Top Ten PHP Security Hole


Problem description


Building web sites with PHP is easy. Building secured web sites--in any
language--is hard. The end result is many PHP sites with security issues. I
thought therefore it would be a good idea to put together a top ten list of
mistakes to avoid, so that beginners have something concrete to check their
work against, instead of fuzzy recommendations like "using session variables
is more secured."

Here's my nomination:

* Copying an uploaded file into a web-accessible folder without checking its
extension

This mistake allows someone to upload a .php file onto your website and gain
complete control.

Recommended answers



"Chung Leong" <ch***********@hotmail.com> wrote in message
news:Hu********************@comcast.com...

> Building web sites with PHP is easy. Building secured web sites--in any
> language--is hard. The end result is many PHP sites with security issues. I
> thought therefore it would be a good idea to put together a top ten list of
> mistakes to avoid, so that beginners have something concrete to check their
> work against, instead of fuzzy recommendations like "using session variables
> is more secured."
>
> Here's my nomination:
>
> * Copying an uploaded file into a web-accessible folder without checking its
> extension

Do you mean setting its permissions, or is there a security issue raised by
giving PHP files (e.g., ones that are included in a "regular" PHP file)
extensions other than ".PHP"?

> This mistake allows someone to upload a .php file onto your website and gain
> complete control.

It's a good idea to include a blank index.htm file in auxiliary directories.
It might force a load of the Web site's home page with something
like
<body onload="javascript:window.top.location='my-website.com';">

Jim
www.cross-comp.com
www.cross-comp.com/pages/software
for software goodies.



ch***********@hotmail.com says...

> Building web sites with PHP is easy. Building secured web sites--in any
> language--is hard. The end result is many PHP sites with security issues. I
> thought therefore it would be a good idea to put together a top ten list of
> mistakes to avoid, so that beginners have something concrete to check their
> work against, instead of fuzzy recommendations like "using session variables
> is more secured."
>
> Here's my nomination:
>
> * Copying an uploaded file into a web-accessible folder without checking its
> extension
>
> This mistake allows someone to upload a .php file onto your website and gain
> complete control.

Suggest it should just read:

* Copying an uploaded file into a web-accessible folder

I now always put uploaded files outside the web server doc root, and use
a function to safely "deliver" (read, not execute/parse) them back to a
browser if required.

Geoff M
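As an added example (not code from the thread or from any of the posters), here is the mistake Chung Leong names beside the arrangement Geoff M describes: uploads kept outside the web server's doc root under a server-chosen name, the content type decided from the file bytes, and a "deliver" function that reads the bytes back rather than executing them. STORE_DIR, the allowlist of types, the form field name and the id scheme are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: the mistake Chung Leong names, beside
// the arrangement Geoff M describes (store outside the doc root, deliver by reading).
// STORE_DIR, ALLOWED_TYPES, the form field name and the id scheme are assumptions.
declare(strict_types=1);

// The mistake: the uploaded file lands in a web-accessible folder under the name
// the client chose. If that name ends in .php, the next request to it runs it.
function vulnerableUpload(array $file): string
{
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// The fix: a directory the web server does not serve, and an allowlist of content
// types decided from the file bytes rather than from the client-supplied name.
const STORE_DIR     = '/var/app/uploads';           // assumption: outside the doc root
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'application/pdf'];

function safeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($type, ALLOWED_TYPES, true)) {
        throw new RuntimeException('rejected content type: ' . $type);
    }
    $id   = bin2hex(random_bytes(16));               // server-chosen, opaque name
    $dest = STORE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);                              // data, never executable
    // Keep the sniffed type and a cleaned display name for the download response.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename((string) $file['name']));
    file_put_contents($dest . '.meta', json_encode(['type' => $type, 'name' => $name]));
    return $id;
}

// Geoff's "deliver" function: stream the stored bytes back; nothing is included,
// parsed or executed, so a .php payload stored this way is just inert text.
function deliver(string $id): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) {      // only ids we generated; no paths
        http_response_code(404);
        return;
    }
    $path = STORE_DIR . '/' . $id;
    if (!is_file($path) || !is_file($path . '.meta')) {
        http_response_code(404);
        return;
    }
    $meta = json_decode((string) file_get_contents($path . '.meta'), true);
    header('Content-Type: ' . $meta['type']);
    header('X-Content-Type-Options: nosniff');       // browser must not reinterpret it
    header('Content-Disposition: attachment; filename="' . $meta['name'] . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (assumed field name "upload" and query parameter "id"):
//   $id = safeUpload($_FILES['upload']);   // in the upload handler
//   deliver($_GET['id'] ?? '');            // in the download handler
```

The download side is where Geoff's "read, not execute/parse" wording matters: the id is matched against the exact pattern the upload side generates, so no path from the request ever reaches the filesystem, and the response type comes from what was sniffed at upload time with nosniff set, so the browser cannot reinterpret a stored file as HTML or script.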


JimC wrote:
> "Chung Leong" <ch***********@hotmail.com> wrote in message
> news:Hu********************@comcast.com...
>
> > Building web sites with PHP is easy. Building secured web sites--in any
> > language--is hard. The end result is many PHP sites with security issues. I
> > thought therefore it would be a good idea to put together a top ten list of
> > mistakes to avoid, so that beginners have something concrete to check their
> > work against, instead of fuzzy recommendations like "using session variables
> > is more secured."
> >
> > Here's my nomination:
> >
> > * Copying an uploaded file into a web-accessible folder without checking its
> > extension
>
> Do you mean setting its permissions, or is there a security issue raised by
> giving PHP files (e.g., ones that are included in a "regular" PHP file)
> extensions other than ".PHP"?
>
> > This mistake allows someone to upload a .php file onto your website and gain
> > complete control.
>
> It's a good idea to include a blank index.htm file in auxiliary directories.
> It might force a load of the Web site's home page with something
> like
> <body onload="javascript:window.top.location='my-website.com';">
>
> Jim
> www.cross-comp.com
> www.cross-comp.com/pages/software
> for software goodies.




Perhaps it would be better to have an index.php file that contains a redirect
header. Something like:

<?php
header("Location: http://www.my-website.com/");
exit; // stop processing once the redirect header is set
?>

That way it redirects even if the client's browser has javascript disabled.

- Dan
http://blog.dantripp.com/
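As an added example, not code from Jim's or Dan's post: Dan's redirecting index.php written out in full, plus a small audit script that walks a document root and reports directories lacking an index file (the listing exposure Jim's blank index.htm is meant to close) and, since Jim asked about it, PHP include files carrying a non-.php extension such as .inc, which a web server will normally hand out as plain text. The doc root path, the index file names, the extension list and the redirect target are assumptions.

```php
<?php
// Added example, not code from Jim's or Dan's post: Dan's redirecting index.php
// in full, and an audit that walks a document root for directories with no index
// file and, since Jim asked, for .inc include files a web server would hand out
// as plain text. The doc root, index names and redirect target are assumptions.
declare(strict_types=1);

// Dan's suggestion as a complete file: a real 302 and an exit, so it works with
// JavaScript disabled and nothing after the header can leak into the response.
const REDIRECT_INDEX = <<<'PHP'
<?php
header('Location: https://www.my-website.com/', true, 302);
exit;
PHP;

/** Every directory under $docRoot (including itself). */
function listDirs(string $docRoot): array
{
    $dirs = [$docRoot];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $entry) {
        if ($entry->isDir()) {
            $dirs[] = $entry->getPathname();
        }
    }
    return $dirs;
}

/** Directories that a server with listing enabled would enumerate. */
function dirsWithoutIndex(string $docRoot, array $indexNames = ['index.php', 'index.html', 'index.htm']): array
{
    $docRoot = rtrim($docRoot, '/');
    $missing = [];
    foreach (listDirs($docRoot) as $dir) {
        foreach ($indexNames as $name) {
            if (is_file($dir . '/' . $name)) {
                continue 2;                           // this directory is covered
            }
        }
        $missing[] = $dir;
    }
    sort($missing);
    return $missing;
}

/** PHP source the web server would serve as text: files ending in .inc (assumed list). */
function includesServedAsSource(string $docRoot, array $exts = ['inc']): array
{
    $found = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator(rtrim($docRoot, '/'), FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if ($entry->isFile() && in_array(strtolower($entry->getExtension()), $exts, true)) {
            $found[] = $entry->getPathname();
        }
    }
    sort($found);
    return $found;
}

/** Drop the redirecting index.php into each unprotected directory; returns paths written. */
function protectDirs(string $docRoot): array
{
    $written = [];
    foreach (dirsWithoutIndex($docRoot) as $dir) {
        $target = $dir . '/index.php';
        if (file_put_contents($target, REDIRECT_INDEX . "\n") !== false) {
            $written[] = $target;
        }
    }
    return $written;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {        // php audit.php /var/www/html [--fix]
    $root = $argv[1];
    foreach (dirsWithoutIndex($root) as $d) {
        echo "no index file: $d\n";
    }
    foreach (includesServedAsSource($root) as $f) {
        echo "served as source: $f\n";
    }
    if (in_array('--fix', $argv, true)) {
        foreach (protectDirs($root) as $w) {
            echo "wrote $w\n";
        }
    }
}
```

Run it without --fix first and treat any output as a deploy-check failure; the index file is a safety net, and the audit is what tells you a new directory (an upload folder, a cache, a vendor tree) has appeared without one. The .inc listing answers Jim's question in the direction that matters for defence: a file the PHP handler is not configured for is served byte for byte, credentials and all, so included code belongs outside the doc root or under an extension the server executes.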

