To do web development, we often do code walk-through, many times, we will check some core features, or often appear the logic of loopholes. Along with the technical team's growth, the crew technology matures. Common fool-type SQL injection vulnerabilities, and XSS vulnerabilities. will be less, but we will also find that some emerging hidden vulnerabilities occasionally emerge. These vulnerabilities are more from developers, to a function, common module function design is insufficient, left the problem. Previously we were able to complete a number of functional modules, and now the requirement is to secure the correct method to complete the module. Next, I'll share some common functional modules that cause vulnerabilities due to design reasons. Next, let's take a look at the file-type feature vulnerability.
Let's take a look at the following code, enter a different directory through the user, contain different files
Copy CodeThe code is as follows:
Read Module name
$mod = Isset ($_get[' m ']) trim ($_get[' m ']): ' Index ';
Filter directory name does not allow to jump to the parent directory
$mod = Str_replace ("..", ".", $mod);
Get the file
$file = "/home/www/blog/". $mod. ". PHP ";
Include file
@include ($file);
This code, may be in many friends to do the program inside have encountered, for the new person, is also very easy to appear such a problem, remember to go through the code encountered, I asked, you this code security can do those?
Answer: 1. To "..." The directory has to be replaced, so the user passed in the module name inside there are: The directory will be replaced.
2. Constructs the splicing file name, has the previous directory limit, has the following extension limit, the inclusion files will be restricted in this directory
Does this piece of code really do directory security detection?
Let's test what happens if $mod pass in this value.
$mod by constructing the mod=...%2f...%2f...%2f...%2fetc%2fpasswd%00, we see that the result will be:
Actually include ("/etc/passwd") file.
how did I get away with my parameter limits?
First:Do the parameter filter type to restrict user input is not a good way, the general rule is: Can do detection, do not replace as long as the detection does not pass, direct pass off! This is one of our principles. Filtering failure conditions, endless, let's take a look at the actual process.
1. Enter ".../.../.../" by replacing ".." with "." After
2. The result is ". /.. /.. /"It's become this.
Friends will say, if I directly replace the space is not good? You can actually replace it in this. But it doesn't mean you'll have to replace them with spaces later. Let me give you another example. For example, someone will replace JavaScript inside the string. The code is as follows:
Copy CodeThe code is as follows:
......
$msg = Str_replace ("javascript", "", $msg);
It appears that JavaScript will not appear, but if you enter: Jjavascriptavascript Replace, the middle one will change to empty. The "J" in front and the back will form a new JavaScript.
Second:Let's see, how we escaped, behind the. PHP restrictions. User input parameters are: "Etc/passwd\0", the characters are very special, after a period of connection, the file name becomes "... etc/passwd\0.php", you print out the variable, or correct. However, a paragraph is inserted into the file read and write operation method, and the after is automatically truncated. Operating system, only read ... etc/passwd file now. "\" will appear in all file system read and write file variables. will be treated equally. This C-language is related to the full tag of a string.
Through the above analysis, we found that when doing file type operation, one does not pay attention will produce big loopholes. And the vulnerability could lead to a range of security issues.
How to do the file class operation?
Here, it is estimated that some people will think about this, when doing file read and write operations, if there are variables in the path, how can I do? Someone would say, can it be replaced? Yes, but this is not a strict replacement and there will be a lot of problems. Also, it is hard to put an end to a friend at first. Doing the right thing, choosing the right method, will eliminate the problem from itself as possible. Here, I suggest: do a whitelist limit on variables.
1. What is the whitelist limit
Copy the Code code as follows:
For example:
$mod = Isset ($_get[' m ']) trim ($_get[' m ']): ' Index '; After reading the module name
MoD variable Value range if it is an enumeration type then:
if (!in_array ($mod, Array (' user ', ' index ', ' Add ', ' edit '))) exit (' Err!!! ');
Fully qualified $mod, only in this array, tough enough!!!!
2. How to do white list restrictions
With the example above, we know that if it is an enumeration type, the values are placed directly into the list, but sometimes this is not enough. We also have another whitelist restriction method. is to limit the range of characters
Copy the Code code as follows:
For example:
$mod = Isset ($_get[' m ']) trim ($_get[' m ']): ' Index '; After reading the module name
I limit to know that $mod is a directory name, for the general site, is the letter plus the number underline.
if (!preg_match ("/^\w+$/", $mod)) exit (' Err!!! ');
The characters can only be: [a-za-z0-9_] these. Good enough!!!
Summary: is not found, white list restriction method, do it is actually very simple, you know that place want what, on the input detection must be those. Moreover, it is not much easier to detect what you know than to replace those unknown characters. OK, first here, the right way to solve the problem, will make the file simple, and more secure!!
http://www.bkjia.com/PHPjc/327917.html www.bkjia.com true http://www.bkjia.com/PHPjc/327917.html techarticle To do web development, we often do code walk-through, many times, we will check some core features, or often appear the logic of loopholes. With the development of the technical team, crew Technology Day ...