Suhosin (Korean 수호신, meaning guardian-angel, pronounced 'su-ho-shin') is an open source patch for PHP and also a PHP extension, written by the German company Sektion Eins. Patch and extension are two independent parts, that can be used separately or in combination. "The goal behind Suhosin is to be a safety net that protects servers from insecure PHP coding practices."
Suhosin also reduces the "attackable surface" that PHP adds to a Web Server through function whitelists, resource limits, transparent session and cookie encryption, binary content filter, logging and various other protections. This reduces the risk of deploying previously deemed unsafe PHP programs and protects against known and unknown attacks.
While the original patch included several low-level memory-related hardening, those feature aren't present in the modules, but most of them have been upstreamed into php.Cookies encryption: to mitigate XSS-based cookies stealing, the cookies are encrypted, so an attacker could not get their values, and they are tied to the user-agent and part of the IP address of the user, making a stolen cookie unusable by the attacker.
Inclusion protection: Uploaded and remote files can't be included, mitigating arbitrary file inclusion attacks.
Disabling common code execution vectors: the eval keyword isn't a real function in php, thus it can't be disabled with the disable_function directive, but suhosin added this possibility, and also allowing to disable the infamous /e operator for the preg_replace function that can lead to arbitrary code execution.
Protection against infinite recursion: Php has a documented behavior of yielding a segmentation fault error upon infinite recursion. Since this is a memory-safety issue, Suhosin will make the application gracefully exit once a maximum level of recursion has been met.
Granular function white/black-list : the disabled_function directive of php isn't granular at all, suhosin provides a white and black-list mechanism for functions, on a per virtual-host and folder basis.
Black-list against sensitive variable names: Suhosin will drop GET, POST, COOKIE variables with global reserved variable names following names, like GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST,…
File upload hardening: Suhosin supports calling scripts upon file-upload, allowing things like automatic anti-virus scanning upon upload. It can also prevent ELF files, binary files,…
Custom actions upon violation: blocking violating variables, send a specific HTTP response codes, issue a redirection or even execute another PHP script.
Extensive logging: multiple log devices, logging offending filename and the line number, the IP address of the attacker, even behind reverse proxies.
In some Linux distributions, notably Debian in versions up to 6.x ("Squeeze") and Gentoo Linux, it was shipped by default with both patch and extension. Suhosin was removed from Debian as of version 7 (Wheezy) but reappeared in the current development branch.
It is activated by default in Mac OS X Server.
As of PHP 5.4, openSUSE dropped the Suhosin patch, but maintains a port of the Suhosin extension.
FreeBSD 10.1 maintains the Suhosin extension in its ports collection.
Suhosin was first released in 2006, and targeted PHP 5.2.0. The last release of the hardening patch happened a couple of months after the release of the module The last news article on the official website is from 2007, and no activity occurred in the code repository from May 2012 until February 2014. This led some distributions to consider the Suhosin project dead,until some people from the community started to contribute back to it, circa 2014.
In November 2015, the suhosin7 was created, to provide similar hardening features to PHP7 but failed to gain momentum among the community.