Do web development, we often do code to check, many times, we will spot some core functions, or often the logic of vulnerabilities. With the expansion of the technical team, the group's technology is increasingly mature. Common fool-type SQL injection vulnerabilities, and XSS vulnerabilities. will be fewer and less, but we will also find that some of the emerging vulnerabilities appear occasionally. These vulnerabilities are more from the developer, to a function, the common module function design is not enough, legacy problems. Previously we were able to complete a number of functional modules, and now require the safe and proper way to complete the module. Next, I'll share some common functional modules that have been compromised due to design reasons. Now, let's look at the file-type feature vulnerability.
Let's take a look at the following code, enter different directories through the user, including different files
<?php
///Read module name
$mod = isset ($_get[' m '])? Trim ($_get[' m ']): ' Index ';
Filter directory name does not allow jumps to the parent directory
$mod = Str_replace ("...", ".", $mod);
Get the file
$file = "/home/www/blog/". $mod. ". PHP ";
Contains file
@include ($file);
This code, may be in a lot of friends to do the program inside have encountered, for new people, it is also very easy to have such a problem, remember to walk into the code, I asked, you this code security can do those?
Answer: 1. To the ".." The directory has to do the substitution, so the user passes in the module name inside has. The catalog will be replaced.
2. Constructs the concatenation file name, has the front directory limit, has the extension limit later, the inclusion document will limit in this directory
Let's test what would be the result if $mod passed in the value.
$mod mod=...%2f...%2f...%2f...%2fetc%2fpasswd%00 through construction, we see the result will be:
Actually include ("/etc/passwd") file.
First: To do parameter filter type to restrict user input is not a good way, the general rule is: can do detection, do not do replacement as long as the test is not passed, direct pass off! This is one of our principles. Filter failure situation, too numerous, we take a look at the actual process.
1, input ".../.../.../" by substituting "." with "." After
2, the result is ".. /.. /.. /"It's become this.
A friend will say, if I directly replace the space is not good? It really can be replaced in this. But it does not mean that you will be replaced with a space in the future. Let me give you the example. For example: Someone replaces JavaScript in a string. The code is as follows:
......
$msg = Str_replace ("javascript", "", $msg);
It doesn't appear to be JavaScript anymore, but if you enter: jjavascriptavascript substitution, it will replace the middle one into empty. The front "J" and the back will form a new JavaScript.
Second: Let's see, how to escape, behind the. PHP restrictions. User input parameters are: "etc/passwd", the character is very special, after a connection, the file name becomes "... etc/passwd.php", you print out the variable time, or correct. However, a paragraph is inserted into the file read and write operation method, the following will be automatically truncated. Operating system, only read ... etc/passwd files. "" will appear in all file system read and write file variables. will be treated equally. This C language is related as a complete token of the string.
Through the above analysis, we found that do file type operation, one does not pay attention to will create a big loophole. And the vulnerability could trigger a series of security issues.
Here, it is estimated that someone will think about this, do file read and write operation, if there are variables in the path, what should I do? Someone would say, is it okay to replace? "Yes", but this method is not very strict, there will be many problems. Also, for the first time to write friends, it is difficult to eliminate. Doing the right thing and choosing the right method will eliminate the problem from itself. Here, I suggest: make white list restrictions for variables.
- What is the white list limit
For example:
$mod = Isset ($_get[' m '])? Trim ($_get[' m ')): ' Index '; ///after reading the module name
MoD variable Value range if it is an enumeration type then:
if (!in_array ($mod, Array (' user ', ' index ', ' Add ', ' edit ')) exit (' Err!!! ');
Fully qualified $mod, only in this array, tough enough!!!!
- How to make the whitelist limit
By just example, we know that if it's an enumeration type, you can just put the value in the list, but sometimes it's not enough. We also have another white list restriction method. is to limit the range of characters
For example:
$mod = Isset ($_get[' m '])? Trim ($_get[' m ')): ' Index '; ///after reading the module name
I limit to know $mod is a directory name, for the general site, is the letter plus digital underline and so on.
if (!preg_match ("/^w+$/", $mod)) exit (' Err!!! ');
The characters can only be: [a-za-z0-9_] these. Tough Enough,!!!.
Summary: is not found, white list limit method, do it in fact very simple, you know what that place, on the input detection must be those. Moreover, it is not much simpler to detect what you know than to replace those unknown characters. OK, first here, the correct way to solve the problem, will make the file simple, and more secure!! Welcome to the Exchange!