Feature List

Engine Protection

  • Protects the internal Zend Engine Memory Manager against bufferoverflows with Canary and SafeUnlink Protection
  • Protects Destructors of Zend Hashtables
  • Protects Destructors of Zend Linked-Lists
  • Protects the PHP core and extensions against format string vulnerabilities
  • Protects against errors in certain libc realpath() implementations

Runtime Protection

  • Protects against different kinds of (Remote-)Include Vulnerabilities
    • disallows overlong filenames
    • disallows Remote URL inclusion (optional: black-/whitelisting)
    • disallows inclusiong of uploaded files
    • protects against ASCIIZ string termination attacks
  • Protects against infinite recursion through a configureabel maximum execution depth
  • Supports per Virtual Host / Directory configureable function black- and whitelists
  • Supports a separated function black- and whitelist for evaluated code
  • Protects against SQL error message disclosure
  • Protects against HTTP Response Splitting Vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP‘s superglobals against extract() and import_request_vars()
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Adds protection against newline attacks to mail()

Filtering Features

  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names:
    • GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
    • _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
    • HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
    • HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • Allows enforcing limits on REQUEST variables or separated by type (GET, POST, COOKIE)
    • Supports a number of variables per request limit
    • Supports a maximum length of variable names [with and without indicies]
    • Supports a maximum length of array indicies
    • Supports a maximum length of variable values
    • Supports a maximum depth of arrays
  • Allows only a configureable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables

Logging Features

  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports freely configureable syslog facility and priority
  • Supports log device separated selection of alert types to log
  • Alerts contain filename and linenumber that triggered it
  • Alerts contain the IP address of the user triggering it
  • The IP Address can also be extracted from X-Forwarded-For HTTP headers (f.e. for reverse proxy setups)

© Hardened PHP Project