Security module for PHP 7 and PHP 8 – killing bug classes and virtual-patching the rest!
Snuffleupagus is a PHP 7+ and 8+ module designed to drastically raise the cost of attacks against websites by killing entire bug classes. It also provides a powerful virtual-patching system, allowing administrators to fix specific vulnerabilities and audit suspicious behaviours without having to touch the PHP code.
- No noticeable performance impact
- Powerful yet simple to write virtual-patching rules
- Killing several classes of vulnerabilities
- Several hardening features:
  - samesite flag for cookies
- Bundled set of rules to detect post-compromise behaviours
- Global strict mode and type-juggling prevention
- Whitelisting of stream wrappers
- Preventing execution of writeable files
- Whitelist/blacklist for
- Enforcing TLS certificate validation when using curl
- Request dumping capability
- A relatively sane code base:
We provide various example rules, which look like this:
# Harden the `chmod` function
# Mitigate command injection in `system`
Upon violation of a rule, you should see lines like this in your logs:
[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in /var/www/index.php:2, because the return value (0) of the function 'strpos' matched a rule.
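Since these log lines are what a defender actually works from, here is an added example (not part of Snuffleupagus or its documentation) that parses them into structured events and counts enforced versus log-only hits per client and per function. Only the first sample line is the page's own; the other two are constructed in the same format, and the `simulation` action name is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: line 1 is the page's own example; lines 2-3 are made up in the
# same format (a second client, and a log-only rule; "simulation" is an assumed action name).
SAMPLE_LOG = """\
[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in /var/www/index.php:2, because the return value (0) of the function 'strpos' matched a rule.
[snuffleupagus][203.0.113.7][disabled_function][drop] The execution has been aborted in /var/www/upload.php:41, because the parameter 'command' of the function 'system' matched a rule.
[snuffleupagus][203.0.113.7][disabled_function][simulation] The execution has been aborted in /var/www/admin.php:17, because the parameter 'mode' of the function 'chmod' matched a rule.
"""

# Header is [snuffleupagus][client ip][feature][action], then a free-text message.
HEADER_RE = re.compile(r"^\[snuffleupagus\]\[([^\]]+)\]\[([^\]]+)\]\[([^\]]+)\] (.*)$")
LOCATION_RE = re.compile(r"\bin ([^\s:]+):(\d+)")   # "in /path/file.php:2"
FUNCTION_RE = re.compile(r"function '([^']+)'")      # "function 'strpos'"

@dataclass(frozen=True)
class SpEvent:
    ip: str
    feature: str
    action: str       # "drop" means the request was aborted; anything else is log-only
    file: str
    line: int
    function: str
    message: str

def parse_line(line: str):
    """Parse one log line into an SpEvent, or None if it is not a Snuffleupagus event."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ip, feature, action, msg = m.groups()
    loc = LOCATION_RE.search(msg)
    fn = FUNCTION_RE.search(msg)
    return SpEvent(ip, feature, action,
                   loc.group(1) if loc else "", int(loc.group(2)) if loc else 0,
                   fn.group(1) if fn else "", msg)

def parse_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def summarize(events) -> dict:
    """Split hits into enforced vs. simulated, and count them per client and per function."""
    return {
        "blocked": sum(ev.action == "drop" for ev in events),
        "simulated": sum(ev.action != "drop" for ev in events),
        "by_client": dict(Counter(ev.ip for ev in events)),
        "by_function": dict(Counter(ev.function for ev in events)),
    }
```

A client that repeatedly trips drop rules across several functions is a much stronger signal than a single hit, so the per-client counts are the first thing to pivot on.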