php 漏洞_十大PHP安全漏洞

php 漏洞

Security is not a list of things you do. Security is a way of thinking, a way of looking at things, a way of dealing with the world that says “I don’t know how they’ll do it, but I know they’re going to try to screw me” and then, rather than dissolving into an existential funk, being proactive to prevent the problem.

安全性不是您要做的事情的清单。安全是一种思考方式，一种看待事物的方式，一种与世界打交道的方式，上面写着“我不知道他们会怎么做，但我知道他们会试图欺骗我”然后，主动解决问题，而不是解决现有的问题。

But, you can’t buck statistics. Nobody is going to read an article entitled “Coding for Security.” Everyone wants an article with a number in it: “The 8 Most Common PHP Security Attacks and How to Avoid Them”, “23 Things Not to Say to a Super Model”, and “15 Reasons to Avoid Radiation Poisoning.” So, here goes, the “Top 10 PHP Security Vulnerabilities.”

但是，您无法反驳统计数据。没有人会阅读标题为“安全编码”的文章。每个人都想要一篇带有数字的文章：“ 8种最常见PHP安全攻击及其防范方法”，“对超级模型不屑一顾的23件事”和“避免辐射中毒的15个理由”。因此，这里有“十大PHP安全漏洞”。

SQL注入 (SQL Injection)

Number one on the hit list is the SQL injection attack. In this case, someone enters an SQL fragment (the classic example is a drop database statement, although there are many possibilities that don’t include deletions which could be just as destructive) as a value in your URL or web form. Never mind now how he knows what your table names are; that’s another problem entirely. You are dealing with an insidious and resourceful foe.

命中列表上排名第一的是SQL注入攻击。在这种情况下，有人输入一个URL或Web表单中的值SQL片段(经典示例是drop数据库语句，尽管有很多可能性不包括可能具有破坏性的删除操作)。现在不用管他怎么知道您的表名了。完全是另一个问题。您正在面对一个阴险而机智的敌人。

So, what can you do to avoid this? First and foremost you need to be suspicious of any input you accept from a user. Believe everyone is nice? Just look at your spouse’s family… they’re weird and freaky, some dangerously so.

那么，如何避免这种情况呢？首先，您需要对用户接受的任何输入保持怀疑。相信每个人都很好吗？看看配偶的家人，他们很奇怪又怪异，有些危险。

The way to prevent this sort of thing is to use PDO Prepared Statements. I don’t want to go through a full discussion of PDO now. Suffice to say prepared statements separate the data from the instructions. In doing so, it prevents data from being treated as anything other than data. For more info, you might want to check out the article Migrate from the MySQL Extension to PDO by Timothy Boronczyk.

防止这种情况的方法是使用PDO准备语句。我现在不想对PDO进行完整的讨论。可以说准备好的语句将数据与指令分开。这样做可以防止将数据视为除数据以外的任何其他数据。有关更多信息，您可能想看看Timothy Boronczyk的文章从MySQL扩展迁移到PDO 。

XSS(跨站点脚本) (XSS (Cross Site Scripting))

Curse the black hearts who thrive on this type of deception. Parents, talk to you children today lest they become evil XSS’ers!

诅咒在这种欺骗中壮成长的黑心。父母，今天就与您的孩子交谈，以免他们成为邪恶的XSS'ers！

The essence of any XSS attack is the injection of code (usually JavaScript code but it can be any client-side code) into the output of your PHP script. This attack is possible when you display input that was sent to you, such as you would do with a forum posting for example. The attacker may post JavaScript code in his message that does unspeakable things to your site. Please don’t make me go into detail; my heart weeps at what these brigands are capable of.

任何XSS攻击的本质都是将代码(通常是JavaScript代码，但可以是任何客户端代码)注入PHP脚本的输出中。当您显示发送给您的输入时，例如在论坛发布中，您可能会发生这种攻击。攻击者可能在其消息中发布了JavaScript代码，这些代码对您的网站造成了难以言喻的影响。请不要让我详细介绍；我的心为这些强盗的能力哭泣。

For more information and how to protect yourself, I suggest reading these fine articles on PHPMaster:

有关更多信息以及如何保护自己，我建议阅读PHPMaster上的这些精美文章：

Cross Scripting Attacks by George Fekette

George Fekette的跨脚本攻击
Input Validation Using Filter Functions by Toby Osbourn

使用 Toby Osbourn的过滤器功能进行输入验证

源代码启示 (Source Code Revelation)

This one has to do with people being able to see the names and content of files they shouldn’t in the event of a breakdown in Apache’s configuration. Yeah, I dig it, this is unlikely to happen, but it could and it’s fairly easy to protect yourselves, so why not?

这与人们能够看到在Apache配置发生故障时不应该看到的文件的名称和内容有关。是的，我发现了，这种情况不太可能发生，但是可以并且很容易保护自己，所以为什么不呢？

We all know that PHP is server side – you can’t just do a view source to see a script’s code. But if something happens to Apache and all of a sudden your scripts are served as plain text, people see source code they were never meant to see. Some of that code might list accessible configuration files or have sensitive information like database credentials.

我们都知道PHP是服务器端的-您不能仅仅通过查看源代码来查看脚本的代码。但是，如果Apache发生故障，并且您的脚本突然以纯文本形式提供，人们就会看到原本不希望看到的源代码。其中一些代码可能会列出可访问的配置文件或具有敏感信息，例如数据库凭据。

The solution centers around how you set up the directory structure for your application. That is, it isn’t so much a problem that bad people can see some code, it’s what code they can see if sensitive files are kept in a public directory. Keep important files out of the publicly-accessible directory to avoid the consequences of this blunder.

该解决方案围绕如何设置应用程序的目录结构展开。就是说，坏人可以看到一些代码不是什么问题，如果敏感文件保存在公共目录中，那就是他们可以看到的代码。将重要文件放在公共可访问目录之外，以免造成这种错误。

For more information on this, including a sample of what your directory structure might look like, see point 5 in this article. For additional discussion on this topic, see this forum discussion.

有关此的更多信息，包括目录结构的示例，请参阅本文的第5点。有关此主题的其他讨论，请参阅此论坛讨论。

远程文件包含 (Remote File Inclusion)

Hang on while I try to explain this: remote file inclusion is when remote files get included in your application. Pretty deep, eh? But why is this a problem? Because the remote file is untrusted. It could have been maliciously modified to contain code you don’t want running in your application.

继续，我尝试解释一下：远程文件包含是指将远程文件包含在应用程序中。很深吧？但是为什么这是一个问题呢？因为远程文件不受信任。它可能已经被恶意修改以包含您不想在应用程序中运行的代码。

Suppose you have a situation where your site at www.myplace.com includes the library www.goodpeople.com/script.php. One night, www.goodpeople.com is compromised and the contents of the file is replaced with evil code that will trash your application. Then someone visits your site, you pull in the updated code, and Bam! So how do you stop it?

假设您遇到的情况是，您在www.myplace.com上的站点包含库www.goodpeople.com/script.php。一天晚上，www.goodpeople.com受到威胁，文件内容被恶意代码替换，这将破坏您的应用程序。然后有人访问您的站点，您输入更新的代码，然后Bam！那么如何停止呢？

Fortunately, fixing this is relatively simple. All you have to do is go to your php.ini and check the settings on these flags.

幸运的是，解决此问题相对简单。您所要做的就是转到php.ini并检查这些标志上的设置。

allow_url_fopen – indicates whether external files can be included. The default is to set this to ‘on’ but you want to turn this off.

allow_url_fopen –指示是否可以包含外部文件。默认是将其设置为“ on”，但是您要关闭它。
allow_url_include – indicates whether the include(), require(), include_once(), and require_once() functions can reference remote files. The default sets this off, and setting allow_url_fopen off forces this off too.

allow_url_include –指示include() ， require() ， include_once()和require_once()函数是否可以引用远程文件。默认设置为关闭，设置allow_url_fopen off也会强制关闭。

会话劫持 (Session Hijacking)

Session hijacking is when a ne’er-do-well steals and use someone else’s session ID, which is something like a key to a safe deposit box. When a session is set up between a client and a web server, PHP will store the session ID in a cookie on the client side probably called PHPSESSID. Sending the ID with the page request gives you access to the session info persisted on the server (which populates the super global $_SESSION array).

会话劫持是指当有必要进行盗窃并使用他人的会话ID时，这类似于保险箱的钥匙。当在客户端和Web服务器之间建立会话时，PHP会将会话ID存储在客户端的cookie中，该cookie可能称为PHPSESSID。通过发送带有页面请求的ID，您可以访问持久保存在服务器上的会话信息(填充超级全局$_SESSION数组)。

If someone steals a session key, is that bad? And the answer is: if you aren’t doing anything important in that session then the answer is no. But if you are using that session to authenticate a user, then it would allow some vile person to sign on and get into things. This is particularly bad if the user is important and has a lot of authority.

如果有人窃取了会话密钥，那不好吗？答案是：如果您在该会话中没有做任何重要的事情，那么答案是否定的。但是，如果您使用该会话对用户进行身份验证，那么它将允许某些邪恶的人登录并介入其中。如果用户很重要并且具有很多权限，则这特别糟糕。

So how do people steal these session IDs and what can decent, God-fearing folk like us do about it?

那么人们如何窃取这些会话ID，像我们这样体面，敬畏上帝的人该如何做呢？

Session IDs are commonly stolen via a XSS attack, so preventing those is a good thing that yields double benefits. It’s also important to change the session ID as often as is practical. This reduces your theft window. From within PHP you can run the session_regenerate_id() function to change the session ID and notify the client.

会话ID通常是通过XSS攻击窃取的，因此防止这些ID是一件好事，会带来双重好处。实际更改会话ID也很重要。这样可以减少盗窃窗口。在PHP中，您可以运行session_regenerate_id()函数来更改会话ID并通知客户端。

For those using PHP5.2 and above (you are, aren’t you?), there is a php.ini setting that will prevent JavaScript from being given access to the session id (session.cookie.httponly). Or, you can use the function session_set_cookie_parms().

对于使用PHP5.2和更高版本的用户(您呢，不是吗？)，有一个php.ini设置可以防止授予JavaScript访问会话ID( session.cookie.httponly )的权限。或者，您可以使用函数session_set_cookie_parms() 。

Session IDs can also be vulnerable server-side if you’re using shared hosting services which store session information in globally accessible directories, like /tmp. You can block the problem simply by storing your session ID in a spot that only your scripts can access, either on disk or in a database.

如果您正在使用共享托管服务，这些会话ID可能会将会话信息存储在全局可访问的目录(例如/tmp ，那么它在服务器端也很容易受到攻击。您可以通过将会话ID存储在只有脚本可以访问的位置(磁盘或数据库中)来简单地阻止该问题。

跨站请求伪造 (Cross Site Request Forgery)

Cross Site Request Forgery (CSRF), also known as the Brett Maverick, or Shawn Spencer, Gambit, involves tricking a rather unwitting user into issuing a request that is, shall we say, not in his best interest. But rather than me going on and on about CSRF attacks, refer to an outstanding example of just what kind of content we have here on PHPMaster: Preventing Cross-Site Request Forgeries by Martin Psinas.

跨站点请求伪造(CSRF)，也称为甘比特(Brambi Maverick)或肖恩·斯潘塞(Shawn Spencer，Gambit)，涉及诱使相当不知情的用户发出的请求，应该说，不是最符合他的最大利益。但是，除了让我继续讨论CSRF攻击外，还请参考一个出色的示例，说明我们在PHPMaster上的内容类型：Martin Psinas 防止跨站点请求伪造。

目录遍历 (Directory Traversal)

This attack, like so many of the others, looks for for a site where the security is not all that it should be, and when if finds one, it causes files to be accessed that the owner did not plan to make publicly accessible. It’s also known as the ../ (dot, dot, slash) attack, the climbing attack, and the backtracking attack.

像其他许多攻击一样，这种攻击正在寻找一个安全性不强的站点，如果找到一个安全性，它将导致访问文件的所有者不打算公开访问该文件。也称为../(点，点，斜线)攻击，攀爬攻击和回溯攻击。

There are a few ways to protect against this attack. The first is to wish really, really hard that it won’t happen to you. Sometimes wishing on fairies and unicorns will help. Sometimes it doesn’t. The second is to define what pages can be returned for a given request using whitelisting. Another option is to convert file paths to absolute paths and make sure they’re referencing files in allowed directories.

有几种方法可以防止这种攻击。首先是要真的非常非常希望自己不会发生。有时候，希望仙女和独角兽会有所帮助。有时并非如此。第二个是使用白名单定义可以为给定请求返回哪些页面。另一种选择是将文件路径转换为绝对路径，并确保它们引用了允许目录中的文件。

摘要 (Summary)

Those are the top 10 issues that, if you aren’t careful to avoid, can allow your PHP application to be breached. Yep, 10. Count them… 1, 2, 3… What? You only counted 8? Okay, maybe 7. Well then that shows you just how easily you can be fooled, and I’m not even one of the bad guys!

如果您不小心避免这些问题，那么这是十大问题，它们可能会导致您PHP应用程序遭到破坏。是的，十。算一下……1、2、3……什么？你只算8个好吧，也许是7。好吧，那向您展示了你多么容易被骗，而且我什至不是坏人之一！

Image via Fotolia

图片来自Fotolia

翻译自: https://www.sitepoint.com/top-10-php-security-vulnerabilities/

php 漏洞