dsbifvcxr458755493 2014-03-19 00:55
浏览 47
已采纳

fsockopen到用户输入的IP地址 - 安全问题

I'm currently building a website that allows people who own a server for an online video game to better control their server without typing in console commands. In order to do this, the user enters their game server's IP address and port, and my script attempts to make a tcp connection using fsockopen(). It then sends a command (using the source server query protocol) using fwrite and listens for the expected response.

So far the functionality is working beautifully but I'm concerned about allowing an fsockopen connection to literally any address. For security, what could happen if the user has full control over the connecting server? Is there any code execution or other serious concerns I should be aware of?

Thank you very much.

  • 写回答

1条回答 默认 最新

  • douyong6585 2014-03-19 01:05
    关注

    The issue probably is not so much that your server could get compromised, simply reading values off a socket is safe in PHP, unless PHP itself has got a bug.

    I would rather be concerned about arbitrary users being able to connect to any service on the internet. Depending on how you implemented it your machine could be used to send out spam, to help in a DDoS or other kind of attacks.

    So:

    • Disallow certain ports to be entered (Everything < 1024 is a “well known” port)
    • Disallow certain IP ranges (such as 10/8, 127/8)
    • Disallow anything else that cannot be a sane value
    • Rate limit it
    • Keep track of the actions execute in case your machine is used for something malicious
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥100 Jenkins自动化部署—悬赏100元
  • ¥15 关于#python#的问题:求帮写python代码
  • ¥20 MATLAB画图图形出现上下震荡的线条
  • ¥15 关于#windows#的问题:怎么用WIN 11系统的电脑 克隆WIN NT3.51-4.0系统的硬盘
  • ¥15 perl MISA分析p3_in脚本出错
  • ¥15 k8s部署jupyterlab,jupyterlab保存不了文件
  • ¥15 ubuntu虚拟机打包apk错误
  • ¥199 rust编程架构设计的方案 有偿
  • ¥15 回答4f系统的像差计算
  • ¥15 java如何提取出pdf里的文字?