How can my PHP script tell if Suhosin changed request variables?


I've been testing security for some PHP scripts and have found that, among other things, Suhosin strips away a posted variable that is huge... this is fine and desirable, but I'd like for my script to be able to tell that Suhosin changed the request.

Does Suhosin leave any fingerprints to indicate that some action was taken -- in a way that the script can detect? I'm guessing it can't trigger something like an E_USER_WARNING, because that would be thrown before the script is running and could catch it. Maybe an environment or special global variable?

I tried a few approaches myself, but didn't see anything... perhaps Suhosin needs to be configured to do this? I find the Suhosin documentation to be, um, difficult to understand.

2

There are 2 answers

2
hakre On

Yes it does, not fingerprinting, but logging: Suhosin Logging Configuration.

0
Ben On

Suhosin's input filter is designed to transparently filter out potentially dangerous payloads, e.g. requests that are too big. If a script were able to detect this filter and change its program flow based on this information, it would be much easier for an attacker to circumvent the filter.

As a recommendation, filter limits should be set as strict as possible, but as broad as necessary. Your script is supposed to run without being able to detect Suhosin's presence.
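
For the case in the question (a posted variable silently dropped), one approach is to compare the field names in the raw request body with what actually reached `$_POST`. This is an added example, not code from either answer or from Suhosin; the function names are hypothetical, and it assumes the request is `application/x-www-form-urlencoded` and that the raw body is still readable through `php://input`.

```php
<?php
// Added example: list top-level POST fields that appear in the raw body
// but are missing from $_POST, i.e. were dropped before the script ran.

/** Top-level variable names PHP would register for a urlencoded body. */
function expected_post_keys(string $rawBody): array
{
    $keys = [];
    foreach (explode('&', $rawBody) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Only the name is needed; the (possibly huge) value is never decoded.
        $name = urldecode(explode('=', $pair, 2)[0]);
        // "a[b][c]" is registered under the top-level key "a".
        $bracket = strpos($name, '[');
        if ($bracket !== false && $bracket > 0) {
            $name = substr($name, 0, $bracket);
        }
        // PHP strips leading spaces and maps ' ' and '.' to '_' in names.
        $name = strtr(ltrim($name, ' '), ' .', '__');
        if ($name !== '') {
            $keys[$name] = true;
        }
    }
    return array_map('strval', array_keys($keys));
}

/** Names sent by the client that did not arrive in the parsed array. */
function dropped_post_keys(string $rawBody, array $post): array
{
    $arrived = array_map('strval', array_keys($post));
    return array_values(array_diff(expected_post_keys($rawBody), $arrived));
}

// Constructed sample: "body" was sent but is absent from the parsed array.
$raw  = 'title=hello&body=' . str_repeat('A', 70000) . '&tags%5B%5D=x&user.name=bob';
$post = ['title' => 'hello', 'tags' => ['x'], 'user_name' => 'bob'];
print_r(dropped_post_keys($raw, $post));

// In a real request handler (php://input is empty for multipart/form-data):
// $dropped = dropped_post_keys(file_get_contents('php://input'), $_POST);
```

This only sees whole top-level fields; a single oversized element removed from inside an array field that still has other elements will not show up.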