Suhosin: Logging-Probleme

Apache, Lighttpd, nginx, Cherokee
chrisw
Posts: 57
Joined: 2006-07-26 13:21

Suhosin: Logging-Probleme

Post by chrisw » 2008-04-10 11:29

Hallo,

ich habe zur Zeit ziemlich Probleme mit der suhosin-Erweiterung. Sie ist korrekt installiert, und funktioniert soweit auch, allerdings hat das Logging ein paar Macken. Wenn ich in meinem phpbb3-Forum einen Avatar hochladen möchte, bekam ich eine blank-page. Also Binärdatei-Upload in der suhosin.ini erlaubt, und noch einmal versucht. Der Upload an sich hat funktioniert, allerdings beklagt sich das Forum, dass es die Abmessungen des Avatars nicht ermitteln konnte.

Daraufhin habe ich suhosin in den Simulationsmodus geschaltet, der Upload funktionierte allerdings mit selbigem Fehler nicht. Erst, als ich das suhosin-Modul nicht mehr geladen habe, hat der Avatarupload funktioniert. Ich würde jetzt gerne herausfinden, warum suhosin sich da querstellt, allerdings habe ich nicht einen einzigen aussagekräftigen Logeintrag von suhosin. Irgendwo funktioniert da was mit dem Logging nicht.

access.log

Code: Select all

www.domain.tld 111.222.333.444 - - [10/Apr/2008:11:02:53 +0200] "POST /forum/ucp.php?i=profile&mode=avatar HTTP/1.1" 200 2666 "http://www.domain.tld/forum/ucp.php?i=profile&mode=avatar"


error.log (letzter Eintrag, wie man sieht, seitdem nichts mehr)

Code: Select all

[Thu Apr 10 10:41:28 2008] [error] [client 111.222.333.444] PHP Fatal error:  SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration in /var/www/user001/forum/includes/bbcode.php(472) : regexp code on line 472, referer: http://www.domain.tld/forum/viewforum.php?f=9
[Thu Apr 10 10:42:17 2008] [notice] caught SIGTERM, shutting down
[Thu Apr 10 10:42:21 2008] [notice] ModSecurity for Apache 2.1.5 configured
[Thu Apr 10 10:42:21 2008] [notice] suEXEC mechanism enabled
[Thu Apr 10 10:42:22 2008] [notice] Apache configured -- resuming normal operations


Auch in sonstigen Logfiles ist nichts zu finden, ich habe alle durchgesehen.

Suhosin config:

Code: Select all

; configuration for php suhosin module
; extension=suhosin.so


; -----------------------------------------------------------------------------
; This file was taken from Mandriva Linux with their permission
; -----------------------------------------------------------------------------

[suhosin]

; -----------------------------------------------------------------------------
; Logging Options

; Defines what classes of security alerts are logged to the syslog daemon.
; Logging of errors of the class S_MEMORY are always logged to syslog, no
; matter what this configuration says, because a corrupted heap could mean that
; the other logging options will malfunction during the logging process.
suhosin.log.syslog = 511

; Defines the syslog facility that is used when ALERTs are logged to syslog.
suhosin.log.syslog.facility = 9

; Defines the syslog priority that is used when ALERTs are logged to syslog.
suhosin.log.syslog.priority = 5

; Defines what classes of security alerts are logged through the SAPI error log.
suhosin.log.sapi = 511

; Defines what classes of security alerts are logged through the external
; logging.
suhosin.log.script = 0

; Defines what classes of security alerts are logged through the defined PHP
; script.
suhosin.log.phpscript = 0

; Defines the full path to a external logging script. The script is called with
; 2 parameters. The first one is the alert class in string notation and the
; second parameter is the log message. This can be used for example to mail
; failing MySQL queries to your email address, because on a production system
; these things should never happen.
;suhosin.log.script.name =

; Defines the full path to a PHP logging script. The script is called with 2
; variables registered in the current scope: SUHOSIN_ERRORCLASS and
; SUHOSIN_ERROR. The first one is the alert class and the second variable is
; the log message. This can be used for example to mail attempted remote URL
; include attacks to your email address.
;suhosin.log.phpscript.name =

; Undocumented
;suhosin.log.phpscript.is_safe = Off

; When the Hardening-Patch logs an error the log message also contains the IP
; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
; environment variable. With this switch it is possible to change this behavior
; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
; when your PHP server runs behind a reverse proxy.
;suhosin.log.use-x-forwarded-for = Off


System:

Debian Etch amd64
Apache 2.2.3 + mod_security 2.1.5 + php5.2.2-cgi + suexec2 + suhosin-0.9.12

User avatar
rudelgurke
Systemtester
Systemtester
Posts: 407
Joined: 2008-03-12 05:36

Re: Suhosin: Logging-Probleme

Post by rudelgurke » 2008-04-12 06:12

Dürfte wohl folgendes sein:

http://www.hardened-php.net/suhosin/con ... _emodifier

Eventuell die Funktion in der Apache Config explizit ausschalten per <Files ...>

chrisw
Posts: 57
Joined: 2006-07-26 13:21

Re: Suhosin: Logging-Probleme

Post by chrisw » 2008-04-13 16:34

Hmm, welche Funktion den Fehler verursacht, ist mir schon klar... mir gehts nur darum, warum Suhosin keine Logeinträge für die offensichtlich von Suhosin verursachten Blank Pages erzeugt...