Rename default snuffleupagus rules

ff14c751 · ale · b5fde6c6 · ff14c751
Commit ff14c751 authored 2 years ago by ale
--- a/conf/php/snuffleupagus/snuffleupagus.rules
+++ b/conf/php/snuffleupagus/snuffleupagus.rules
@@ -6,35 +6,38 @@
 # Harden the PRNG
 sp.harden_random.enable();
-# Disabled XXE
+# Enable XXE protection
-sp.disable_xxe.enable();
+@condition extension_loaded("xml");
+sp.xxe_protection.enable();
+@end_condition;
 # Global configuration variables
 #sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
 # Globally activate strict mode
-# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
+# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
 # sp.global_strict.enable();
 # Prevent unserialize-related exploits
-sp.unserialize_hmac.enable();
+# sp.unserialize_hmac.enable();
 # Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
 sp.readonly_exec.enable();
-# Php has a lot of wrappers, most of them aren't usually useful, you should 
+# PHP has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
-# sp.wrappers_whitelist.list("file,php,phar");
+sp.wrappers_whitelist.list("file,php,phar");
 # Prevent sloppy comparisons.
 # sp.sloppy_comparison.enable();
-# use SameSite on session cookie
+# Use SameSite on session cookie
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
-# Harden the `chmod` function
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
-sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_function.function("chmod").param("mode").value("438").drop();
+sp.disable_function.function("chmod").param("mode").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
@@ -42,6 +45,13 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
 # Since it's now burned, me might as well mitigate it publicly
 sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
+# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
+sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").pos("0").value_r("^_").drop()
+sp.disable_function.function("extract").pos("1").value("0").drop()
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
 # Since we have no way of matching on two parameters at the same time, we're
@@ -49,7 +59,7 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 # Moreover, there are non-public bypasses that are also using this vector ;)
 sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
-##Prevent various `include`-related vulnerabilities
+# Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
@@ -61,21 +71,21 @@ sp.disable_function.function("include").drop()
 # Prevent `system`-related injections
 sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
-sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # Prevent runtime modification of interesting things
-sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
-sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
-sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop();
-sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
-sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
+sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
-# Detect some backdoors via environnement recon
+# Detect some backdoors via environment recon
-sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
-sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
-sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop();
+sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
 sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
 sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
 sp.disable_function.function("function_exists").param("function_name").value("system").drop();
@@ -89,34 +99,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro
 sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("var").value("passthru").drop();
-# Commenting sqli related stuff to improve performance.
+# Ghetto error-based sqli detection
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-# Ghetto sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
@@ -131,3 +114,8 @@ sp.disable_function.function("curl_setopt").param("option").value("81").drop().a
 # File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# Logging lockdown
+sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()