Suhosin 0.9.21 - XSS Protection

Friday, November 30. 2007

It has been a very long time since the last Suhosin extension has been released, but today this has changed with the release of Suhosin 0.9.21. Among the changes are two new features that will protect applications that put too much trust into the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.

suhosin.server.strip

When activated (which is the default) the SERVER variables PHP_SELF, PATH_INFO and PATH_TRANSLATED will be scanned for the characters < > ' " and `. All occurences will be replaced by ? characters. This stops a lot of XSS attacks, because many PHP applications consider these variables not tainted.

suhosin.server.encode

When activated (which is the default) the SERVER variables REQUEST_URI and QUERY_STRING will be scanned for the characters < > ' " and `. All these characters are usually encoded by the browser before they are sent and therefore many applications consider REQUEST_URI and QUERY_STRING safe. However some browsers like Internet Explorer will not encode these characters which results in lots of XSS vulnerabilities. Suhosin will protect applications that wrongly put too much trust into these variables by URL-encoding them within the variables.

If you have more ideas for simple features that can protect many scripts at once don't hesitate to contact us.

Posted by Stefan Esser in Security, PHP at 16:51

Comments (7)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Trophaeum wrote (Link) ()

i want to have your babies... i was just complaining about the xss issues in PHP_SELF the other day and now this, thank you!

posted on Friday, November 30. 2007

#2 evilghost ()

Stefan, as always, thanks for your efforts.

posted on Friday, November 30. 2007

#3 Gareth Heyes wrote (Link) ()

Great work Stefan!

I always recommend your patch

posted on Friday, November 30. 2007

#4 evilghost ()

I run Ubuntu 6.06 LTS and today I was blessed with a PHP update ( see USN here, http://www.ubuntu.com/usn/usn-549-1 ). As a result compiling Suhosin 0.9.21 and even a clean re-compile of 0.9.20 result in Apache failing to start. Are others experiencing these issues? I had to roll back to suhosin.so from 0.9.20 built prior to the PHP 5.1.2-1ubuntu3.10 update.

Procedures for compiling are comment out mbstring.h in rfc1867.c, phpize, ./configure, make, make install.

Apache processes start but simply bomb. Nothing in error log and no segfaults. strace on Apache doesn't show much either.

posted on Friday, November 30. 2007

#4.1 Alex ()

Same for me with Debian Etch: Apache fails to start with nothing in error log. No problems with 0.9.20 though.

Anyway. I am sure there is a fix - or I am doing something wrong. THX a lot Stefan!!!

posted on Saturday, December 1. 2007

#5 sf wrote (Link) ()

SQL injection? I only use PDO

posted on Saturday, December 1. 2007

#6 THANKS wrote (Link) ()

The PHP community loves you as always. Keep upthe great work, go on seriously, you help a lot of people. Thanks to continue your work since you left the PHP securitiy "Working-Group" -at- php dot net. (Cheq ur c4ptkca)

posted on Monday, December 3. 2007

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:
Standard emoticons like :-) and ;-) are converted to images.

Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Calendar