
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

eval() and the like


This topic contains 6 replies, has 2 voices. Last updated by Yolanda O’Bannon 3 years, 9 months ago.

Posted: Sunday Mar 24th, 2013 at 5:48 pm #45601

Hello,

I’m a shared hosting LAMP administrator working on an s2member implementation.

We are running suhosin with restrictions on the eval() construct and related functions restricted in php.ini.

Up to now in the wordpress site build we have had no problem getting along without these very dangerous functions.

However, we have experienced some problems with s2member requiring the use of this coding style:
Mar 20 13:10:33 ibology suhosin[25056]: ALERT – use of eval is forbidden by configuration
(attacker ‘xx.xx.xx.xx’,
file ‘/xx/xx/xx/wp-content/plugins/s2member/includes/classes/utils-s2o.inc.php’, line 131)

Is there any way to turn off the features that depend on eval()? Is there a patch to apply to the module to remove the dependency on eval()?

I have seen the problem affecting the login sequence, the General Options page, and the Download Options page of the s2member admin screens.

Having experienced first-hand what RATs (PHP rootkits) can do to your site and the ensuing fallout, I do not wish to remove the suhosin layer in order to run s2member. We have other layers of security, ownership and source control, but the suhosin layer remains very important in a shared hosting environment (the whole point of running suhosin was to remove the attraction of the site to botnets and spammers).

Thanks and Best Regards,
Rich Kucera
Senior Web Applications Admin/Dev
Howard Hughes Medical Institute

List Of Topic Replies

Posted: Sunday Mar 24th, 2013 at 11:33 pm #45620
Eduan
Username: Eduan
Moderator

Hello Yolanda,

Could you please make sure you have the latest version of s2Member? I believe Jason removed the dependency on eval() in one of the latest releases.

What version do you have currently? The latest version is v130221.

– Eduan

Posted: Tuesday Mar 26th, 2013 at 10:19 am #45761

Hello Eduan,

Thank you for your response.

Yes, we are running 130221.

From the changelog the eval() issue was last addressed in 130213.

* (s2Member/s2Member Pro) **General Code Cleanup** Removing all unnecessary uses of PHP’s `eval()` function in s2Member’s codebase. These were used to keep repetitive code all in a single line; part of a standard the WebSharks™ development team is now moving away from. Removed in this release to improve readability for developers; and to prevent unnecessary confusion.

# grep "eval(" *
login-customizations.inc.php: eval("?>".$code);
tracking-codes.inc.php: eval("?>" . $code);
# grep "eval (" *
utilities.inc.php: eval ("?>" . trim ($code));
utils-s2o.inc.php: eval ("?>" . trim ($code));
# pwd
…wp-content/plugins/s2member/includes/classes

Hm, only 4 left, great…

However, in the classes directory:
# grep evl *

[A page of deps listed… evl() calls eval() ]

Apparently some UI rendering and “shortcode” handling, it looks like.

Can you replace the eval()/evl() dependencies for UI rendering and Shortcode with a lightweight templating engine instead? Or just use simpler template strings where possible:
http://stackoverflow.com/questions/7683133/does-php-have-a-feature-like-pythons-template-strings

Thanks!
Rich Kucera
Senior Web Applications Dev/Admin
Howard Hughes Medical Institute
kucerar@hhmi.org
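The template-strings suggestion in the post above, worked through as an added example (this is not s2Member's code): the eval("?>" . $code) pattern that the grep finds, beside an eval-free replacement based on placeholder substitution. Function names and the sample values are made up for the illustration.

```php
<?php
// Added example, not s2Member code. The "before" is the shape the grep output
// shows: a PHP/HTML template string handed to eval(), which is exactly what
// suhosin.executor.disable_eval blocks.

// Pattern as used in the plugin. $code is a template such as
// '<p>Welcome, <?php echo $display_name; ?></p>' that gets executed.
// Kept only to show what the function below replaces; it is not called here.
function render_with_eval(string $code, array $vars): string
{
    extract($vars, EXTR_SKIP);
    ob_start();
    eval('?>' . $code);
    return (string) ob_get_clean();
}

// eval-free replacement: the template carries only %name% placeholders and
// every value is HTML-escaped before substitution, so a template stays data
// and can never become code. strtr() substitutes in a single pass, so a
// substituted value is never rescanned for further placeholders.
function render_template(string $template, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['%' . $name . '%'] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($template, $map);
}

// Constructed sample values, including markup that must come out escaped.
$vars = ['display_name' => 'Rich <b>"K"</b>', 'level' => 2];
$template = '<p>Welcome, %display_name%! Your level is %level%.</p>';

echo render_template($template, $vars), PHP_EOL;
```

Unknown placeholders are left untouched rather than failing, so a missing variable shows up in the rendered page during testing instead of silently disappearing.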

Posted: Friday Mar 29th, 2013 at 5:13 pm #46095

In the meantime these suhosin lines may help: turn eval back on in order to launch, but blacklist some functions that should not be allowed:

suhosin.executor.disable_eval = Off
suhosin.executor.disable_emodifier = On
suhosin.executor.eval.blacklist=include,include_once,require,require_once,curl_init,fpassthru,file,base64_encode,base64_decode,mail,exec,system,proc_open,leak,syslog,pfsockopen,shell_exec,ini_restore,symlink,stream_socket_server,proc_nice,popen,proc_get_status,dl,pcntl_exec,pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept, socket_bind, socket_connect, socket_create, socket_create_listen, socket_create_pair,link,register_shutdown_function,register_tick_function,create_function,passthru,p_open,proc_close,proc_get_status,proc_terminate

Posted: Saturday Mar 30th, 2013 at 9:11 am #46131
Eduan
Username: Eduan
Moderator

Hello Yolanda,

Thanks for sharing the server config. :)

I’ve contacted Jason so that he can go about resolving these last four eval()s if he plans to. :)

– Eduan

Posted: Friday Apr 5th, 2013 at 9:27 am #46698
Eduan
Username: Eduan
Moderator

He answered me with this:

Regarding eval(), it is a requirement that eval() NOT be disabled by the server configuration. s2Member depends upon eval() for several important things throughout its codebase.

This will continue to be true in the next generation of s2Member as well.

– Eduan

Posted: Friday Apr 5th, 2013 at 1:40 pm #46719

Hi Eduan,

We have enabled eval() but blacklisted the spammers’ toolbox with the above config. Hopefully s2member will not require the use of the spammers’ toolbox in the next generation.

Thanks,

Rich
Senior Web Applications Developer


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
