NBS System’s security team is proud to present Snuffleupagus, its latest open source project for the protection of PHP 7 and beyond. Conceived as a successor to Suhosin, Snuffleupagus was created to harden PHP while remaining easy to use.

PHP & security: a tough context

Effectively securing PHP servers is not easy. Until now, Suhosin was the only solution for hardening PHP applications, and thus for securing the servers as a whole. Snuffleupagus addresses the limitations we ran into with Suhosin in highly industrialized environments such as CerberHost.

There are indeed vulnerabilities that even a Web Application Firewall (WAF), easy as it is to deploy in production, has trouble addressing. A WAF sits too far upstream of the application to apply fine-grained corrective action.

Some PHP functions are dangerous, such as popen, which WordPress uses to send emails. It cannot be blocked at the WAF level: the WAF only sees web requests and has no way of knowing where in the code the function is called.

Control of dangerous functions therefore has to happen at the PHP level itself. For the system administrators who handle server deployments daily, this translates into heavy processes and longer integration and acceptance-testing cycles.

Snuffleupagus therefore aims to solve this problem while giving a better-fitting answer to day-to-day hosting and managed-services issues. Beyond making the teams’ work easier, the tool significantly raises the cost and complexity of potential attacks.

Snuffleupagus, the vulnerability serial killer

Building on other researchers’ work, Snuffleupagus hardens PHP by blocking, by default, malicious behaviour such as code execution through file upload or deserialization. It is also useful after a compromise, by making backdoors harder to use.

Snuffleupagus also offers a powerful virtual-patching system. It lets an administrator quickly protect a website and its server against an identified vulnerability, without modifying the underlying code or waiting for the vendor’s patch. As a hosting provider, this lets us protect several thousand websites with a single configuration line!
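As an added illustration (not configuration taken from this page or shipped by the project), here is a Snuffleupagus rules fragment expressing the popen case described above: the function stays available to WordPress’s bundled mailer and is dropped everywhere else, which is exactly the distinction a WAF cannot make. The directive names (sp.disable_function with .function(), .filename(), .allow() and .drop()) are Snuffleupagus’s own rule syntax; the document root and the mailer file path are assumptions for a typical WordPress install and must be adapted to the real layout.

```ini
; Added example, not the project's own configuration.
; Assumed layout: WordPress installed under /var/www/html, so the bundled
; mailer that calls popen() lives at wp-includes/class-phpmailer.php.

; 1. Exemption first: rules are matched in order, so the allow rule for the
;    legitimate caller has to come before the generic drop rule.
sp.disable_function.function("popen").filename("/var/www/html/wp-includes/class-phpmailer.php").allow();

; 2. Every other call to popen is dropped: a webshell uploaded into
;    wp-content/uploads/ or a plugin abused for command execution never gets
;    to spawn a process, while outgoing mail keeps working.
sp.disable_function.function("popen").drop();

; 3. The usual command-execution functions that WordPress does not need at all.
sp.disable_function.function("system").drop();
sp.disable_function.function("shell_exec").drop();
sp.disable_function.function("exec").drop();
sp.disable_function.function("passthru").drop();
sp.disable_function.function("proc_open").drop();
```

Two practical caveats. First, an exemption keyed on a file path alone is only as strong as the write protection on that file: if an attacker can overwrite the mailer, they inherit the exemption, so the mailer’s directory must not be writable by the PHP worker (Snuffleupagus can additionally pin the allowed file’s content hash). Second, roll the rules out on a staging copy first and watch the logs for legitimate callers you had not anticipated, for instance a plugin that shells out for image processing, before enforcing them on production.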


Do you want to know more?

Snuffleupagus’s creators will present their project at two IT-security events:

  • Tuesday, October 17 at 9:30 AM at Hack.lu, in Luxembourg.
  • Thursday, November 16 at 3:40 PM at Black Alps, in Switzerland.

You can also visit the Snuffleupagus website or its GitHub page.

Read a user’s feedback in this article by Fr33tux on Toolslib.

Snuffleupagus is currently being tested on some of our CerberHost environments. Do you want to be part of the adventure?

Lucie Saunois
Passionate about IT, and security in particular, since she joined the OT Group in 2015, Lucie specialises in making technical subjects accessible so that everyone can grasp these sometimes complex topics.