Security vulnerabilities with file_get_contents() using variable location

Views: 306

Question


Part of my site's application process is that a user must prove ownership of a website. I quickly threw together some code but until now didn't realize that there could be some vulnerabilities with it.

Like this:

<?php
$generatedCode = "9s8dfOJDFOIesdsa";
$url = "http://anyDomainGivenByUser.com/verification.txt";

if (file_get_contents($url) == $generatedCode) {
    // verification complete!
}


Is there any threat to having a user-provided url for file_get_contents()?


The code above is just an example. The generatedCode is obviously a bit more elaborate but still just a string.

Recommended answer


Yes, this could possibly be a Server Side Request Forgery vulnerability - if $url is dynamic, you should validate that it is an external internet address and the scheme specifies the HTTP or HTTPS protocol. Ideally you'd use the HTTPS protocol only and then validate the certificate to guard against any DNS hijacking possibilities.


If $url is user controllable, they could substitute internal IP addresses and probe the network behind the firewall using your application as a proxy. For example, if they set the host in $url to 192.168.123.1, your script would request http://192.168.123.1/verification.txt and they might be able to ascertain that another machine is in the hosted environment due to differences in response times between valid and invalid internal addresses. This is known as a Timing Attack. This could be a server that you might not necessarily want exposed publicly. Of course, this is unlikely to attack your network in isolation, but it is a form of Information Leakage and might help an attacker enumerate your network ready for another attack.


You would need to validate the URL or resolved DNS each time it was requested, otherwise an attacker could set this to an external address to pass the validation, and then immediately re-point it to an internal address in order to begin probing.


file_get_contents in itself appears safe, as it retrieves the URL and places it into a string. As long as you're not processing the string in any script engine or using it as any execution parameter you should be safe. file_get_contents can also be used to retrieve a local file, but if you validate that it is a valid internet-facing HTTP URL as described above, this measure should prevent reading of local files should you decide to show the user what verification.txt contained in case of mismatch. In addition, if you were to display the contents of verification.txt anywhere on your site, you should make sure the output is properly encoded to prevent XSS.
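The checks the answer recommends (HTTPS only, an external address, DNS resolved at request time, certificate validated), written out as an added PHP example. This is not code from the question or the answer; the helper names is_public_ip, resolve_public_ipv4, fetch_verification_file and verify_site_ownership are my own, and the domain and token values in the usage comment are constructed. It takes only the user's domain and builds the path itself, pins the connection to the address it just vetted (curl's CURLOPT_RESOLVE), refuses redirects, and compares the token in constant time.

```php
<?php
// Added example, not code from the original question or answer.
// Helper names (is_public_ip, resolve_public_ipv4, fetch_verification_file,
// verify_site_ownership) are my own; everything else is standard PHP
// (filter extension, gethostbynamel, curl, hash_equals).

// True only for a globally routable address: the filter flags reject private
// ranges (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved/loopback/link-local
// ranges, which includes 169.254.0.0/16 (cloud metadata endpoints live there).
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Resolve the host now (at request time, not at signup) and refuse it if any
// returned address is internal. gethostbynamel() returns A records only, so an
// IPv6-only host is rejected here rather than fetched unchecked.
function resolve_public_ipv4(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host) ? $host : null;   // a literal IP was given
    }
    $addrs = gethostbynamel($host);
    if ($addrs === false || $addrs === []) {
        return null;
    }
    foreach ($addrs as $ip) {
        if (!is_public_ip($ip)) {
            return null;   // one internal answer taints the whole host
        }
    }
    return $addrs[0];
}

// Fetch https://<domain>/verification.txt, pinned to the address just checked
// so a DNS change between the check and the connect cannot steer the request
// inward. Returns null on any failure.
function fetch_verification_file(string $domain, int $maxBytes = 1024): ?string
{
    // A bare hostname only: no scheme, userinfo, port or path can sneak in.
    if (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    $ip = resolve_public_ipv4($domain);
    if ($ip === null) {
        return null;
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => "https://{$domain}/verification.txt",
        CURLOPT_RESOLVE        => ["{$domain}:443:{$ip}"],   // use the vetted IP
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,           // HTTPS only
        CURLOPT_FOLLOWLOCATION => false,                     // a redirect could point inward
        CURLOPT_SSL_VERIFYPEER => true,                      // certificate must be valid
        CURLOPT_SSL_VERIFYHOST => 2,                         // and must match the domain
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,   // honoured only when Content-Length is sent
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return null;
    }
    return substr($body, 0, $maxBytes);   // hard cap regardless of headers
}

// Compare the fetched token with the one we issued, in constant time.
function verify_site_ownership(string $domain, string $generatedCode): bool
{
    $body = fetch_verification_file($domain);
    if ($body === null) {
        return false;
    }
    return hash_equals($generatedCode, rtrim($body));   // tolerate a trailing newline
}

// Usage (constructed values):
// $generatedCode = bin2hex(random_bytes(16));   // issued to the user earlier
// var_dump(verify_site_ownership('anyDomainGivenByUser.com', $generatedCode));
```

Two design points worth noting. The address check and the connection use the same IP because CURLOPT_RESOLVE bypasses a second DNS lookup; without that, a short-TTL record could pass resolve_public_ipv4 and then resolve to 192.168.x.x when curl connects, which is exactly the re-pointing the answer warns about. And the function never returns the fetched body to the caller beyond the comparison, so there is nothing to display and no XSS surface; if you do decide to show the mismatched contents, encode them with htmlspecialchars() first, as the answer says.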
