界: Input Validation and Representation
输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括:“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。
ColdFusion Bad Practices: Unauthorized Include
Abstract
如果使用未验证的用户输入来指定页面中包含的文件路径,会使攻击者能够在服务器中注入恶意代码或查看敏感文件。
Explanation
在以下情况中会发生 Unauthorized Include 漏洞:
1. 数据从一个不可信赖的数据源(最常见的是一个 Web 请求)进入 Web 应用程序。
2. 数据是字符串的一部分,该字符串指明了
示例:以下代码利用来自 Web 表单的输入构造了一条路径,通过这条路径可以找到用来设定用户主页格式的特殊文件。由此可以看出,程序员没有考虑到攻击者可能会提供恶意文件名,如 "
如果攻击者可以指定
1. 数据从一个不可信赖的数据源(最常见的是一个 Web 请求)进入 Web 应用程序。
2. 数据是字符串的一部分,该字符串指明了
<cfinclude>
标签的 template
属性。 示例:以下代码利用来自 Web 表单的输入构造了一条路径,通过这条路径可以找到用来设定用户主页格式的特殊文件。由此可以看出,程序员没有考虑到攻击者可能会提供恶意文件名,如 "
../../users/wileyh/malicious
",从而导致该应用程序执行攻击者主目录下文件的恶意内容。
<cfinclude template =
"C:\\custom\\templates\\#Form.username#.cfm">
如果攻击者可以指定
<cfinclude>
标签所包含的文件,即表示他们能使应用程序在当前页上包含服务器文件系统中几乎所有文件的内容。这至少会对两个方面产生重大影响。如果攻击者可以在服务器的文件系统上某个位置(如用户的主目录或一个通用的上传目录)进行写入,即表示他们能使应用程序在页面中包含一个恶意文件,并将由服务器执行该文件。即使不具备服务器文件系统的写权限,攻击者通常也能通过指定服务器上某个文件的路径,访问敏感或私人信息。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 94
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code, SI-10 Information Input Validation
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[13] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[15] Standards Mapping - OWASP Top 10 2010 A1 Injection
[16] Standards Mapping - OWASP Top 10 2013 A1 Injection
[17] Standards Mapping - OWASP Top 10 2017 A1 Injection
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-003300 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.cfml.unauthorized_include