dsbifvcxr458755493 2014-03-19 00:55
浏览 47
已采纳

fsockopen到用户输入的IP地址 - 安全问题

I'm currently building a website that allows people who own a server for an online video game to better control their server without typing in console commands. In order to do this, the user enters their game server's IP address and port, and my script attempts to make a tcp connection using fsockopen(). It then sends a command (using the source server query protocol) using fwrite and listens for the expected response.

So far the functionality is working beautifully but I'm concerned about allowing an fsockopen connection to literally any address. For security, what could happen if the user has full control over the connecting server? Is there any code execution or other serious concerns I should be aware of?

Thank you very much.

  • 写回答

1条回答 默认 最新

  • douyong6585 2014-03-19 01:05
    关注

    The issue probably is not so much that your server could get compromised, simply reading values off a socket is safe in PHP, unless PHP itself has got a bug.

    I would rather be concerned about arbitrary users being able to connect to any service on the internet. Depending on how you implemented it your machine could be used to send out spam, to help in a DDoS or other kind of attacks.

    So:

    • Disallow certain ports to be entered (Everything < 1024 is a “well known” port)
    • Disallow certain IP ranges (such as 10/8, 127/8)
    • Disallow anything else that cannot be a sane value
    • Rate limit it
    • Keep track of the actions execute in case your machine is used for something malicious
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 武汉岩海低应变分析软件,导数据库里不显示波形图
  • ¥15 CreateBitmapFromWicBitmap内存释放问题。
  • ¥30 win c++ socket
  • ¥15 CanMv K210开发板实现功能
  • ¥15 C# datagridview 栏位进度
  • ¥15 vue3页面el-table页面数据过多
  • ¥100 vue3中融入gRPC-web
  • ¥15 kali环境运行volatility分析android内存文件,缺profile
  • ¥15 写uniapp时遇到的问题
  • ¥15 vs 2008 安装遇到问题