Atomic Secure Linux
 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sat Oct 15, 2011 2:51 pm
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 778
Location: Sweden
nobody wrote:
Faris, can you help out on that by sending us back what you did?

So after you install suhosin with the defaults enabled, you will be OK?
And how do you, for example, allow curl_exec on specific vhosts after enabling suhosin?

If you could help out it would be awesome!


+1

I really need to get wordpress sites running without compromising the whole server...


 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sat Oct 15, 2011 9:37 pm
Forum Regular

Joined: Mon Mar 10, 2008 9:12 pm
Posts: 508
Location: Southampton, UK
If it is easy enough, I agree +1

_________________
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland


 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sun Oct 16, 2011 8:21 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
[WARNING - I've just noticed that the ends of my exclude function lines have been chopped off in this post (ending in $) and are therefore incomplete]

OK, start by adding this to the end of php.ini, after the [Zend] section if you have it there. It isn't strictly defaults - I think I've tightened some things up, and maybe made one or two other things a bit less strict:

Code:
[suhosin]
extension = suhosin.so
; -----------------------------------------------------------------------------
; Logging Options

; Defines what classes of security alerts are logged to the syslog daemon.
; Logging of errors of the class S_MEMORY are always logged to syslog, no
; matter what this configuration says, because a corrupted heap could mean that
; the other logging options will malfunction during the logging process.
;suhosin.log.syslog =

; Defines the syslog facility that is used when ALERTs are logged to syslog.
;suhosin.log.syslog.facility =

; Defines the syslog priority that is used when ALERTs are logged to syslog.
;suhosin.log.syslog.priority =

; Defines what classes of security alerts are logged through the SAPI error log.
;suhosin.log.sapi =

; Defines what classes of security alerts are logged through the external
; logging.
;suhosin.log.script =

; Defines what classes of security alerts are logged through the defined PHP
; script.
;suhosin.log.phpscript = 0

; Defines the full path to a external logging script. The script is called with
; 2 parameters. The first one is the alert class in string notation and the
; second parameter is the log message. This can be used for example to mail
; failing MySQL queries to your email address, because on a production system
; these things should never happen.
;suhosin.log.script.name =

; Defines the full path to a PHP logging script. The script is called with 2
; variables registered in the current scope: SUHOSIN_ERRORCLASS and
; SUHOSIN_ERROR. The first one is the alert class and the second variable is
; the log message. This can be used for example to mail attempted remote URL
; include attacks to your email address.
;suhosin.log.phpscript.name =

; Undocumented
;suhosin.log.phpscript.is_safe = Off

; When the Hardening-Patch logs an error the log message also contains the IP
; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
; environment variable. With this switch it is possible to change this behavior
; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
; when your PHP server runs behind a reverse proxy.
;suhosin.log.use-x-forwarded-for = Off

; -----------------------------------------------------------------------------
; Executor Options

; Defines the maximum stack depth allowed by the executor before it stops the
; script. Without this function an endless recursion in a PHP script could
; crash the PHP executor or trigger the configured memory_limit. A value of
; "0" disables this feature.
;suhosin.executor.max_depth = 0

; Defines how many "../" an include filename needs to contain to be considered
; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
; value of "3" will allow it. Most PHP applications should work flawlessly with
; values "4" or "5". A value of "0" disables this feature.
; FARIS default was 0
suhosin.executor.include.max_traversal = 4

; Comma separated whitelist of URL schemes that are allowed to be included from
; include or require statements. Additionally to URL schemes it is possible to
; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
; specified, then the blacklist is evaluated.
;suhosin.executor.include.whitelist =

; Comma separated blacklist of URL schemes that are not allowed to be included
; from include or require statements. Additionally to URL schemes it is
; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
; blacklist and no whitelist is specified all URL schemes are forbidden.
;suhosin.executor.include.blacklist =

; Comma separated whitelist of functions that are allowed to be called. If the
; whitelist is empty the blacklist is evaluated, otherwise calling a function
; not in the whitelist will terminate the script and get logged.
;suhosin.executor.func.whitelist =

; Comma separated blacklist of functions that are not allowed to be called. If
; no whitelist is given, calling a function within the blacklist will terminate
; the script and get logged.
;suhosin.executor.func.blacklist =

;EVERYTHING
suhosin.executor.func.blacklist = dl,exec,leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,pos$
;Allow more
;suhosin.executor.func.blacklist = pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,proc_close,$
;
;Full list other than dl and exec which are needed by 4psa. popen and exec needed by webmail unless modified
;suhosin.executor.func.blacklist = leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setu$


; Comma separated whitelist of functions that are allowed to be called from
; within eval(). If the whitelist is empty the blacklist is evaluated,
; otherwise calling a function not in the whitelist will terminate the script
; and get logged.
;suhosin.executor.eval.whitelist =

; Comma separated blacklist of functions that are not allowed to be called from
; within eval(). If no whitelist is given, calling a function within the
; blacklist will terminate the script and get logged.
;suhosin.executor.eval.blacklist =
; eval() is a very dangerous statement and therefore you might want to disable
; it completely. Deactivating it will however break lots of scripts. Because
; every violation is logged, this allows finding all places where eval() is
; used.
;suhosin.executor.disable_eval = Off

; The /e modifier inside preg_replace() allows code execution. Often it is the
; cause for remote code execution exploits. It is wise to deactivate this
; feature and test where in the application it is used. The developer using the
; /e modifier should be made aware that he should use preg_replace_callback()
; instead.
;suhosin.executor.disable_emodifier = Off

; This flag reactivates symlink() when open_basedir is used, which is disabled
; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
; is actually a security risk.
;suhosin.executor.allow_symlink = Off

; -----------------------------------------------------------------------------
; Misc Options

; If you fear that Suhosin breaks your application, you can activate Suhosin's
; simulation mode with this flag. When Suhosin runs in simulation mode,
; violations are logged as usual, but nothing is blocked or removed from the
; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
;suhosin.simulation = Off
;suhosin.simulation = On

; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
; will overwrite the information Suhosin stores in this slot. When this flag is
; set Suhosin will request 2 Slots and use the second one. This allows working
; correctly with these buggy APC versions.
;suhosin.apc_bug_workaround = Off

; When a SQL Query fails scripts often spit out a bunch of useful information
; for possible attackers. When this configuration directive is turned on, the
; script will silently terminate, after the problem has been logged. (This is
; not yet supported)
;suhosin.sql.bailout_on_error = Off

; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a prefix that is automatically
; prepended to the database username, whenever a database connection is made.
; (Unless the username starts with the prefix)
;suhosin.sql.user_prefix =

; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a postfix that is
; automatically appended to the database username, whenever a database
; connection is made. (Unless the username ends with the postfix)
;
; With this feature it is possible for shared hosters to disallow customers to
; connect with the usernames of other customers. This feature is experimental,
; because support for PDO and PostgreSQL are not yet implemented.
;suhosin.sql.user_postfix =

; This directive controls if multiple headers are allowed or not in a header()
; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
; multiple lines are still allowed).
;suhosin.multiheader = Off

; This directive controls if the mail() header protection is activated or not
; and to what degree it is activated. The appended table lists the possible
; activation levels.
suhosin.mail.protect = 1

; As long scripts are not running within safe_mode they are free to change the
; memory_limit to whatever value they want. Suhosin changes this fact and
; disallows setting the memory_limit to a value greater than the one the script
; started with, when this option is left at 0. A value greater than 0 means
; that Suhosin will disallow scripts setting the memory_limit to a value above
; this configured hard limit. This is for example useful if you want to run
; the script normally with a limit of 16M but image processing scripts may raise
; it to 20M.
;suhosin.memory_limit = 0

; -----------------------------------------------------------------------------
; Transparent Encryption Options

; Flag that decides if the transparent session encryption is activated or not.
;suhosin.session.encrypt = On

; Session data can be encrypted transparently. The encryption key used consists
; of this user defined string (which can be altered by a script via ini_set())
; and optionally the User-Agent, the Document-Root and 0-4 octets of the
; REMOTE_ADDR.
;suhosin.session.cryptkey =

; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little
; bit protection against session fixation/hijacking attacks)
;suhosin.session.cryptua = On

; Flag that decides if the transparent session encryption key depends on the
; Documentroot field.
;suhosin.session.cryptdocroot = On

; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes
; during a session. But this feature might be interesting for admin interfaces
; or intranets. When used wisely this is a transparent protection against
; session hijacking/fixation.
;suhosin.session.cryptraddr = 0

; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; session. The difference to suhosin.session.cryptaddr is, that the IP is not
; part of the encryption key, so that the same session can be used for
; different areas with different protection levels on the site.
;suhosin.session.checkraddr = 0

; Flag that decides if the transparent cookie encryption is activated or not.
;suhosin.cookie.encrypt = 0

; Cookies can be encrypted transparently. The encryption key used consists of
; this user defined string and optionally the User-Agent, the Document-Root and
; 0-4 octets of the REMOTE_ADDR.
;suhosin.cookie.cryptkey =

; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little
; bit protection against session fixation/hijacking attacks (if only session
; cookies are allowed))
;suhosin.cookie.cryptua = On

; Flag that decides if the transparent cookie encryption key depends on the
; Documentroot field.
;suhosin.cookie.cryptdocroot = On

; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes
; during a session. But this feature might be interesting for admin interfaces
; or intranets. When used wisely this is a transparent protection against
; session hijacking/fixation.
;suhosin.cookie.cryptraddr = 0

; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
; part of the encryption key, so that the same cookie can be used for different
; areas with different protection levels on the site.
;suhosin.cookie.checkraddr = 0


; In case not all cookies are supposed to get encrypted this is a comma
; separated list of cookie names that should get encrypted. All other cookies
; will not get touched.
;suhosin.cookie.cryptlist =

; In case some cookies should not be crypted this is a comma separated list of
; cookies that do not get encrypted. All other cookies will be encrypted.
;suhosin.cookie.plainlist =

; -----------------------------------------------------------------------------
; Filtering Options

; Defines the reaction of Suhosin on a filter violation.
;suhosin.filter.action =

; Defines the maximum depth an array variable may have, when registered through
; the COOKIE.
;suhosin.cookie.max_array_depth = 100

; Defines the maximum length of array indices for variables registered through
; the COOKIE.
;suhosin.cookie.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the COOKIE. For array variables this is the name in front of the indices.
;suhosin.cookie.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; the COOKIE. For array variables this includes all indices.
;suhosin.cookie.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the
; COOKIE.
;suhosin.cookie.max_value_length = 10000

; Defines the maximum number of variables that may be registered through the
; COOKIE. def=100
suhosin.cookie.max_vars = 200

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.cookie.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; the URL
;suhosin.get.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; the URL
;suhosin.get.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the URL. For array variables this is the name in front of the indices.
;suhosin.get.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; the URL. For array variables this includes all indices.
;suhosin.get.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the URL.
;suhosin.get.max_value_length = 512

; Defines the maximum number of variables that may be registered through the
; URL.
;suhosin.get.max_vars = 100

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.get.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; a POST request.
;suhosin.post.max_array_depth = 100

; Defines the maximum length of array indices for variables registered through
; a POST request.
;suhosin.post.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; a POST request. For array variables this is the name in front of the indices.
;suhosin.post.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; a POST request. For array variables this includes all indices.
;suhosin.post.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through a POST
; request.
;suhosin.post.max_value_length = 65000

; Defines the maximum number of variables that may be registered through a POST
; request.
;suhosin.post.max_vars = 200

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.post.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; GET , POST or COOKIE. This setting is also an upper limit for the separate
; GET, POST, COOKIE configuration directives.
;suhosin.request.max_array_depth = 100

; Defines the maximum length of array indices for variables registered through
; GET, POST or COOKIE. This setting is also an upper limit for the separate
; GET, POST, COOKIE configuration directives.
;suhosin.request.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the COOKIE, the URL or through a POST request. This is the complete name
; string, including all indices. This setting is also an upper limit for the
; separate GET, POST, COOKIE configuration directives.
;suhosin.request.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper
; limit for the variable origin specific configuration directives.
;suhosin.request.max_value_length = 65000

; Defines the maximum number of variables that may be registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper
; limit for the variable origin specific configuration directives.
;suhosin.request.max_vars = 200

; Defines the maximum name length (excluding possible array indices) of
; variables that may be registered through the COOKIE, the URL or through a
; POST request. This setting is also an upper limit for the variable origin
; specific configuration directives.
;suhosin.request.max_varname_length = 64

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.request.disallow_nul = 1

; Defines the maximum number of files that may be uploaded with one request.
;suhosin.upload.max_uploads = 25

; When set to On it is not possible to upload ELF executables.
suhosin.upload.disallow_elf = 1

; When set to On it is not possible to upload binary files.
;suhosin.upload.disallow_binary = 0

; When set to On binary content is removed from the uploaded files.
;suhosin.upload.remove_binary = 0

; This defines the full path to a verification script for uploaded files. The
; script gets the temporary filename supplied and has to decide if the upload
; is allowed. A possible application for this is to scan uploaded files for
; viruses. The called script has to write a 1 as first line to standard output
; to allow the upload. Any other value or no output at all will result in the
; file being deleted.
;suhosin.upload.verification_script =

; Specifies the maximum length of the session identifier that is allowed. When
; a longer session identifier is passed a new session identifier will be
; created. This feature is important to fight buffer overflows in 3rd party
; session handlers.
;suhosin.session.max_id_length = 128

; Undocumented: Controls if suhosin coredumps when the optional suhosin patch
; detects a buffer overflow, memory corruption or double free. This is only
; for debugging purposes and should not be activated.
;suhosin.coredump = Off

; Undocumented: Controls if the encryption keys specified by the configuration
; are shown in the phpinfo() output or if they are hidden from it
;suhosin.protectkey = 1

; Controls if suhosin loads in stealth mode when it is not the only
; zend_extension (Required for full compatibility with certain encoders
;  that consider open source untrusted. e.g. ionCube, Zend)
;suhosin.stealth = 1

; Controls if suhosin's ini directives are changeable per directory
; because the admin might want to allow some features to be controllable
; by .htaccess and some not. For example the logging capabilities can
; break safemode and open_basedir restrictions when .htaccess support is
; allowed and the admin forgot to fix their values in httpd.conf
; An empty value or a 0 will result in all directives not allowed in
; .htaccess. The string "legcprsum" will allow logging, execution, get,
; post, cookie, request, sql, upload, misc features in .htaccess
;suhosin.perdir = "0"


Now, in your domain's vhost.conf, you can make adjustments to the suhosin settings using php_admin_value, as follows:

Code:
<Directory /home/httpd/vhosts/domains.tld/httpdocs>
php_admin_value suhosin.executor.include.max_traversal "5"
php_admin_value suhosin.post.max_value_length "95000"
php_admin_value suhosin.post.max_vars "400"
php_admin_value suhosin.executor.func.blacklist "dl,leak,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source"
</Directory>


(someone is probably going to say using php_admin_value is the wrong way to do it and that this option becomes global or something. Wasn't there some change in PHP in this respect at some point? I can't remember!)

Anyway, as you can see in the last line, I'm redefining the blacklist to be the set of functions I want blacklisted on this domain, and therefore you'd exclude the things you want to enable.

The other changes that you'll see in my example were needed for this particular site.

Essentially you'll see any issues that suhosin blocks in your /var/log/messages and you can then decide if you need to make adjustments.

Note that suhosin has a "log only" mode (suhosin.simulation) which you might want to try running for a week, where it will log any issue but not block. Once you are satisfied everything is OK, disable log-only.

Note that there are two elements/types of suhosin. Either you can build a kernel patch (which I do not do) or you can just use the php plugin (which is what we are talking about here).

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Last edited by faris on Tue Jan 31, 2012 7:10 am, edited 2 times in total.

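The tuning loop described above (run in log-only mode, read /var/log/messages, then loosen the blacklist per vhost) worked through as an added example; this is not code from the thread, from Suhosin or from ASL. The Python below parses Suhosin ALERT lines from a few constructed sample log lines, groups function-blacklist hits per vhost, separates the other alert classes (include filename, variable limits) for manual review, and prints the php_admin_value line for each vhost as the global blacklist minus what that vhost's code actually tried to call. The exact log line shapes, the vhost path layout (/var/www/vhosts/<domain>/ or /home/httpd/vhosts/<domain>/), the IPs, PIDs and the starting blacklist are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape Suhosin writes to syslog; the IPs,
# paths and PIDs are made up. The last line is unrelated noise to be skipped.
SAMPLE_LOG = """\
Oct 17 10:07:46 plesk suhosin[19727]: ALERT - function within blacklist called: exec() (attacker '203.0.113.10', file '/var/www/vhosts/mail.example.tld/httpdocs/program/lib/sendmail.php', line 42)
Oct 17 10:07:51 plesk suhosin[19727]: ALERT-SIMULATION - function within blacklist called: popen() (attacker '203.0.113.10', file '/var/www/vhosts/mail.example.tld/httpdocs/program/lib/sendmail.php', line 57)
Oct 17 10:09:02 plesk suhosin[19733]: ALERT - Include filename ('http://198.51.100.7/x.txt') is an URL that is not allowed (attacker '198.51.100.7', file '/home/httpd/vhosts/blog.example.tld/httpdocs/wp-content/plugins/old/index.php', line 3)
Oct 17 10:09:30 plesk suhosin[19733]: ALERT - configured POST variable limit exceeded - dropped variable 'data[201]' (attacker '192.0.2.55', file '/home/httpd/vhosts/blog.example.tld/httpdocs/wp-admin/post.php', line 0)
Oct 17 10:10:00 plesk sshd[2201]: Accepted publickey for admin from 192.0.2.1 port 5000 ssh2
"""

# Starting blacklist: the one from the vhost.conf example in this thread plus
# exec, passthru and popen (constructed so the override below has something to drop).
GLOBAL_BLACKLIST = ("dl,exec,leak,passthru,popen,posix_kill,posix_mkfifo,posix_setpgid,"
                    "posix_setsid,posix_setuid,proc_close,proc_get_status,proc_nice,"
                    "proc_open,proc_terminate,show_source").split(",")

# Common tail every Suhosin alert carries (assumed shape, see sample above).
ALERT_RE = re.compile(
    r"suhosin\[\d+\]: (?P<mode>ALERT(?:-SIMULATION)?) - (?P<msg>.+?) "
    r"\(attacker '(?P<ip>[^']*)', file '(?P<file>[^']*)'(?:, line (?P<line>\d+))?\)\s*$"
)
FUNC_RE = re.compile(r"function within blacklist called: (\w+)\(")
VHOST_RE = re.compile(r"/vhosts/([^/]+)/")   # covers both Plesk layouts named in the thread


def parse_suhosin_alerts(log_text):
    """Return one dict per Suhosin alert line; lines from other daemons are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        vm = VHOST_RE.search(a["file"])
        fm = FUNC_RE.search(a["msg"])
        a["vhost"] = vm.group(1) if vm else None
        a["function"] = fm.group(1) if fm else None
        a["simulation"] = a["mode"] == "ALERT-SIMULATION"   # logged, but not blocked
        alerts.append(a)
    return alerts


def blocked_functions_by_vhost(alerts):
    """vhost -> sorted list of blacklisted functions its own code tried to call."""
    hits = defaultdict(set)
    for a in alerts:
        if a["function"] and a["vhost"]:
            hits[a["vhost"]].add(a["function"])
    return {v: sorted(fs) for v, fs in hits.items()}


def other_alerts(alerts):
    """Everything that is not a function-blacklist hit: include filenames, variable limits, ..."""
    return [a for a in alerts if not a["function"]]


def vhost_blacklist_override(global_blacklist, needed_functions):
    """vhost.conf line keeping the global list minus the functions this vhost needs."""
    needed = set(needed_functions)
    remaining = [f for f in global_blacklist if f not in needed]
    return 'php_admin_value suhosin.executor.func.blacklist "%s"' % ",".join(remaining)


if __name__ == "__main__":
    alerts = parse_suhosin_alerts(SAMPLE_LOG)
    for vhost, funcs in blocked_functions_by_vhost(alerts).items():
        print(vhost, "needs:", ", ".join(funcs))
        print("   ", vhost_blacklist_override(GLOBAL_BLACKLIST, funcs))
    for a in other_alerts(alerts):
        # these are not fixed by loosening the blacklist; read them one by one
        print("review:", a["vhost"], a["mode"], a["msg"])
```

Include-filename and variable-limit alerts are deliberately not turned into overrides: a remote URL include is exactly what the executor option is there to stop, and a dropped POST variable is fixed by raising suhosin.post.max_vars for that vhost, not by touching the function list.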
 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sun Oct 16, 2011 8:24 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
Also note that my "EVERYTHING" blacklist function list is not actually everything, I don't think.



 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sun Oct 16, 2011 10:58 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 778
Location: Sweden
Thanks a bunch! Will try it out ASAP!


 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sun Oct 16, 2011 3:46 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Instead of appending Suhosin configuration to /etc/php.ini I'd put it in something like /etc/php.d/suhosin.ini.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sun Oct 16, 2011 4:53 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
Great idea Breun!

Incidentally, just in case it trips anyone up, remember to change /home/httpd/vhosts to /var/www/vhosts in the vhost.conf if that's what your directory structure is.



 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Sun Oct 16, 2011 4:55 pm
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
Faris, you rule!

With that configuration of yours, have you tested against the usual CMS systems such as Joomla, WordPress, CS-Cart etc. and it worked fine without problems?

If you put this line, doesn't it override ASL?
Quote:
php_admin_value suhosin.executor.func.blacklist "dl,leak,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source"
</Directory>


breun wrote:
Instead of appending Suhosin configuration to /etc/php.ini I'd put it in something like /etc/php.d/suhosin.ini.

+1

_________________
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego


 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Mon Oct 17, 2011 6:19 am
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
Ok. I found a problem. Roundcube won't play along with suhosin.

First of all I found out it needs this option in order to authenticate.
suhosin.session.encrypt = Off

But afterwards I couldn't send mail.

I removed it until I figure out what happens. If I manage to figure out :P



 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Mon Oct 17, 2011 6:20 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
Quote:
If you put this line doesn't it override ASL ?


I should have made this clear. If you use suhosin's function blacklist, you should not (or even must not) disable functions via php.ini's normal method. Thus you would not configure ASL to blacklist PHP functions, as all it does is add the functions to the normal php.ini disabled functions list.

ASL will then warn you that you have dangerous functions enabled, even though you do not. I did ask for suhosin disable functions to be parsed by ASL in a feature wishlist I posted at some point in the distant past, but it has not been implemented as far as I'm aware.

I strongly recommend that you use the log-only option for a week to see what might be triggered, and adjust things as necessary after that. I've not had any problems at all with the settings I've posted with anything at all, other than the one site whose settings I posted. That was a Typo3 site, and a hell of a customised one at that.



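The interaction just described (ASL's option appends to php.ini's disable_functions, Suhosin keeps its own list, and only the Suhosin list can be changed per vhost) as an added example; this is not the thread's code, nor Suhosin's or ASL's. It assumes the PHP rule that disable_functions is PHP_INI_SYSTEM and can only be set in php.ini, so a php_admin_value override of suhosin.executor.func.blacklist can loosen Suhosin's list but never re-enable a function that disable_functions already removed. The php.ini and vhost.conf fragments are constructed.

```python
import re

# Constructed php.ini and vhost.conf fragments (not the thread's own files).
PHP_INI = """\
; what a "disable dangerous functions" option ends up adding to php.ini (constructed list)
disable_functions = system,shell_exec,proc_open

[suhosin]
extension = suhosin.so
suhosin.executor.func.blacklist = dl,exec,leak,passthru,popen,proc_open,show_source
"""

VHOST_CONF = """\
<Directory /var/www/vhosts/mail.example.tld/httpdocs>
php_admin_value suhosin.executor.func.blacklist "dl,leak,show_source"
</Directory>
"""

DIRECTORY_RE = re.compile(r"<Directory\s+(\S+)>(.*?)</Directory>", re.S)
ADMIN_VALUE_RE = re.compile(r'php_admin_value\s+(\S+)\s+"([^"]*)"')
VHOST_RE = re.compile(r"/vhosts/([^/]+)/")

SUHOSIN_KEY = "suhosin.executor.func.blacklist"


def ini_value(ini_text, key):
    """First 'key = value' in php.ini-style text, skipping comments and [sections]."""
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":
            continue
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip().strip('"')
    return ""


def split_list(value):
    return [f.strip() for f in value.split(",") if f.strip()]


def parse_vhost_overrides(conf_text):
    """vhost name -> {directive: value} for every php_admin_value inside a <Directory>."""
    overrides = {}
    for path, body in DIRECTORY_RE.findall(conf_text):
        m = VHOST_RE.search(path)
        name = m.group(1) if m else path
        overrides.setdefault(name, {}).update(dict(ADMIN_VALUE_RE.findall(body)))
    return overrides


def effective_disabled(php_ini, vhost_conf, vhost):
    """Functions that cannot be called on this vhost, both mechanisms combined."""
    always_off = set(split_list(ini_value(php_ini, "disable_functions")))
    blacklist = split_list(ini_value(php_ini, SUHOSIN_KEY))
    override = parse_vhost_overrides(vhost_conf).get(vhost, {}).get(SUHOSIN_KEY)
    if override is not None:
        blacklist = split_list(override)   # the per-vhost list replaces the global one
    return sorted(always_off | set(blacklist))


def override_has_no_effect_on(php_ini, vhost_conf, vhost):
    """Functions the vhost override dropped from the Suhosin list that stay disabled anyway."""
    always_off = set(split_list(ini_value(php_ini, "disable_functions")))
    global_bl = set(split_list(ini_value(php_ini, SUHOSIN_KEY)))
    override = parse_vhost_overrides(vhost_conf).get(vhost, {}).get(SUHOSIN_KEY)
    if override is None:
        return []
    return sorted((global_bl - set(split_list(override))) & always_off)


if __name__ == "__main__":
    for v in ("mail.example.tld", "other.example.tld"):
        print(v, "disabled:", ", ".join(effective_disabled(PHP_INI, VHOST_CONF, v)))
        stuck = override_has_no_effect_on(PHP_INI, VHOST_CONF, v)
        if stuck:
            print("   still off despite the override (disable_functions):", ", ".join(stuck))
```

Running the check on a vhost you have just loosened tells you immediately whether an application is still blocked by php.ini rather than by Suhosin, which is the situation the post above warns about.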
 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Mon Oct 17, 2011 6:23 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
Check /var/log/messages for warnings from suhosin. If you don't see any then it isn't suhosin that's causing the email problem.

Most likely roundcube is having similar problems to horde, in that it needs some of those php functions to be enabled in order to send email unless you tell it to use the server's smtp instead of its own. Just a guess, of course! Check the mail log and the apache log too. horde errors appear in the apache log usually, so you might see the problem in there rather than in /var/log/messages.



 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Mon Oct 17, 2011 7:22 am
Forum Regular

Joined: Sun Mar 29, 2009 6:52 pm
Posts: 350
faris wrote:
Check /var/log/messages for warnings from suhosin. If you don't see any then it isn't suhosin that's causing the email problem.

Most likely roundcube is having similar problems to horde, in that it needs some of those php functions to be enabled in order to send email unless you tell it to use the server's smtp instead of its own. Just a guess, of course! Check the mail log and the apache log too. horde errors appear in the apache log usually, so you might see the problem in there rather than in /var/log/messages.


Nope. Before suhosin and after I removed suhosin, roundcube works like a charm!

I found the error in /var/log/messages but I cannot understand it yet.

Oct 17 10:07:46 plesk suhosin[19727]: ALERT - Include filename ('then the rest of the email text follows !).

Any ideas?



 Post subject: Re: WordPress: CURL_EXEC Disabled by ASL?
Posted: Mon Oct 17, 2011 8:40 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2088
Interesting.

Suhosin includes functions that prevent the php include function from being abused (similar to mod_sec's similar functions)

From the sounds of things Roundcube is doing something interesting here.

Take a look at some of these regarding the session issue:

http://trac.roundcube.net/ticket/1486321
http://www.howtoforge.com/forums/showthread.php?t=38881

I can't seem to find anything regarding the other issue, however.
Could this be something I've switched on, which by default would be off? Try disabling that option.

EDIT: I may be wrong here. I can't find the option that I thought did this.


