UBB suhosin Check #320651
01/14/2015 7:13 AM
Joined: Jan 2000
Posts: 5,941
Portland, OR, USA
Gizmo Offline OP

UBB.Dev / UBB.Wiki Owner
Time Lord
Title: UBB suhosin Check

Author: Gizmo (James of VNC Web Services)

Requirements: UBB 7.x

Current Version: v0.1

Stock in UBB.Threads 7.5.9


About:
Some hosts with suhosin installed have the value set to the default (512) which can end up with your config.inc.php file set to blank; the below check sits on your admin landing page and displays a warning if this value is below 2048 (as recommended by MediaWiki, so I figure it's a good round number for us as well).

Basically, when we save a page in the CP it will save every value in the CP back to the config file, which can easily go over some configured suhosin values. The below check also will display what the current value is.

We have a writeup at the UBBWiki here with more information.

About suhosin:
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Unlike the PHP Hardening-Patch Suhosin is binary compatible to normal PHP installation, which means it is compatible to 3rd party binary extension like ZendOptimizer.

Install Instructions:
In /admin/login.php Find:
Code
if ($ubbt_admin) {
	$ubbt_admin = unserialize($ubbt_admin);
}


Add Below:
Code
// suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
// Default to no warning so the template never sees an undefined variable.
$suhosin = "";
if (extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
	// ini_get() returns a string; compare it as an integer.
	$suhosin_length = (int) ini_get("suhosin.get.max_value_length");
	// Warn only when the limit is below the recommended 2048.
	if ($suhosin_length < 2048) {
		$suhosin = "You may experience issues with a blank configuration file if you continue, please see <a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues with suhosin</a>; this issue pertains to the settings of the suhosin module with your webhost.  Your current suhosin length is: " . $suhosin_length . ".";
	}
}



In /templates/default/admin/login.tmpl Find:
Code
if ($user['USER_MEMBERSHIP_LEVEL'] == "Administrator") {
echo <<<UBBTPRINT
$open  <br />[<a href="{$config['BASE_URL']}/admin/dotoggleopen.php">$dotoggle</a>]
UBBTPRINT;
}


Add Above:
Code
if($suhosin != "") {
echo <<<UBBTPRINT
<span style="color: #CC0000;">$suhosin</span><br /><br />
UBBTPRINT;
}


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, UBB.SitemapsJames Corthell
Re: UBB suhosin Check [Re: Gizmo] #320652
01/15/2015 6:56 PM
Joined: Oct 2010
Posts: 6
wa
Bill BB Offline
Lurker
Wow.. embarrassed to admit that I didn't know what this was. For anyone else, here's the short description.

Quote
Suhosin (pronounced 'su-ho-shin') is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination.

So now my next challenge is to figure out how to find out if my Host vendor has it installed.

Re: UBB suhosin Check [Re: Gizmo] #320653
01/16/2015 2:38 AM
Joined: Jan 2000
Posts: 5,941
Portland, OR, USA
Gizmo Offline OP

UBB.Dev / UBB.Wiki Owner
Time Lord
I expanded on the about section when I got more time (coded while baby was taking a nap, written up while she was eating a snack, lol).

It's generally installed for buffer overflow protection, but is rarely adjusted from the default value of 512; this check reports an error if the value is less than 2048.


Re: UBB suhosin Check [Re: Gizmo] #320654
01/16/2015 8:20 AM
Joined: Nov 2003
Posts: 331
UK
Mark_S Offline

Beta Tester
Look in your php.ini file

You can use the control panel php info tab on your forums to oversee the php info.

Scroll down to the S section and see the suhosin section.

On my set up I had to add

suhosin.post.max_value_length = 2048

into the php.ini file which I located at

/usr/local/lib

on a CentOS setup.

There were no other suhosin variables listed so it loads the defaults in that case.


I've not had a problem with the default values but there are plenty of warnings around Google if you search that variable so I'm giving it a go.

Attached Files
suhosin.jpg (10 downloads)
Default Settings
suhosin.jpg (8 downloads)
After line added

BOOM 7.6.+ rocks....
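
One way to answer the question above of whether a host has suhosin loaded and what its length limits are, as an added example that is not part of the original mod or of any poster's code: the script below reports the four suhosin max_value_length directives against the 2048 threshold used in this thread, and lists which values in a flat settings array are longer than a given limit. The function names and the sample setting keys are hypothetical.

```php
<?php
// Added example, not part of the original mod. Run it from the CLI or from a
// protected admin directory; it prints a plain-text report.

const RECOMMENDED_LENGTH = 2048; // threshold used by the check in this thread

// Status of each suhosin *.max_value_length directive. $read defaults to
// ini_get and is injectable so the logic can be exercised without suhosin.
function suhosin_length_report($read = 'ini_get')
{
    $report = array();
    foreach (array('get', 'post', 'request', 'cookie') as $source) {
        $name = 'suhosin.' . $source . '.max_value_length';
        $raw = call_user_func($read, $name);
        if ($raw === false || (int) $raw === 0) {
            // Same treatment as the mod: an empty or zero value is not checked.
            $report[$name] = 'not set';
        } elseif ((int) $raw < RECOMMENDED_LENGTH) {
            $report[$name] = (int) $raw . ' (below ' . RECOMMENDED_LENGTH . ')';
        } else {
            $report[$name] = (int) $raw . ' (ok)';
        }
    }
    return $report;
}

// Keys of a flat settings array whose values are longer than $limit bytes.
function values_over_limit(array $fields, $limit)
{
    $over = array();
    foreach ($fields as $key => $value) {
        $length = strlen((string) $value);
        if ($length > $limit) {
            $over[$key] = $length;
        }
    }
    return $over;
}

if (!extension_loaded('suhosin')) {
    echo "suhosin extension: not loaded\n";
} else {
    foreach (suhosin_length_report() as $name => $status) {
        echo $name . ': ' . $status . "\n";
    }
}

// Constructed sample settings (hypothetical keys, not real UBB config names).
$sample = array('SITE_TITLE' => 'My Forum', 'CUSTOM_HEADER' => str_repeat('x', 900));
print_r(values_over_limit($sample, 512));
```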
Re: UBB suhosin Check [Re: Gizmo] #320655
01/16/2015 8:51 AM
Joined: Jan 2000
Posts: 5,941
Portland, OR, USA
Gizmo Offline OP

UBB.Dev / UBB.Wiki Owner
Time Lord
Well, the package that's received from their site has the default of 512, 2048 is more than capable for your config (in fact, this script shows a warning of anything below that value).

MOST users are on shared hosts, which means they generally cannot edit this value (and a lot of fly by night hosts just install things vs messing with their default values).


Re: UBB suhosin Check [Re: Gizmo] #320656
01/16/2015 9:43 AM
Joined: Dec 2001
Posts: 84
Issaquah, WA
Bill B Offline
Power User
Interesting. I'm on a VPS with Webintellects and supposedly have FULL ACCESS to my virtual server. But there is no suhosin listed in the info section.


Bill Barker
Issaquah, Wa
Re: UBB suhosin Check [Re: Bill B] #320657
01/16/2015 10:10 AM
Joined: Jan 2000
Posts: 5,941
Portland, OR, USA
Gizmo Offline OP

UBB.Dev / UBB.Wiki Owner
Time Lord
Originally Posted by Bill B
Interesting. I'm on a VPS with Webintellects and supposedly have FULL ACCESS to my virtual server. But there is no suhosin listed in the info section.
If the phpinfo doesn't report suhosin then it shouldn't be installed on your server; every php module loaded should indicate itself in one way or another via phpinfo.

