这个脚本有多安全(强化)? [英] How secure (hardened) is this script?

问题描述

下面的脚本 test.php 旨在放置在我所有 wordpress 站点的特定目录中.它的目的是抓取下面$source地址的文件，解压到它所在的目录.这就是它的全部意图.

The script below, test.php, is intended to be placed in a specific directory of all my wordpress sites. Its purpose is to grab the file at the $source address below and extract it to the directory in which it resides. That's all its intended to do.

例如，我将在我的中央服务器上有一个仪表板界面，其中列出了我的所有存在此脚本的站点.然后，我将执行一个 cURL 例程，该例程迭代每个站点并对这个脚本执行调用，有效地一次将更新文件发送给所有站点.

For example, I will have a dashboard interface on my central server that lists all my sites in which this script is present. I will then execute a cURL routine that iterates over every site and performs a call on this script, effectively sending the update file to all of them at once.

电话是这样打的...

...processing site 1 update...
http://targetsite1.com/somedeepdirectory/test.php?query=updates.zip

...processing site 2 update...
http://targetsite2.com/somedeepdirectory/test.php?query=updates.zip

...etc until all my sites have been updated.

我的问题是 (1) 这个脚本的安全性(强化)是多少.以及 (2) 我应该进行哪些检查以确保更多...

My question is (1) how secure (hardened) is this script, as is. and (2) what checks should I put in place to make more so...

我认为至少我会限制 myquery 的字符数，并检查 myquery 中的有效负载是否存在恶意的、意外的文件类型?

I'm thinking that at a minimum I would restrict the character count for myquery as well as check the payload in myquery for malicious, unexpected filetypes?

<?php

//测试.PHP

$source = 'http://mycentralserver.com/protected/'.$_GET['myquery'];
$target = '.';

$out_file = fopen(basename($source), 'w');
$in_file = fopen($source, 'r');
while ($chunk = fgets($in_file)) {
    fputs($out_file, $chunk);
}
fclose($in_file);
fclose($out_file);

$zip = new ZipArchive();
$result = $zip->open(basename($source));
if ($result) {
    $zip->extractTo($target);
    $zip->close();
}

?>

推荐答案

这个脚本在当前状态下的安全性非常好.我确实有一些担忧.在没有条件的情况下，您必须不小心下载一个 .php 文件并将其存储在您的 Web 根目录中.这是该脚本可能发生的最糟糕的事情，因为它是一个远程代码执行漏洞.文件应下载到特定目录中，如果您担心其他人访问此文件，则应在该文件夹中的 .htaccess 中执行拒绝所有人".如果此脚本中有任何错误，您应该删除下载的文件.事实上，我建议尽快删除下载的文件.

The security of this script in its current state is pretty good. I do have a few concerns. Under NO CONDITION must you accidentally download a .php file and store it in your web root. This is the worst thing that could happen for this script as it would be a remote code execution vulnerability. Files should be downloaded into a specific directory, if you are concerned with other accessing this file you should do a "deny from all" in a .htaccess in that folder. If there are any errors in this script you should delete the downloaded file. In fact I recommend deleting the downloaded files asap.

我担心的是脚本应该优雅地出错.您应该检查以确保您获得了您要找的东西.即使文件不是 .php 文件，它也可以包含 php 代码 <?php ?> 然后可以包含()，这将变成本地文件包含(LFI)漏洞进入完全成熟的远程代码执行.

My concern is that the script should error gracefully. You should check to make sure that you have obtained what you are looking for. Even if the file isn't a .php file it can contain php code <?php ?> which then could be include()'ed which would turn a Local File Include (LFI) vulnerability into full blown remote code execution.

在安全的 php 配置中，allow_url_fopen 应该关闭，PhpInfoSec 同意我的看法.这意味着 fopen() 不能用于 HTTP.allow_url_fopen 默认启用，我在所有生产系统上禁用它.原因是因为我个人在 Coppermine Photo gallery 中编写了一个远程代码执行漏洞，利用了这种不安全的默认设置.CURL 应该始终用于 PHP 中的 HTTP，它更安全、更稳定.

In a secure php configuration allow_url_fopen should be OFF and PhpInfoSec agrees with me. This means that fopen() cannot be used for HTTP. allow_url_fopen is enabled by default and I disable it on all production systems. The reason why is because I have personally written a remote code execution exploit in Coppermine Photo gallery that took advantage of this insecure default. CURL should ALWAYS be used for HTTP in PHP, it is more secure and more stable.

这篇关于这个脚本有多安全(强化)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！