PHP Vulnerabilities: Top 10 PHP Security Vulnerabilities
PHP vulnerabilities
Security is not a list of things you do. Security is a way of thinking, a way of looking at things, a way of dealing with the world that says “I don’t know how they’ll do it, but I know they’re going to try to screw me” and then, rather than dissolving into an existential funk, being proactive to prevent the problem.
But, you can’t buck statistics. Nobody is going to read an article entitled “Coding for Security.” Everyone wants an article with a number in it: “The 8 Most Common PHP Security Attacks and How to Avoid Them”, “23 Things Not to Say to a Super Model”, and “15 Reasons to Avoid Radiation Poisoning.” So, here goes, the “Top 10 PHP Security Vulnerabilities.”
SQL Injection
Number one on the hit list is the SQL injection attack. In this case, someone enters an SQL fragment (the classic example is a drop database statement, although there are many possibilities that don't include deletions and could be just as destructive) as a value in your URL or web form. Never mind now how he knows what your table names are; that's another problem entirely. You are dealing with an insidious and resourceful foe.
So, what can you do to avoid this? First and foremost you need to be suspicious of any input you accept from a user. Believe everyone is nice? Just look at your spouse's family… they're weird and freaky, some dangerously so.
The way to prevent this sort of thing is to use PDO prepared statements. I don't want to go through a full discussion of PDO now. Suffice to say prepared statements separate the data from the instructions. In doing so, they prevent data from being treated as anything other than data. For more info, you might want to check out the article by Timothy Boronczyk.
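An added example, not from the original article, showing the vulnerable string concatenation beside the prepared statement that replaces it, plus the one case placeholders cannot cover (identifiers such as a sort column, which need a whitelist). It uses an in-memory SQLite database and constructed sample data so it runs stand-alone.

```php
<?php
// Added example: SQL injection via concatenation vs. a PDO prepared statement.
// In-memory SQLite keeps the demo self-contained; the table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed hostile input: a single quote is all it takes to leave the string literal.
$input = "bob' OR '1'='1";

// VULNERABLE: the input is spliced into the SQL text, so its quote and OR clause
// become part of the query and the WHERE condition matches every row.
function findUserUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement is compiled first and the value is bound afterwards, so the
// whole input is compared as one string value, quotes and all.
function findUserSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders cannot stand in for identifiers (table or column names), so a
// caller-chosen ORDER BY column must be checked against a fixed whitelist.
function listUsersSorted(PDO $pdo, string $sortBy): array {
    $allowed = ['name', 'role'];
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'name'; // fall back to a known column rather than trust the caller
    }
    return $pdo->query("SELECT name, role FROM users ORDER BY $sortBy")->fetchAll(PDO::FETCH_ASSOC);
}

printf("unsafe lookup returned %d row(s)\n", count(findUserUnsafe($pdo, $input)));
printf("safe lookup returned %d row(s)\n", count(findUserSafe($pdo, $input)));
printf("sorted by attacker-chosen column: %d row(s)\n", count(listUsersSorted($pdo, 'role; DROP TABLE users')));
```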
XSS (Cross Site Scripting)
Curse the black hearts who thrive on this type of deception. Parents, talk to your children today lest they become evil XSS'ers!
The essence of any XSS attack is the injection of code (usually JavaScript code, but it can be any client-side code) into the output of your PHP script. This attack is possible when you display input that was sent to you, such as you would do with a forum posting, for example. The attacker may post JavaScript code in his message that does unspeakable things to your site. Please don't make me go into detail; my heart weeps at what the brigands are capable of.
For more information and how to protect yourself, I suggest reading the fine articles on PHPMaster:
by George Fekette
by Toby Osbourn
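An added example, not from the original article, of the core XSS defence the section alludes to: encoding untrusted text at the point of output, with a different encoder for HTML and for a value embedded in a script block. The post content is a constructed hostile sample.

```php
<?php
// Added example: context-aware output encoding for a forum post.
declare(strict_types=1);

// Encode for an HTML text node or a quoted attribute value. ENT_QUOTES also
// encodes single quotes; ENT_SUBSTITUTE replaces malformed UTF-8 instead of
// returning an empty string, which would silently drop the whole value.
function e(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed inside a <script> block needs JSON encoding with the HTML-safe
// flags; htmlspecialchars() means nothing to the JavaScript parser.
function jsValue(mixed $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Render a post. Both the author name and the body are untrusted user input.
function renderPost(string $author, string $body): string {
    return '<article>'
        . '<h2 data-author="' . e($author) . '">' . e($author) . '</h2>'
        . '<p>' . e($body) . '</p>'
        . '<script>var postAuthor = ' . jsValue($author) . ';</script>'
        . '</article>';
}

// Constructed hostile post: a quote that tries to escape the attribute, and
// markup in the body that would otherwise be parsed as a script element.
$author = 'mallory" onmouseover="alert(1)';
$body   = '<script>alert("xss")</script>';

echo renderPost($author, $body), PHP_EOL;
```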
Source Code Revelation
This one has to do with people being able to see the names and content of files they shouldn't in the event of a breakdown in Apache's configuration. Yeah, I dig it, this is unlikely to happen, but it could, and it's fairly easy to protect yourselves, so why not?
We all know that PHP is server side: you can't just do a view source to see a script's code. But if something happens to Apache and all of a sudden your scripts are served as plain text, people see source code they were never meant to see. Some of that code might list accessible configuration files or have sensitive information like database credentials.
The solution centers around how you set up the directory structure for your application. That is, it isn't so much a problem that bad people can see some code; it's what code they can see if sensitive files are kept in a public directory. Keep important files out of the publicly-accessible directory to avoid the consequences of this blunder.
For more information on this, including a sample of what your directory structure might look like, see . For additional discussion on this topic, see .
Remote File Inclusion
Hang on while I try to explain this: remote file inclusion is when remote files get included in your application. Pretty deep, eh? But why is this a problem? Because the remote file is untrusted. It could have been maliciously modified to contain code you don't want running in your application.
Suppose you have a situation where your site includes the /script.php. One night, is compromised and the contents of the file are replaced with evil code that will trash your application. Then someone visits your site, you pull in the updated code, and Bam! So how do you stop it?
Fortunately, fixing this is relatively simple. All you have to do is go to your php.ini and check the settings on these flags.
allow_url_fopen – indicates whether external files can be opened as if they were local. The default is to set this to 'on', but you want to turn this off.
allow_url_include – indicates whether the include(), require(), include_once(), and require_once() functions can reference remote files. The default sets this off, and setting allow_url_fopen off forces this off too.
Session Hijacking
Session hijacking is when a ne'er-do-well steals and uses someone else's session ID, which is something like a key to a safe deposit box. When a session is set up between a client and a web server, PHP will store the session ID in a cookie on the client side, probably called PHPSESSID. Sending the ID with the page request gives you access to the session info persisted on the server (which populates the superglobal $_SESSION array).
If someone steals a session key, is that bad? The answer is: if you aren't doing anything important in that session, then no. But if you are using that session to authenticate a user, then it would allow some vile person to sign on and get into things. This is particularly bad if the user is important and has a lot of authority.
So how do people steal the ssion IDs and what can decent, God-fearing folk like us do about it?
Session IDs are commonly stolen via an XSS attack, so preventing those is a good thing that yields double benefits. It's also important to change the session ID as often as is practical. This reduces your theft window. From within PHP you can run the session_regenerate_id() function to change the session ID and notify the client.
For those using PHP 5.2 and above (you are, aren't you?), there is a php.ini setting that will prevent JavaScript from being given access to the session ID (session.cookie_httponly). Or, you can use the function session_set_cookie_params().
Session IDs can also be vulnerable server-side if you're using shared hosting services which store session information in globally accessible directories, like /tmp. You can block the problem simply by storing your session data in a spot that only your scripts can access, either on disk or in a database.
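An added example, not from the original article, that puts the three mitigations of this section into one session bootstrap: the HttpOnly cookie flag (with Secure and SameSite alongside it), a private save path instead of the shared /tmp, and ID regeneration at login and on a timer. The save path under var/sessions and the 15-minute interval are assumptions for the demo.

```php
<?php
// Added example: hardened session start-up for a PHP application.
declare(strict_types=1);

function startHardenedSession(): void {
    // Keep session files in a directory only this application can read
    // (assumed path; it must exist and be writable by the web server user).
    session_save_path(__DIR__ . '/../var/sessions');

    // Accept only IDs this server issued, and only from the cookie, so an
    // attacker cannot plant an ID of his choosing in a URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // HttpOnly keeps document.cookie from reading the ID (the XSS theft path
    // described above); Secure keeps it off plaintext HTTP; SameSite keeps
    // most cross-site requests from carrying it.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Rotate the ID periodically to shrink the window in which a stolen ID works.
    $rotatedAt = $_SESSION['_rotated_at'] ?? 0;
    if (time() - $rotatedAt > 15 * 60) {
        session_regenerate_id(true); // true: delete the old ID's data server-side
        $_SESSION['_rotated_at'] = time();
    }
}

// Regenerate at the moment privileges change, so whatever ID the browser held
// before authentication is never the ID that carries the logged-in state.
function loginUser(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['_rotated_at'] = time();
}

startHardenedSession();
```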
Cross Site Request Forgery
Cross Site Request Forgery (CSRF), also known as the Brett Maverick, or Shawn Spencer, Gambit, involves tricking a rather unwitting ur into issuing a request that is, shall we say, not in his best interest. But rather than me going on and on about CSRF attacks, refer to an outstanding example of just what kind of content we have here on PHPMaster: by Martin Psinas.
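An added example, not from the original article or the Martin Psinas piece it refers to, of the standard defence against the forged request described above: a per-session token that the form must echo back, which a page on another site cannot read. The field and session key names are assumptions.

```php
<?php
// Added example: synchroniser-token CSRF protection for a state-changing form.
declare(strict_types=1);

// Create the token once per session from the CSPRNG; reuse it for later forms.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field carrying the token. The value is hex, but escape it anyway so
// the habit holds when the field is refactored.
function csrfField(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Check on every request that changes state. hash_equals() runs in constant
// time, so the comparison does not reveal how many leading bytes matched.
function csrfIsValid(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfIsValid($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Token verified: the account change requested by the form is safe to perform here.
}
echo '<form method="post">' . csrfField() . '<button>Delete account</button></form>', PHP_EOL;
```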
Directory Traversal
This attack, like so many of the others, looks for a site where the security is not all that it should be, and when it finds one, it causes files to be accessed that the owner did not plan to make publicly accessible. It's also known as the ../ (dot, dot, slash) attack, the climbing attack, and the backtracking attack.
There are a few ways to protect against this attack. The first is to wish really, really hard that it won't happen to you. Sometimes wishing on fairies and unicorns will help. Sometimes it doesn't. The second is to define what pages can be returned for a given request using whitelisting. Another option is to convert file paths to absolute paths and make sure they're referencing files in allowed directories.
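An added example, not from the original article, covering both this section and the Remote File Inclusion section above: a user-supplied page name is resolved with a whitelist and, separately, with a realpath() prefix check, so neither a ../ sequence nor a remote URL can reach an include. The pages/ directory and the page names are assumptions; the requests are constructed.

```php
<?php
// Added example: two ways to confine an include to one allowed directory.
// Keep allow_url_fopen=Off and allow_url_include=Off in php.ini as well; these
// checks are the application-level layer on top of that.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';          // assumed location of page templates
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Defence 1: whitelist. Only names in the fixed list can ever be rendered.
function pageByWhitelist(string $requested): ?string {
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    return PAGES_DIR . '/' . $requested . '.php';
}

// Defence 2: canonicalise, then compare prefixes. realpath() collapses ../ and
// symlinks and returns false for anything that does not exist on local disk,
// so a scheme such as http:// or php:// can never resolve to a file here.
function pageByRealpath(string $requested): ?string {
    $base      = realpath(PAGES_DIR);
    $candidate = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // Include the trailing separator so "/srv/pages-private" does not pass a
    // prefix test against "/srv/pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed requests: one legitimate, one ../ climb, one remote URL.
foreach (['about', '../../config/secrets', 'http://evil.example/x'] as $requested) {
    printf("%-24s whitelist: %s\n", $requested, pageByWhitelist($requested) ?? 'rejected');
    printf("%-24s realpath:  %s\n", $requested, pageByRealpath($requested) ?? 'rejected');
}
```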
Summary
Those are the top 10 issues that, if you aren't careful to avoid them, can allow your PHP application to be breached. Yep, 10. Count them… 1, 2, 3… What? You only counted 8? Okay, maybe 7. Well then, that shows you just how easily you can be fooled, and I'm not even one of the bad guys!
Image via