以下是简介阶层日益严重PHP的应用性.可以让执行任意法或任意功能或阅读/书写的机会 国内任意变量.看来只有极少数研究人员正在寻找 这些问题包括StefanEsser,Retrogod,Gulftech.不过,这可能是目前许多严重问题 应用,特别是大型或复杂的问题.此外,这些研究人员可以引发性错误,但品牌他们充分发挥XSS如果不诊断.看到这种独特性并非PHP.其他可以理解的语言有类似的问题.
例如,Perl, 参展,有Xeval功能. 最近MySpaceXSS 注射用eval问题Java[1],已注射eval一些平日申请报(CVE-2005-2483、CVE-2005-3302),Perl(CVE-2002-1750,CVE-2003-0770,CVE-2005-1527、CVE-2005-2837).
------------------------------------------------------
Dynamic Evaluation Vulnerabilities in PHP applications
------------------------------------------------------
以下是简介阶层日益严重PHP的应用性.可以让执行任意法或任意功能或阅读/书写的机会 国内任意变量. 看来只有极少数研究人员正在寻找这些问题包括StefanEsser,Retrogod,Gulftech.不过,这可能是目前许多严重问题应用,特别是大型或复杂的问题.此外,这些研究人员可以引发性错误,但品牌他们充分发挥XSS如果不诊断.看到这种独特性并非PHP. 其他可以理解的语言有类似的问题.
例如,Perl,参展,有Xeval功能. 最近MySpaceXSS注射用eval问题Java[1],已注射eval一些平日申请报(CVE-2005-2483、CVE-2005-3302),Perl(CVE-2002-1750,CVE-2003-0770,CVE-2005-1527、CVE-2005-2837).
--------------
Eval Injection
--------------
术语笔记: 这个期限不是共同, 但它被使用在CVE。这文字,没有常用的选择。
一个eval射入弱点发生当攻击者可能控制被灌输eval()作用输入串的全部或部份电话。Eval将执行论据作为代码。安全涵义为这是显然的。这个问题知道为几年[ 2 ], 但它仍然在之下被研究。
Example:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
What happens if arg is set to "10 ; system(\"/bin/echo uh-oh\");" ?
Basic detection:
以原始代码: 因为这是一个标准PHP 作用,这容易对grep潜在地危险打电话对eval()。但是,研究员必须进一步调查是否输入可能是由攻击者控制。
- 没有原始代码: 如果絮絮叨叨错误是可利用的,一无效输入也许触发错误信息与分析错误有关。使用"phpinfo" 输入也许是有用的。但是,您可能必须演奏以输入匹配语法要求声明最后被灌输eval,象您有时需要做在XSS或SQL射入。
消灭问题:
- 避免eval()每当可能
- 使用唯一可接受的价值whitelists插入入eval()电话。whitelist也许需要改变根据的地方节目您是。
---------------------------
Dynamic Variable Evaluation
---------------------------
术语笔记: 没有共同的期限为这问题。
PHP 支持"易变的可变物,"是可变物或表示那评估对其它可变物[ 3 的] 名字。他们可能被使用动态地改变在期间可变物被获取或被设置节目的施行。这个强有力和方便特点是还危险。
如果易变的名字不是受控的,攻击者能读或给任意可变物写,根据应用。 后果取决于节目。在某些情况下,均匀重要可变物譬如$_globals可能被修改[ 4 ]。
Example:
$varname = "myvar";
$$varname = 10;
echo $myvar;
This will set $myvar, and print the string "10"!
It seems likely that this issue will occur more frequently as PHP
developers modify their programs so that they do not require
register_globals.
A number of applications have code such as the following:
$safevar = "0";
$param1 = "";
$param2 = "";
$param3 = "";
# my own "register globals" for param[1,2,3]
foreach ($_GET as $key => $value) {
$$key = $value;
}
If the attacker provides "safevar=bad" in the query string, then
$safevar will be set to the value "bad".
Detection Examples:
$$varname
${$varname}
${$var . $name}
${arbitrary expression}
Eliminating the problem:
- use only whitelists of acceptable variable names. The whitelist
might need to change depending on where in the program you are.
---------------------------
Dynamic Function Evaluation
---------------------------
Terminology note: there is no common term for this kind of issue.
Variable variables can also be used to dynamically reference
functions:
$funcname = "myfunction";
$$funcname("Arg1", "Arg2");
This effectively calls myfunction("Arg1", "Arg2") !
Detection Examples:
$$fname();
${$var1 . $var2} ("arg");
${"varname"} ();
Eliminating the problem:
- use only whitelists of acceptable function names. The whitelist
might need to change depending on where in the program you are.
----------
References
----------
[1] Myspace.com - Intricate Script Injection
Justin Lavoie
http://marc.theaimsgroup.com/?l=bugtraq&m=114469411219299&w=2
[2] A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications
Shaun Clowes
http://www.securereality.com.au/studyinscarlet.txt
This classic paper briefly mentioned the risk of eval
[3] PHP: Variable variables
http://us3.php.net/manual/en/language.variables.variable.php
[4] $GLOBALS Overwrite and it's Consequences
Stefan Esser
http://www.hardened-php.net/globals-problem
This paper talks specifically about dynamic variable evaluation
and the impact on superglobals such as $_GLOBALS. Esser was one
of the first (if not the first) researchers to use the term "eval
injection".
-------------------------
Sample Vulnerable Program
-------------------------
Dynamic Evaluation Vulnerabilities in PHP Applications - Examples
// error_reporting(8);
// ini_set('display_errors', 1);
// ini_set('display_startup_errors', 1);
function do_this () { echo "Do this!
"; }
$test = $_GET['test'];
if ($test == 1)
{
echo "=== Implicit variable evaluation in \$myvar ===
\n";
echo "Parameter varname = " . $_GET['varname'] . "
\n";
$myvar = "unchangeable value";
echo "before: \$myvar = \"" . $myvar . "\"
\n";
$varname = $_GET['varname'];
echo "EXECUTE: \$\$varname = \"new value\";
\n";
$$varname = "new value";
echo "after: \$myvar = \"" . $myvar . "\"
\n";
}
elseif ($test == 2)
{
echo "=== Implicit function evaluation in \$myfunc ===
\n";
$myfunc = $_GET['myfunc'];
echo "EXECUTE: \$myfunc();
\n";
${"myfunc"}();
$myfunc();
}
elseif ($test == 3)
{
echo "=== Eval Injection in \$ev ===
\n";
$ev = $_GET['ev'];
echo "EXECUTE: eval(\$ev);
\n";
echo "actual statement will be: eval($ev)
\n";
eval($ev);
}
?>
|
