(08-22-2018, 06:41 AM)TGates Wrote: After a quick read through, Snuffleupagus looks to be promising if Suhosin doesn't come around. I didn't get to check on all of the functions it blocks, but that shouldn't be too hard to sort out.
The list of functions looks to be extensive, including an out-of-the-box config (or "rule") file that doesn't allow Sentora Panel to run without some tweaking...
...and you might ask why I have it running for the panel when Suhosin was only configured to be loaded up for vhost user sites and not the main Sentora panel... or at least that what I think happens with Suhosin but correct me if I'm wrong. The main problem I have found with Snuffleupagus is that if it is configured to run for vhosts, and I open a page of one of my vhosts, the panel then won't run for 30 secs or so. In short, Snuffleupagus is bound into PHP and if the vhosts are set to run with a valid rules file but Sentora doesn't, the vhost rules seem to still run when loading the Sentora panel. My compromise has been to run PHP with a rules file defined regardless of whether it's Sentora or one of the other vhosts on the server, but without the default rules for theĀ "include-related vulnerabilities" as those seem to break Sentora and I don't think Suhosin ever blocked using any of the "include" functions.
Could be tricky to get it working in the same way Suhosin does but so far it's the only thing that sells itself as a PHP 7 replacement for Suhosin that I can find. Certainly worth playing around with...
Keith.
