• suhosin killed my family. also fucked up some session files.

  • Destroyed session files? How come? I don’t have much experience with suhosin as it wasn’t me who put it on the server!

  • yup, apparently there’s a thing called suhosin session encryption that encrypts the actual session files on the server (they’re normally human readable).
    HOWEVER, if you want to start a session with a certain session_id (ex: for swfupload), the session comes back empty. “normal” session_start() works ok.
    it’s a suhosin bug, I think this one: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537788

  • the result being that the system doesn’t recognize you as logged in (or whatever you have stored in that session), because you have an empty session.

  • That sucks…

  • and extremely outdated NT Kernel.

  • Pingback: Project 2061 Techlog » suhosin to [internal web app]: you talk too much

  • Mat_o

    I had this nasty bug with long forms, but couldn’t solve it until I looked at the apache logs… always thought it was my app that was broken…

    Thank you!

  • Suhosin made my life ugly for 3 days, along with some other bugs in TomatoCart.

    Thank you. For me, it was enough to set those variables to 300.

    I’ll keep an eye on Googlebot and suhosin, because Googlebot now uses URL parameters and suhosin blocks the bot from crawling my site pages.

  • Sophie

    Likely this was an attack.

    My error message:
    Jul 7 06:01:36 logout suhosin[30460]: ALERT - configured GET variable limit exceeded - dropped variable 'arrs2[]' (attacker '118.99.29.242', file '/www/example.org/www/index.php')

    And we see their attack in my apache logs (replaced my domain name with example.org):
    /var/log/apache2/other_vhosts_access.log:www.example.org:80 118.99.29.242 - - [07/Jul/2015:06:01:37 +0200] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&arrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=57&arrs2[]=48&arrs2[]=49&arrs2[]=53&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=119&arrs2[]=119&arrs2[]=119&arrs2[]=46&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=46&arrs2[]=99&arrs2[]=111&arrs2[]=109&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96 HTTP/1.1" 404 12790 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

    /var/log/apache2/other_vhosts_access.log:www.example.org:80 118.99.29.242 - - [07/Jul/2015:06:01:37 +0200] "GET /plus/mytag_js.php?aid=19015 HTTP/1.1" 404 10796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

    /var/log/apache2/other_vhosts_access.log:www.example.org:80 118.99.29.242 - - [07/Jul/2015:06:01:38 +0200] "GET /plus/mytag_js.php?aid=19015 HTTP/1.1" 404 10796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

    /var/log/apache2/other_vhosts_access.log:www.example.org:80 118.99.29.242 - - [07/Jul/2015:06:01:38 +0200] "GET /plus/e7xue.php HTTP/1.1" 404 10769 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
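A defender-side check in the spirit of the post above, added here as an example and not taken from the thread: it parses a suhosin ALERT line in the format quoted, picks out the access-log requests from the same client IP, and counts how many GET variables each request carried against suhosin.get.max_vars. The log lines, hostnames and the client IP below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed samples shaped like the syslog and access-log lines quoted above;
# the client IP is a documentation address, not the one from the thread.
SUHOSIN_LINE = ("Jul 7 06:01:36 logout suhosin[30460]: ALERT - configured GET variable "
                "limit exceeded - dropped variable 'arrs2[]' (attacker '192.0.2.10', "
                "file '/www/example.org/www/index.php')")
ACCESS_LINE = ('/var/log/apache2/other_vhosts_access.log:www.example.org:80 192.0.2.10 - - '
               '[07/Jul/2015:06:01:37 +0200] "GET /plus/download.php?open=1'
               + "&arrs1[]=1" * 12 + "&arrs2[]=1" * 150
               + ' HTTP/1.1" 404 12790 "-" "Mozilla/4.0"')

# suhosin writes ASCII hyphens; [-\u2013] also accepts the en dashes that blog
# software substitutes when a log line is pasted into a comment.
SUHOSIN_RE = re.compile(
    r"suhosin\[\d+\]: ALERT [-\u2013] (?P<msg>.*?) [-\u2013] dropped variable "
    r"'(?P<var>[^']+)' \(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'\)")
# The optional "<file>.log:" prefix copes with grep output like the quoted lines.
ACCESS_RE = re.compile(
    r"^(?:\S+\.log:)?(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_suhosin_alert(line):
    """Return the alert's fields (msg, var, ip, file), or None for other lines."""
    m = SUHOSIN_RE.search(line)
    return m.groupdict() if m else None

def count_get_vars(target):
    """Count GET variables as PHP would register them: each repeated arrs2[]
    element is one more variable charged against suhosin.get.max_vars."""
    return len(parse_qsl(urlsplit(target).query, keep_blank_values=True))

def correlate(alert_lines, access_lines, max_vars=100):
    """Join alerts to access-log requests from the same client IP and report how
    many GET variables each carried; 100 is suhosin's default for get.max_vars."""
    suspects = {a["ip"] for a in map(parse_suhosin_alert, alert_lines) if a}
    hits = []
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if not m or m["ip"] not in suspects:
            continue
        n = count_get_vars(m["target"])
        hits.append({"ip": m["ip"], "path": urlsplit(m["target"]).path,
                     "status": int(m["status"]), "get_vars": n,
                     "over_limit": n > max_vars})
    return hits
```

Feeding the real syslog and vhost access log through `correlate` shows, per request, whether the dropped-variable alert came from a request that simply exceeded the limit or from a form that legitimately needs a higher setting.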

  • Sophie Loewenthal

    Or SQL injection more likely. Now does increasing your Suhosin values increase or decrease the likelihood of their injection working?

  • Jamie Simon

    Thank you! Two days of debugging frustration solved.
