7.5.9 suhosin check. #320773
02/02/2015 6:45 AM
Ruben Rocha
Beta Tester
Joined: Jan 2000
Posts: 240
Lutz,FL,USA
The current release 7.5.9 has:
Code
// suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
if(extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
	if(ini_get("suhosin.get.max_value_length") <= 2048) {
		$suhosin = "You may experience issues with a blank configuration file if you continue, please see <a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues with suhosin</a>; this issue pertains to the settings of the suhosin module with your webhost.  Your current suhousin length is: ". ini_get("suhosin.get.max_value_length") .".";
	} else {
		$suhosin = "";
	}
}

So the way I read it, it only reads
suhosin.get.max_value_length.
If it is less than or equal to 2048, show a warning (add it to $suhosin).
If it is greater than 2048 then the $suhosin value is null.

Now I see Giz has a new enhanced release for this check.

But at UBB I think Jake's issue was well founded.
Probably the host removed suhosin as was quoted.

I guess I need to build a sandbox with a shared host account for 7.5.9 and +.

UBB.Threads Suhosin Check #320776
02/02/2015 6:45 AM
Gizmo (OP)
UBB.Dev / UBB.Wiki Owner
Time Lord
Joined: Jan 2000
Posts: 5,941
Portland, OR, USA
I've been hard at work on the Suhosin detection and a Suhosin Information display which will give the user data on what setting is recommended, what settings are being used, and what the default data is.

Data for recommendations is utilized as referenced from PHPMyAdmin's docs (I had to reference a big project).

A bug was also discovered with my initial check and will be updated in the next version (I used equal to or less than, rather than less than, in my test code and didn't get it updated).

If your webhost is running the recommended settings and you're still seeing the warning, you can fix this by editing admin/login.php
Find:
Code
// suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
if(extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
	if(ini_get("suhosin.get.max_value_length") <= 2048) {
		$suhosin = "You may experience issues with a blank configuration file if you continue, please see <a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues with suhosin</a>; this issue pertains to the settings of the suhosin module with your webhost.  Your current suhousin length is: ". ini_get("suhosin.get.max_value_length") .".";
	} else {
		$suhosin = "";
	}
}


Replace With
Code
// suhosin Check by VNC Web Services (http://www.virtualnightclub.net/)
if(extension_loaded("suhosin") && ini_get("suhosin.get.max_value_length")) {
	if(ini_get("suhosin.get.max_value_length") < 2048) {
		$suhosintxt = "You may experience issues with a blank configuration file if you continue. Please see \"<a href=\"http://www.ubbwiki.com/article/view/16/issues-with-suhosin.html\" target=\"_blank\">UBB.Wiki: Issues With Suhosin</a>\". This issue pertains to the settings of the suhosin module with your webhost.";
		$suhosinsize = ini_get("suhosin.get.max_value_length") ;
	} else {
		$suhosintxt = "";
		$suhosinsize = "";
	}
}


The new check that I'm working on will check the following settings:
Quote
suhosin.get.max_value_length < 1024
suhosin.request.max_vars < 2048
suhosin.post.max_vars < 2048


Versus:
Quote
suhosin.get.max_value_length < 2048


For users with Suhosin installed, if you'd be interested in testing the new Suhosin check/info center PLEASE send me a PT or an email james[at]virtualnightclub[dot]net and I'll give you the latest set of coding (you must be running 7.5.8+ in order to use the new code).


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, UBB.SitemapsJames Corthell
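
The three-setting check described in the post above, as an added example that is not UBB.threads code and not Gizmo's implementation. The minimums are the ones quoted in the post; the function names, the status labels and the injectable lookup (which lets the logic run against constructed values on a server without Suhosin) are assumptions.

```php
<?php
// Added example, not UBB.threads code. Written for PHP 5.4+.
// Minimums quoted in the post above; a value below its minimum triggers the warning.
function suhosin_minimums()
{
    return [
        'suhosin.get.max_value_length' => 1024,
        'suhosin.request.max_vars'     => 2048,
        'suhosin.post.max_vars'        => 2048,
    ];
}

// $lookup is any ini_get()-compatible callable: it returns the value as a string,
// or false when the directive does not exist. Status labels are hypothetical.
function suhosin_report(callable $lookup)
{
    $report = [];
    foreach (suhosin_minimums() as $name => $minimum) {
        $raw = $lookup($name);
        if ($raw === false || trim((string) $raw) === '') {
            // Strict test: a plain truthiness check would also hide "0".
            $report[$name] = ['current' => null, 'minimum' => $minimum, 'status' => 'unset'];
            continue;
        }
        $current = (int) $raw;
        $report[$name] = [
            'current' => $current,
            'minimum' => $minimum,
            'status'  => ($current < $minimum) ? 'bad' : 'good',
        ];
    }
    return $report;
}

function suhosin_needs_warning(array $report)
{
    foreach ($report as $row) {
        if ($row['status'] === 'bad') {
            return true;
        }
    }
    return false;
}

// Constructed sample values; post.max_vars is left out to show the 'unset' case.
$sample = [
    'suhosin.get.max_value_length' => '512',
    'suhosin.request.max_vars'     => '2048',
];
$fake = function ($name) use ($sample) {
    return isset($sample[$name]) ? $sample[$name] : false;
};

$report = suhosin_report($fake);
foreach ($report as $name => $row) {
    printf("%-32s current=%-6s minimum=%-5d %s\n", $name,
        $row['current'] === null ? 'unset' : $row['current'], $row['minimum'], $row['status']);
}
echo suhosin_needs_warning($report) ? "warning shown\n" : "no warning\n";
```

On a live server, gate the call on extension_loaded("suhosin") and pass 'ini_get' as the lookup.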
Re: 7.5.9 suhosin check. [Re: Ruben Rocha] #320777
02/02/2015 7:02 AM
Gizmo
Yeah, as noted in my OP, the check has an error, the equal can be removed in the check.

The check in a future build is enhanced and has a statistics page; you can test it from here. Once testing is done this archive will be removed.

Note that only users who have Suhosin installed need to test the checker; I've tested it all I can with dummy data.

Screen shots would be most appreciated of your display of the Suhosin Information page.


Re: 7.5.9 suhosin check. [Re: Gizmo] #320818
02/18/2015 4:28 AM
Ruben Rocha
Well, my suhosin value length is only 512.
I tried the fix you posted above in the 2nd post even though it is only 512 and the message does not appear at all now.

It all looks correct unless there is some phantom cr/lf in the code.

Anyway I will try your new enhanced version next.

Re: 7.5.9 suhosin check. [Re: Gizmo] #320820
02/18/2015 7:57 AM
Gizmo
Hey Ruben; could I convince you to give me FTP access to your site to test this? I can only get so far without having suhosin installed on my server...


Re: 7.5.9 suhosin check. [Re: Gizmo] #320823
02/18/2015 10:11 AM
Ruben Rocha
Otay!
I did muddy up the login.php file a bit.
I have not tried your new enhanced version.
Check your PM.

Re: 7.5.9 suhosin check. [Re: Gizmo] #320824
02/18/2015 11:34 AM
Gizmo
Ok, will try to get a look at it tonight, if not (just found out I have to do a presentation for Trey's school) definitely tomorrow.


Re: 7.5.9 suhosin check. [Re: Gizmo] #320825
02/18/2015 12:04 PM
Gizmo
Ok, well, one, I love your password... Two, I've installed the full Suhosin script and found a few buggies.

As for your issue, I see you're well under the recommended values; go ahead and login to your forum and click the "Suhosin" link that now displays and let me know if anything is awry.

Last edited by Gizmo; 02/18/2015 12:04 PM.

Re: 7.5.9 suhosin check. [Re: Gizmo] #320826
02/18/2015 12:23 PM
Gizmo
BTW, with the new version, it'll ALWAYS show the warning IF:
suhosin.get.max_value_length < 1024
suhosin.request.max_vars < 2048
suhosin.post.max_vars < 2048

The higher number is good...


Re: 7.5.9 suhosin check. [Re: Gizmo] #320829
02/19/2015 4:39 AM
Ruben Rocha
My wife hates that password; I have several similar to that.

Looks okay.
But I have some questions/concerns.
First the message is the only indication on how to find the statistics.
And the hyperlink is only obvious when you hover over it.
Might be hard for people to find it.

Second on the statistics page I think it is a little busy with three columns.
Why not just display current and recommended?

Also maybe the colors should be different.
So they reflect a change is needed.
For example
Suhosin Status is green for default then red for current then green again for recommended. HUH???. I mean if suhosin is not installed we should not even be here. But why is it green on the default column and most of the others are red on the default column.

Now since my values are set below all the thresholds.
I don't know what is displayed when say some are met.
But I think the colors should indicate a needs attention like green for good and red for fail.

Anyway for a plus.
I think you went well above and beyond with the documentation and help guides for reference. A very nice touch for people that don't know what each value is for.

Re: 7.5.9 suhosin check. [Re: Ruben Rocha] #320831
02/19/2015 8:26 AM
Gizmo
Originally Posted by Ruben Rocha
First the message is the only indication on how to find the statistics.
And the hyperlink is only obvious when you hover over it.
Might be hard for people to find it.
Well, if it's not ON you don't need to get to the statistics page... In fact, if it's not on the statistics page is pretty blank (see below). The link will stand out a lot more once the new CP is done.

Originally Posted by Ruben Rocha
Second on the statistics page I think it is a little busy with three columns.
Why not just display current and recommended?
IMHO, a recommendation and default column are required as this page is meant so that one can alert their host and show the extreme differences in what the default vs recommended value are.

Originally Posted by Ruben Rocha
Also maybe the colors should be different.
So they reflect a change is needed.
For example
Suhosin Status is green for default then red for current then green again for recommended. HUH???. I mean if suhosin is not installed we should not even be here. But why is it green on the default column and most of the others are red on the default column.
Green is commonly good, red is commonly bad, blue is commonly neutral; I really fail to see how it's hard to understand... The colors vary based on what values are where (in fact, so does some of the page text as well). They also will be a lot easier to identify with the new Control Panel changes.

Originally Posted by Ruben Rocha
Now since my values are set below all the thresholds.
I don't know what is displayed when say some are met.
But I think the colors should indicate a needs attention like green for good and red for fail.
As they do; there are three photos attached, one from your site Suhosin on with default vars (7.5.9), one with the Suhosin override on which shows a-ok as far as settings go (pay no attention to the ui of the two images, lol), and one showing what it'd look like disabled.


Attached Files: SuHosin On.png, SuHosin Override.png, SuHosin Disabled.png

Re: 7.5.9 suhosin check. [Re: Gizmo] #320832
02/19/2015 9:18 AM
Ruben Rocha
Whatever, I still tend to disagree.
But anyway your second attachment which is supposed to be good values.
Shows suhosin disabled and all the values as unset?????
What the hell does unset mean?

Re: 7.5.9 suhosin check. [Re: Gizmo] #320833
02/19/2015 9:22 AM
Gizmo
... Values are set, "unset" means they haven't set a value... The key here is that these are settings you report to your host.

Like I said, my server doesn't have Suhosin installed, so test code just tries to load the variables, and as they aren't configured they aren't set; hence "unset". Generally you'd only have one or two of these that'd be unset, the only reason ALL of mine are unset is because the test code is enabled and it's populating the field with the current settings of the server.

I still fail to see what's wrong with "Good" (green), "Bad" (red), "Ignore" (blue).


Re: 7.5.9 suhosin check. [Re: Gizmo] #320834
02/19/2015 9:28 AM
Ruben Rocha
Okay, maybe I will play with the settings to see what happens when they pass.
I just think it is too busy and should just have current and recommended only.
Then maybe the colors will be okay for me.
You already have urls for each setting that goes to suhosin.org which the details show the defaults.

Chill out just my 2 cents.

Re: 7.5.9 suhosin check. [Re: Gizmo] #320835
02/19/2015 9:32 AM
Gizmo
I'm really against removing the defaults column, if there are issues with a setting it provides more info to your host (who users will generally be reporting to) about the very small default values; these checks are generally for servers who just installed the module for security and didn't really configure it.

I pretty much designed this system for the admin to screen shot it and provide it to the host, as your host generally wouldn't have admin access to the UBB control panel. Thus, the links to the descriptions of everything wouldn't be passed along with a screenshot. The links are there so the admin can go and see what each variable is for, basically to enhance your argument that the setting should be increased.

The "unset"/blue wording will be very rare to see, outside of test code as when the module is installed via apt/yum or even compiling it manually, it should insert default values for these items.

And no need to "chill out", I'm perfectly fine; I'm just trying to provide details as a knowledgeable person who worked helpdesk and server administration for a webhost for 9 years; what is displayed there is the data I'd want to see vs being bombarded with links to various config options on a site vs just having the data displayed for me would make me want to go and look into the issue...


Re: UBB.Threads Suhosin Check [Re: Gizmo] #320836
02/19/2015 9:47 AM
Ruben Rocha
Okay I just modded one value so it would pass and it looks okay.
current is green and recommended is green.

My opinion would be to make the default column a static normal color, not green, red or blue.
If you want to keep it there.

Making the color red on the default column just makes you think something is wrong with it. When you compare it to the other columns.

Still a great mod, Even if you ignore me. wink

FYI,
I have 4 sites with the same host same plan and I never have had issues with the config file.
But we need to start somewhere to nail it down for the users.

Re: UBB.Threads Suhosin Check [Re: Gizmo] #320840
02/20/2015 3:40 AM
Ruben Rocha
Okay I looked at this a little more.
Then I suggest a legend for the colors.
And reading your statement
Quote
I'm just trying to provide details as a knowledgeable person who worked helpdesk and server administration for a webhost for 9 years; what is displayed there is the data I'd want to see vs being bombarded with links to various config options on a site vs just having the data displayed for me

For the average Joe dealing with a help desk.
You could get fancy and add an option to email the info to the host. Such as an email button or a text only screen that they can copy and place in an email to the support desk
Due to they probably don't know what most of it means anyway.

