the website,
and to use this feature to lock this down.

.. _stream-wrapper-whitelist-feature:

Whitelist of stream wrappers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

PHP comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__
`stream wrappers <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them
are enabled by default.

The only way to tighten this exposed surface a bit is to use the
`allow_url_fopen/allow_url_include <https://secure.php.net/manual/en/features.remote-files.php>`__
configuration options, but it's `not possible <https://bugs.php.net/bug.php?id=50715>`__
to deactivate them on an individual basis.
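The paragraph above is about PHP's configuration options; as an added example (not Snuffleupagus code), here is what the same whitelist looks like when done from userland with ``stream_get_wrappers()`` and ``stream_wrapper_unregister()``, for instance from an ``auto_prepend_file``, together with a scheme check on untrusted paths. The allowed list and the sample paths are assumptions constructed for the demo; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not Snuffleupagus code): the userland counterpart of a
// stream-wrapper whitelist. The allowed list below is an assumption for a
// typical application; adjust it to what your code actually opens.

/**
 * Unregister every wrapper not in $allowed and return the names removed.
 * Built-in wrappers can be unregistered too. The weakness of doing this in
 * userland is that stream_wrapper_restore() brings them back, so code running
 * later in the same request can undo it; an engine-level whitelist cannot be.
 */
function enforce_wrapper_whitelist(array $allowed): array
{
    $removed = [];
    foreach (stream_get_wrappers() as $wrapper) {
        if (in_array($wrapper, $allowed, true)) {
            continue;
        }
        if (stream_wrapper_unregister($wrapper)) {
            $removed[] = $wrapper;
        }
    }
    return $removed;
}

/** Scheme PHP would route a path to, lower-cased; plain paths use "file". */
function path_scheme(string $path): string
{
    if (preg_match('/\A([A-Za-z][A-Za-z0-9+.-]*):\/\//', $path, $m) === 1) {
        return strtolower($m[1]);
    }
    // PHP also accepts the RFC 2397 form without slashes: "data:text/plain,..."
    if (stripos($path, 'data:') === 0) {
        return 'data';
    }
    return 'file';
}

/**
 * Check an untrusted path before include/fopen, so it cannot reach a
 * disallowed wrapper even if one is still registered.
 */
function path_uses_allowed_wrapper(string $path, array $allowed): bool
{
    return in_array(path_scheme($path), $allowed, true);
}

$allowed = ['file', 'https'];   // assumption: this app reads local files and HTTPS feeds only

echo "before:  ", implode(', ', stream_get_wrappers()), "\n";
$removed = enforce_wrapper_whitelist($allowed);
echo "removed: ", implode(', ', $removed), "\n";
echo "after:   ", implode(', ', stream_get_wrappers()), "\n";

// Constructed sample paths as they might arrive in a "template" parameter.
$samples = [
    'pages/about.html',
    'https://example.com/feed.xml',
    'php://input',
    'phar://archive.phar/index.php',
    'data:text/plain;base64,SGk=',
];
foreach ($samples as $p) {
    printf("%-32s %s\n", $p, path_uses_allowed_wrapper($p, $allowed) ? 'allowed' : 'blocked');
}

// With "data" unregistered, PHP warns that the wrapper is missing and falls
// back to treating the string as a plain file path, which does not exist.
var_dump(@file_get_contents('data:text/plain;base64,SGk='));  // bool(false)
```

The whitelist works at wrapper granularity: allowing ``php`` because the application reads ``php://input`` also allows every other ``php://`` stream, which is why the scheme check alone is a coarse tool and why the engine-level feature is preferable where it can be deployed.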

Examples of related vulnerabilities
"""""""""""""""""""""""""""""""""""

- `RCE via phar:// <https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017>`__
- `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__
- `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__

.. _eval-feature:

White and blacklist in ``eval``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

While `eval <https://secure.php.net/manual/en/function.eval.php>`__ is a
dangerous primitive, tricky to use right, with almost no legitimate usage
besides templating and building mathematical expressions based on user input,
it's broadly (mis)used all around the web.

Snuffleupagus provides a white- and blacklist mechanism to explicitly allow
or forbid specific function calls from being issued inside ``eval``.

While it's heavily recommended to only use the whitelist feature, the blacklist
one exists because some sysadmins might want to use it to catch automated
script-kiddie attacks, while being confident that doing so won't break a
single website.

.. _samesite-feature:

Protection against cross-site request forgery
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Cross-site request forgery, often abbreviated as *CSRF*,
is when unauthorised commands are issued on behalf of a user that the application trusts.
For example, if a user is authenticated on a banking website,
another site might present something like
``<img src="http://mybank.com/transfer?from=user&to=attack&amount=1337EUR">``,
effectively transferring money from the user's account to the attacker's one.

Snuffleupagus can prevent this (in `supported browsers <https://caniuse.com/#search=samesite>`__)
by setting the `samesite <https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7>`__
attribute on cookies.


Dumping capabilities
^^^^^^^^^^^^^^^^^^^^

It's possible to apply the ``dump()`` filter to any virtual-patching rule,
to dump the complete web request, along with the filename and the corresponding
line number. By using the *right* set of restrictive rules (or by using
*overly* restrictive ones in ``simulation`` mode), you might be able
to collect interesting attacks used against your website.

Dumps are stored in the folder that you pass to the ``dump()`` filter,
in files named ``sp_dump.SHA`` with ``SHA`` being the *sha256* of the
rule that matched. Since the filename depends only on the rule, this
mitigates denial-of-service attacks that could fill up your filesystem.


Misc low-hanging fruits in the default configuration file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Snuffleupagus ships with a default configuration file containing
various examples and ideas of things that you might want to enable (or not).

Available functions recon
"""""""""""""""""""""""""

Usually, after compromising a website, the attacker does some recon
from within their webshell to check which functions are available to execute arbitrary code,
since it's not uncommon for web hosts to disable things like ``system`` or ``passthru``,
or to check whether mitigations like ``open_basedir`` are enabled.
This behaviour can be detected by preventing the execution of functions like ``ini_get``
or ``is_callable`` with *suspicious* parameters.

``chmod`` hardening
"""""""""""""""""""

Some PHP applications use overly broad permissions when calling the ``chmod`` function,
like the infamous ``chmod(777)``, effectively making the file writable by everyone.
Snuffleupagus prevents this kind of behaviour by restricting the parameters
that can be passed to ``chmod``.

Arbitrary file inclusion hardening
""""""""""""""""""""""""""""""""""

Arbitrary file inclusion is a common vulnerability that might be detected
by preventing the inclusion of anything that doesn't match a strict set
of file extensions in calls to ``include`` or ``require``.


Enforcing certificate validation when using curl
""""""""""""""""""""""""""""""""""""""""""""""""

While it might be convenient to disable certificate validation on preproduction
or during tests, it's `common <https://twitter.com/CiPHPerCoder/status/1056974646363516928>`__
to see people disabling it in production too.
We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and
``CURLOPT_SSL_VERIFYHOST`` options to be set to ``0``.

*Cheap* SQL injection detection
"""""""""""""""""""""""""""""""

In some SQL injections, attackers might need to use comments, a feature that is
often not used in production systems, so it might be a good idea to filter
queries that contain some. The same filtering idea can be used against
SQL functions that are frequently used in SQL injections, like ``sleep`` or ``benchmark``,
or strings like ``version_info``.

On the topic of SQL injections, if a function performing a query returns ``FALSE``
(indicating an error), it might be useful to dump the request for further analysis.
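Both ideas from the SQL section above, the pre-check on comments and suspicious functions and the dump of queries that fail, are shown in this added PHP example run over constructed queries; it is not Snuffleupagus code, which implements the same heuristics as virtual-patching rules. The in-memory stand-in for the database, the log array and the sample statements are constructed for the demo; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not Snuffleupagus code): the two "cheap" SQL-injection
// heuristics as a userland pre-check plus an error hook around an arbitrary
// query function. Sample queries, the fake database and the log are constructed.

/**
 * Returns the name of the first heuristic the query trips, or null.
 * Heuristics: SQL comments, the timing functions named on the page, and
 * the version_info string. Tune them to what your queries really never use:
 * "#" in particular will hit legitimate string literals that contain one.
 */
function sql_suspicious_reason(string $sql): ?string
{
    $checks = [
        'comment'         => '/(--|#|\/\*)/',
        'timing function' => '/\b(sleep|benchmark)\s*\(/i',
        'version probing' => '/version_info/i',
    ];
    foreach ($checks as $reason => $pattern) {
        if (preg_match($pattern, $sql) === 1) {
            return $reason;
        }
    }
    return null;
}

/**
 * Run $execute($sql) and, like the dump() idea above, record the full query
 * when it is blocked or when it fails (returns FALSE) for later analysis.
 * $execute stands in for mysqli_query()/PDO::query(); $log receives records.
 */
function guarded_query(callable $execute, string $sql, array &$log): mixed
{
    if (($reason = sql_suspicious_reason($sql)) !== null) {
        $log[] = ['event' => 'blocked', 'reason' => $reason, 'sql' => $sql];
        return false;
    }
    $result = $execute($sql);
    if ($result === false) {
        $log[] = ['event' => 'error', 'reason' => 'query returned FALSE', 'sql' => $sql];
    }
    return $result;
}

// Constructed stand-in for a database: accepts the one statement shape the
// application issues and fails on anything else, as a broken injected query would.
$fakeDb = function (string $sql): array|false {
    return preg_match('/\ASELECT id FROM users WHERE email = \'[^\']*\'\z/', $sql) === 1
        ? [['id' => 7]]
        : false;
};

$log = [];
$samples = [
    "SELECT id FROM users WHERE email = 'alice@example.com'",           // legitimate
    "SELECT id FROM users WHERE email = '' OR SLEEP(5)-- '",            // comment + timing
    "SELECT id FROM users WHERE email = 'a' UNION SELECT version_info", // version probing
    "SELECT id FROM users WHERE email = 'x' AND 1=1",                   // no heuristic hit, fails
];
foreach ($samples as $sql) {
    $r = guarded_query($fakeDb, $sql, $log);
    printf("%-68s -> %s\n", $sql, $r === false ? 'FALSE' : count($r) . ' row(s)');
}
print_r($log);   // two 'blocked' records and one 'error' record
```

The last sample is the point of the second heuristic: it trips none of the string checks, yet the query that reaches the database fails, and the logged statement is what you would read when working out why. As the section says, these are cheap detections, so review the log for false positives before turning a rule from logging into blocking.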