流行的 PHP CMS 的历史安全缺陷?
我正在创建一个 PHP CMS,我希望它能够被公众使用。安全性是一个主要问题,我想学习一些流行的 PHP CMS,如 Wordpress、Joomla、Drupal 等。它们过去有哪些安全缺陷或漏洞,我可以在我的应用程序中避免我可以使用什么策略来避免它们?还有哪些其他问题是我需要关注的,而他们可能不会因为他们从一开始就正确处理而没有面临这些问题?您将包括哪些额外的安全功能或措施,从微小的细节到系统级安全方法? 请尽可能具体。我通常了解大多数常见的攻击媒介,但我想确保涵盖所有基础,所以不要'也不要害怕提及显而易见的事情。假设 PHP 5.2+。
编辑:我正在将其更改为社区 wiki。尽管 Arkh 的出色答案已被接受,但我仍然对更多示例感兴趣(如果您有)。
I'm creating a PHP CMS, one that I hope will be used by the public. Security is a major concern and I'd like to learn from some of the popular PHP CMS's like Wordpress, Joomla, Drupal, etc. What are some security flaws or vulnerabilities that they have they had in the past that I can avoid in my application and what strategies can I use to avoid them? What are other issues that I need to be concerned with that they perhaps didn't face as a vulnerability because they handled it correctly from the start? What additional security features or measures would you include, anything from minute details to system level security approaches? Please be as specific as possible. I'm generally aware of most of the usual attack vectors, but I want to make sure that all the bases are covered, so don't be afraid to mention the obvious as well. Assume PHP 5.2+.
Edit: I'm changing this to a community wiki. Even though Arkh's excellent answer is accepted, I'm still interested in further examples if you have them.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
跨站请求伪造 (CSRF)
描述:
基本思想是诱骗用户访问一个页面,在该页面上,他的浏览器将向您攻击的 CMS 发起 POST 或 GET 请求。
假设您知道 CMS 支持的站点管理员的电子邮件。通过电子邮件给他发送一些有趣的网页,其中包含您想要的任何内容。在此页面中,您使用 CMS 管理面板使用的数据制作一个表单,以创建新的管理员用户。将这些数据发送到网站管理面板,结果会生成网页的隐藏 iframe。
瞧,您已经创建了自己的管理员帐户。
如何防止它:
通常的方法是在所有表单中生成随机的短期(1500 万到小时)随机数。当您的 CMS 收到表单数据时,它首先检查随机数是否正确。如果不是,则不使用该数据。
CMS 示例:
更多信息:
在 wikipedia< /a> 页面和 OWASP 项目。
错误的密码存储
描述:
想象一下您的数据库被黑客攻击并发布在维基解密等网站上。知道您的大部分用户在许多网站上使用相同的登录名和密码,您是否希望它们很容易获得?
不可以。如果您的数据库数据公开,您需要减轻所造成的损失。
如何防止:
为了简化该过程,您可以使用库 phpass 由一些密码大师开发。
CMS 示例:
更多信息:
phpass 页面。
跨站脚本 (XSS)
描述
这些攻击的目标是让您的网站显示一些将由您的合法用户执行的脚本。
你有两种:持久的或不持久的。第一个通常来自用户可以保存的内容,另一个则依赖于发送的请求给出的参数。这是一个非持久性的示例:
现在您的攻击者可以发送类似
http://www.example.com/vulnerable.php?id=的链接
如何防止它
您需要过滤输出到客户端的所有内容。如果您不想让用户,最简单的方法是使用 htmlspecialchars保存任何 html。但是,当你让他们输出 html(无论是他们自己的 html 还是从其他东西(如 bbcode)生成的一些)时,你必须非常小心。下面是一个使用 img 标签的“onerror”事件的旧示例:vBulletin 漏洞。或者您有旧的 Myspace 的 Samy。
CMS 示例:
更多信息:
您可以查看 wikipedia 和 OWASP。 ha.ckers 页面上也有很多 XSS 向量。
邮件标头注入
描述:
邮件标头由 CRLF (
\r\n
) 序列分隔。当您使用某些用户数据发送邮件时(例如将其用于发件人:或收件人:),它们可以注入更多标头。这样,他们就可以从您的服务器发送匿名邮件。如何防止:
过滤您的文件中的所有
\n
、\r
、%0a
和%0d
字符标头。CMS 示例:
更多信息:
维基百科 像往常一样是一个好的开始。
SQL注入
描述:
老经典。当您使用直接用户输入形成 SQL 查询时,就会发生这种情况。如果这个输入是根据需要精心设计的,用户就可以完全按照他的意愿去做。
如何预防:
很简单。不要使用用户输入形成 SQL 查询。使用参数化查询。
考虑任何不是由您自己编码为用户输入的输入,例如来自文件系统、您自己的数据库或 Web 服务。
CMS 示例:
更多信息:
Wikipedia 和 OWASP 在这个主题上有非常好的页面。
HTTP 响应拆分
描述:
与电子邮件标头一样,http 标头由 CLRF 序列分隔。如果您的应用程序使用用户输入来输出标头,他们可以使用它来制作自己的标头。
如何防止:
像电子邮件一样,过滤
\n
、\r
、%0a
和%0d
字符在将其用作标头的一部分之前从用户输入中获取。您还可以urlencode您的标头。CMS 示例:
更多信息:
我会让您猜测一下在哪里可以找到有关此类攻击的大量信息。 OWASP 和 维基百科。
会话劫持
描述:
在这种情况下,攻击者想要使用另一个合法(并且希望经过身份验证)用户的会话。
为此,他可以更改自己的会话 cookie 以匹配受害者的会话 cookie,也可以让受害者使用他(攻击者)自己的会话 id。
如何预防:
这里没有什么是完美的:
- 如果攻击者窃取了受害者的cookie,您可以检查用户会话是否与用户IP匹配。但如果合法用户使用某些经常更改 IP 的代理,这可能会使您的网站变得毫无用处。
- 如果攻击者让用户使用自己的会话 ID,只需使用 session_regenerate_id< /a> 当用户的权限发生变化时(登录、注销、进入网站的管理部分等),更改用户的会话 ID。
CMS 示例:
更多信息:
有关该主题的维基百科页面。
其他
您可以在 OWASP 页面上阅读很多内容。
Cross-Site Request Forgery (CSRF)
Description :
The basic idea is to trick a user to a page where his browser will initiate a POST or GET request to the CMS you attack.
Imagine you know the email of a CMS powered site administrator. Email him some funny webpage with whatever you want in it. In this page, you craft a form with the data used by the admin panel of the CMS to create a new admin user. Send those data to the website admin panel, with the result in a hidden iframe of your webpage.
Voilà, you got your own administrator account made.
How to prevent it :
The usual way is to generate random short-lived (15mn to hour) nonce in all your forms. When your CMS receive a form data, it checks first if the nonce is alright. If not, the data is not used.
CMS examples :
More information :
On the wikipedia page and on the OWASP project.
Bad password storing
Description :
Imagine your database get hacked and published on something like wikileak. Knowing that a big part of your users use the same login and password for a lot of websites, do you want them to be easy to get ?
No. You need to mitigate the damages done if your database datas become public.
How to prevent it :
To ease the process, you can use the library phpass developped by some password guru.
CMS examples :
More information :
The phpass page.
Cross Site Scripting (XSS)
Description
The goal of these attacks, is to make your website display some script which will be executed by your legitimate user.
You have two kind of these : persistent or not. The first one comes usually from something your user can save, the other count on parameters given by a request sent. Here is an example, not persistent :
Now your attacker can just send links like
http://www.example.com/vulnerable.php?id=<script>alert('XSS')</script>
How to prevent it
You need to filter everything you output to the client. The easiest way is to use htmlspecialchars if you don't want to let your user save any html. But, when you let them output html (either their own html or some generated from other things like bbcode) you have to be very careful. Here is an old example using the "onerror" event of the img tag : vBulletin vulnerability. Or you have the old Myspace's Samy.
CMS examples :
More information :
You can check wikipedia and OWASP. You also have a lot of XSS vector on ha.ckers page.
Mail header injection
Description :
Mail headers are separated by the CRLF (
\r\n
) sequence. When you use some user data to send mails (like using it for the From: or To:) they can inject more headers. With this, they can send anonymous mails from your server.How to prevent it :
Filter all the
\n
,\r
,%0a
and%0d
characters in your headers.CMS examples :
More information :
Wikipedia is a good start as usual.
SQL Injection
Description :
The old classic. It happen when you form a SQL query using direct user input. If this input is crafted like needed, a user can do exactly what he want.
How to prevent it :
Simple. Don't form SQL queries with user input. Use parameterized queries.
Consider any input which is not coded by yourself as user input, be it coming from the filesystem, your own database or a webservice for example.
CMS example :
More information :
Wikipedia and OWASP have really good pages on the subject.
Http response splitting
Description :
Like e-mail headers, the http headers are separated by the CLRF sequence. If your application uses user input to output headers, they can use this to craft their own.
How to prevent it :
Like for emails, filter
\n
,\r
,%0a
and%0d
characters from user input before using it as part of a header. You can also urlencode your headers.CMS examples :
More information :
I'll let you guess a little as to where you can find a lot of infos about this kind of attack. OWASP and Wikipedia.
Session hijacking
Description :
In this one, the attacker want to use the session of another legitimate (and hopefully authenticated) user.
For this, he can either change his own session cookie to match the victim's one or he can make the victim use his (the attacker's) own session id.
How to prevent it :
Nothing can be perfect here :
- if the attacker steal the victim's cookie, you can check that the user session matches the user IP. But this can render your site useless if legitimate users use some proxy which change IP often.
- if the attacker makes the user use his own session ID, just use session_regenerate_id to change the session ID of a user when his rights change (login, logout, get in admin part of the website etc.).
CMS examples :
More information :
Wikipedia page on the subject.
Other
You have a lot of things you can read on the OWASP page.
我记得 phpBB 上的一篇相当有趣的文章。自动登录 cookie 包含一个序列化数组,其中包含用户 ID 和加密密码(无盐)。将密码更改为值为 true 的布尔值,您就可以以任何您想要的身份登录。你不喜欢弱类型语言吗?
phpBB 的另一个问题是用于突出显示具有回调的搜索关键字的正则表达式(使用
e 修饰符
),这使您能够执行自己的 PHP 代码 - 例如,系统调用不安全的系统或只是输出配置文件来获取 MySQL 登录名/密码。总结一下这个故事:
md5( "secretpass" ) == true
)。当然,还有我之前已经提到的其他问题。
I remember a rather funny one from phpBB. The autologin cookie contained a serialized array containing a userId and encrypted password (no salt). Change the password to a boolean with value true and you could log in as anyone you wanted to be. Don't you love weaktyped languages?
Another issue that phpBB had was in an regular expression for the highlighting of search keywords that had a callback (with the
e modifier
), which enabled you to execute your own PHP code - for example, system calls on unsecure systems or just output the config file to get the MySQL login/password.So to sum this story up:
md5( "secretpass" ) == true
).And of course there are the other issues already mentioned before me.
我见过 CMS 处理的另一个应用程序级安全问题是页面或功能级访问授权不足。换句话说,通过仅在您有权查看链接时显示链接来设置安全性,但不会完全检查用户帐户是否有权查看页面或在页面上使用该功能。
换句话说,管理员帐户会显示用于转至用户管理页面的链接。但用户管理页面只检查用户是否登录,而不检查用户是否登录和管理。然后,普通用户登录,手动输入管理页面 URI,然后拥有对用户管理页面的完全管理员访问权限,并将其帐户设置为管理员帐户。
您可能会感到惊讶,即使在可以查看用户 CC 数据的购物车应用程序中,我也多次看到类似的情况。
Another application level security issue that I've seen CMSes deal with is insufficiently authorizing page or function level access. In other words, security being set by only showing links when you are authorized to view those links, but not fully checking that the user account is authorized to view the page or use the functionality once they are on the page.
In other words, an admin account has links displayed to go to user management pages. But the user management page only checks that the user is logged in, not that they are logged in and admin. A regular user then logs in, manually types in the admin page URI, then has full admin access to the user management pages and makes their account into an admin account.
You'd be surprised how many times I've seen things like that even in shopping cart applications where user CC data is viewable.
很多人似乎忘记或没有意识到的最大问题是任何人都可以将任何数据发布到您的脚本中,包括 cookie 和会话等。并且不要忘记,仅仅因为用户登录,并不意味着他们可以做任何动作。
例如,如果您有一个处理评论添加/编辑的脚本,您可能会遇到这样的情况:
您能看出问题所在吗?您检查了用户是否已登录,但没有检查用户是否拥有该评论,或者是否能够编辑该评论。这意味着任何登录用户都可以发布评论 ID 和内容并编辑其他人的评论!
向他人提供软件时要记住的另一件事是服务器设置差异很大。发布数据时您可能想要执行此操作,例如:
The biggest one that so many people seem to either forget or not realise is that anyone can post any data to your scripts, including cookies and sessions etc. And don't forget, just because a user is logged in, doesn't mean they can do any action.
For example, if you had a script that handles the adding/editing of a comment, you might have this:
Can you see what's wrong? You checked that the user is logged in, but you didn't check if the user owns the comment, or is able to edit the comment. Which means any logged-in user could post a comment ID and content and edit others' comments!
Another thing to remember when providing software to others is that server set ups vary wildly. When data is posted you may want to do this, for example:
这么多..
这里的许多答案列出了他们记得的特定漏洞或通用的“编写网络应用程序时我担心的事情”,但是如果您想要一份历史上发现的大多数报告漏洞的相当可靠的列表,那么您就不会'没有比搜索国家漏洞数据库更糟糕的
了Joomla 或 Joomla 插件报告了 582 个漏洞,Wordpress 报告了 199 个漏洞,Drupal 报告了 345 个漏洞供您消化。
为了对常见的 webapp 漏洞有一个大致的了解,OWASP 十大项目最近已被评选为已更新,是任何 Web 开发人员的必读之作。
So so many..
A number of answers here are listing specific vuls they remember or generic "things i worry about when writing a webapp", but if you want a reasonably reliable list of a majority of reported vulnerabilities found historically, then you wouldn't do much worse than to search the National Vulnerability Database
There are 582 vulnerabilities reported in Joomla or Joomla addons, 199 for Wordpress and 345 for Drupal for you to digest.
For generic understanding of common webapp vuls, the OWASP Top Ten project has recently been updated and is an essential read for any web developer.
我想到的四大问题:
获取自动分配的变量值。
(通常在不使用 DB API 层时发生)
Four big ones in my mind:
get variable values automatically assigned.
(usually happens when not using a DB API layer)
禁止来自其他域/IP 的 POST,因此机器人无法登录/提交表单。
Disallow POST from other domain/IP So Bots cant login/submit forms.
人,最大的安全漏洞,就是人的愚蠢。 信任、审查代码。你需要一个特殊的团队,它将审查在你的应用程序中作为额外代码添加的任何内容,cms 的问题是外包、传入、WordPress、Drupal、Joomla 和其他流行的 cms,就像默认安装一样,它们实际上处于非常糟糕的状态。好点安全。当你让人们在你的应用程序中添加额外的代码而没有经过良好的审查(或者更好的是,没有渗透测试)时,问题就来了。这就是 WordPress 和 Joomla 的弱点,有这么多的插件和主题开发者,有这么多的批准,数百个过时的插件和主题......所以恕我直言,如果你能够建立一个强大的团队,一个良好的安全计划,培训您的贡献者,并学习他们如何安全地编码,并且在我之前的所有其他评论中,您将能够继续并说:ei hi,这是我的 cms,它更安全一点比网上所有其他 cms ;)
People, the biggest security breech, is the human stupidity. Trust, review code. You need a special team, which will review anything that added as an extra code in your application, cms's problem are the outsource, the incomings, WordPress, Drupal, Joomla, and other popular cms, like default installations, they are really in a very good point secure. The problem is coming when you leave people to add extra code in your application, without a good review (or better, without penetration testing). This is the point where WordPress and Joomla have the weakness, there re so many plugin n theme devs, there are so many approvals,hundreds of outdated plugins n themes outhere.... So imho, if you are able to build a strong team, a good security plan, train your contributors, and learn them how to code secure, and with all the other comments before mine, then you will be able to move on and say :ei hi that's my cms, and it's a bit more secure than all the other cms on the net ;)
这对于论坛管理员来说尤其是一个潜在的陷阱,但对于任何使用下拉选择器编写表单但未验证发布的响应实际上是可用选项之一的人来说也是一个潜在的陷阱。
在大学里,我意识到 phpBB 中用户的“国家”选择器没有这样的验证。
在我们学校的论坛上,我的国家不是“美国”或“阿富汗”,而是任何东西,无论多么愚蠢或肮脏。我所需要的只是一个 html POST 表单。我的同学花了几天时间才弄清楚我是如何做到的,但很快,所有“酷孩子”的用户名下都显示了有趣的短语,而不是显示国家/地区。
去极客大学真是太棒了。 :D
Here's a potential pitfall for forum admins especially, but also anyone who codes up a form with a dropdown selector but doesn't validate that the posted response was actually one of the available options.
In college, I realized that the user's 'country' selector in phpBB had no such validation.
In our school forum, Instead of 'United States' or 'Afganistan', my country could be ANYTHING, no matter how silly, or filthy. All I needed was an html POST form. It took my classmates a few days to figure out how I had done it, but soon, all the 'cool kids' had funny phrases instead of countries displayed under their usernames.
Going to a geek college was awesome. :D