Monday, December 4, 2006
It is actually not the first time that Suhosin caught a possible remote code execution vulnerability, but this time it is publicly documented. Yesterday a friend asked me why the uploadprogressmeter extension does not work together with Suhosin. After a while he realised that instead of failing silently he had ALERTs like this in his error log (when you look into the blog of the author you will see that others had similar problems).
ALERT - canary mismatch on efree() - heap overflow detected
When you see such a message it usually means that some component has done something terribly wrong: Suhosin places guard values (canaries) next to every allocated block, and the ALERT is raised when a block is freed and its canary has been overwritten. Without Suhosin you would sometimes see nothing at all, or mysterious crashes that only happen under some circumstances because of the memory layout. But in many cases such problems can be used for (remote) code execution exploits, especially in PHP 5.2, because the new Zend Memory Manager makes exploiting heap overflows easier and more stable than the old one. (In previous PHP versions there was a chance that overflows were detected by the system malloc() implementation; with the new memory manager this is no longer possible.)
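To make the ALERT above concrete, here is an added example (written for this page, not Suhosin's or the uploadprogress extension's code) of how a canary-guarded allocator spots an overflow at free time: each block gets a guard value before and after the caller's bytes, and the free routine checks both before releasing the memory. The `CANARY` constant, the block layout and the `process_field` bug that copies a request field into an 8-byte buffer are all assumptions made for illustration; the real extension's bug is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Guard value: a constructed constant for this illustration. Suhosin
 * randomises its canaries per process; a fixed value is used here only so
 * the example is deterministic.
 */
static const uint32_t CANARY = 0xDEADC0DEu;

/* Layout of one guarded block (assumed for the example):
 *   [size_t size][uint32 head canary][size user bytes][uint32 tail canary]
 * The head canary catches underflows, the tail canary catches overflows. */
#define HDR (sizeof(size_t) + sizeof(uint32_t))

/* Allocate a user region of `size` bytes surrounded by canaries. */
void *canary_alloc(size_t size)
{
    unsigned char *raw = malloc(HDR + size + sizeof(uint32_t));
    if (raw == NULL)
        return NULL;
    memcpy(raw, &size, sizeof size);
    memcpy(raw + sizeof size, &CANARY, sizeof CANARY);
    memcpy(raw + HDR + size, &CANARY, sizeof CANARY);
    return raw + HDR;
}

/* Verify both canaries before releasing the block. Returns 1 if the block
 * was intact and freed, 0 if a canary was damaged. On damage the block is
 * left alone: like Suhosin bailing out, we do not trust corrupted memory. */
int canary_free(void *p)
{
    if (p == NULL)
        return 1;
    unsigned char *raw = (unsigned char *)p - HDR;
    size_t size;
    uint32_t head, tail;

    memcpy(&size, raw, sizeof size);
    memcpy(&head, raw + sizeof size, sizeof head);
    if (head != CANARY) {           /* underflow: bytes before the block */
        fputs("ALERT - canary mismatch on efree() - heap overflow detected\n", stderr);
        return 0;
    }
    memcpy(&tail, raw + HDR + size, sizeof tail);
    if (tail != CANARY) {           /* overflow: bytes past the block */
        fputs("ALERT - canary mismatch on efree() - heap overflow detected\n", stderr);
        return 0;
    }
    free(raw);
    return 1;
}

/*
 * Stand-in for a component that copies a request-controlled field into a
 * fixed 8-byte heap buffer without a length check. This is a hypothetical
 * bug written for the example; it is not the uploadprogress code.
 * Returns 0 when the buffer survived, 1 when the canary check fired,
 * -1 on allocation failure.
 */
int process_field(const char *field)
{
    char *buf = canary_alloc(8);
    if (buf == NULL)
        return -1;
    strcpy(buf, field);             /* overflows once strlen(field) >= 8 */
    return canary_free(buf) ? 0 : 1;
}

int main(void)
{
    /* Constructed inputs: a well-formed field and an over-long one. */
    printf("short field: %s\n", process_field("hello") ? "ALERT" : "ok");
    printf("long field:  %s\n", process_field("AAAAAAAAAA") ? "ALERT" : "ok");
    return 0;
}
```

The over-long field overwrites the first bytes of the tail canary and is caught when the buffer is released, which is exactly the point at which Suhosin's efree() check fires; without the guard the same copy would silently corrupt whatever the allocator placed after the block.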
Back to the fileupload extension. I downloaded it and looked into the code (which is luckily short) and indeed it contained a possible remote code execution vulnerability that can be abused by malicious POST fileupload requests.
Suhosin not only stopped this possible code execution exploit but also helped ordinary users to detect it in the first place. Once again a dangerous and previously unknown vulnerability was killed once and for all by the simple use of the Suhosin-Patch.