[TYPO3-waf] [TYPO3-project-waf] WAF project: brainstorming
Xavier Perseguers
typo3 at perseguers.ch
Wed Jan 27 10:00:48 CET 2010
Hi,
> On 2010-01-27 09:13:34 +0200, Xavier Perseguers said:
>>> - rule set will be updated as often as necessary
>>
>> I thought of a way to automate this for users that are aware of
>> security, want to do something against attacks but "trust" the updates
>> or are not able to really review updates before applying changes.
>>
>> I thought that some kind of "control panel" in TYPO3 (optional) may be
>> great too, for instance to read some comments about latest update or
>> to gather some statistics.
>
> I thought more of rsync-like updates (or wget updates). We could also
> have an RSS feed of latest changes.
Me too. A control panel would be more to have a pretty log. But perhaps it
would be possible to invoke wget/rsync/... from TYPO3 too, with a proper
open_basedir configuration. I don't really know, that's more of a
brainstorming idea.
> Most of the rules should go to the Apache config, not to .htaccess, for
> performance reasons. So automated updates are preferable.
Yes for /etc/apache2/conf.d/modsecurity or something like that.
>> I would add Suhosin as well (optional) as it provides some interesting
>> features too.
>
> This requires PHP recompilation, right? But we can provide settings for
> Suhosin anyway.
There are two parts to Suhosin: the first is a patch for PHP, the second is
a module for PHP. Debian's package for PHP comes with the Suhosin patch
already applied.
> I think there is also another project like Suhosin: "Hardened PHP" or
> something. I did not look into it but it is worth doing so...
I have used it for many years. Since PHP is already patched (at least on
Debian), there is a package for the PHP5 module (php5-suhosin) which is
much more handy than a few years ago when I had to manually compile all
that stuff.
The idea would be to provide a proper configuration for TYPO3 (I had a bug
with the Flash uploader with Suhosin which I would like to properly handle,
for instance).
--
Xavier Perseguers
http://xavier.perseguers.ch/en
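The thread above sketches automated rule-set updates (rsync/wget) landing in the Apache configuration rather than in .htaccess. The following shell script is an added example, not code from this thread or from the TYPO3 WAF project; it shows the checks an automated updater should apply before a freshly fetched rule file goes live: a SHA-256 comparison against a checksum published alongside the rules, an atomic copy into the directory, and an Apache configtest with rollback to the previous file when it fails. The target directory follows the thread's suggestion; the file name `rules.conf`, the checksum source and the demo content are assumptions.

```shell
#!/bin/sh
# Added example (not from the TYPO3 WAF project or this thread).
# Installs a fetched ModSecurity rule file into the Apache config directory
# only after (1) its SHA-256 matches the checksum published with it and
# (2) Apache's configtest still passes; otherwise the previous copy is restored.
# RULES_DIR follows the thread's suggestion; everything else is an assumption.
set -eu

RULES_DIR="${RULES_DIR:-/etc/apache2/conf.d/modsecurity}"

# sha256_of FILE -> prints the hex digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_rules FILE EXPECTED_HEX -> exit 0 only if the digest matches
verify_rules() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_rules SRC EXPECTED_HEX [DIR]
# Verifies SRC, copies it into DIR atomically, re-validates the Apache
# configuration with apachectl (when present) and rolls back on failure.
# Reloading Apache after a successful install is left to the caller.
install_rules() {
    src=$1; expected=$2; dir=${3:-$RULES_DIR}
    name=$(basename "$src")
    target="$dir/$name"

    if ! verify_rules "$src" "$expected"; then
        echo "refusing $src: checksum mismatch" >&2
        return 1
    fi
    mkdir -p "$dir"
    # keep the old copy so a broken update can be undone
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak"
    fi
    # write to a temp file in the same directory, then rename, so Apache
    # never reads a half-written rule file
    tmp="$dir/.$name.tmp"
    cp "$src" "$tmp"
    mv "$tmp" "$target"

    if command -v apachectl >/dev/null 2>&1; then
        if ! apachectl configtest >/dev/null 2>&1; then
            echo "configtest failed, restoring previous $name" >&2
            if [ -f "$target.bak" ]; then mv "$target.bak" "$target"; else rm -f "$target"; fi
            return 1
        fi
    fi
    return 0
}

# Demonstration on a constructed rule file in a temporary directory.
demo_dir=$(mktemp -d)
printf 'SecRuleEngine On\nSecRequestBodyAccess On\n' > "$demo_dir/rules.conf"
good_sum=$(sha256_of "$demo_dir/rules.conf")
install_rules "$demo_dir/rules.conf" "$good_sum" "$demo_dir/live" && echo "installed"
install_rules "$demo_dir/rules.conf" "0000" "$demo_dir/live" || echo "rejected tampered update"
rm -rf "$demo_dir"
```

In a real deployment the checksum would come from the same place as the rule set (for example a `.sha256` file fetched with wget or rsync next to the rules), which is what makes a silently altered download fail the first check instead of reaching Apache.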