界: Input Validation and Representation
输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括:“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。
Possible Variable Overwrite: Functional Scope
Abstract
此程序会调用可覆盖当前作用域中变量的函数,这可能会为攻击者打开方便之门。
Explanation
对于可覆盖当前作用域中已初始化的变量的函数,攻击者能够通过它影响依赖被覆盖变量的代码的执行情况。
示例 1:如果攻击者为下面这段 PHP 代码中的
示例 1:如果攻击者为下面这段 PHP 代码中的
str 提供恶意值,则对 parse_str() 的调用可能会覆盖当前作用域中的所有任意变量,包括 first。在这种情况下,如果包含 JavaScript 的恶意值覆盖 first,则该程序会很容易受到 cross-site scripting 攻击。
<?php
$first="User";
...
$str = $_SERVER['QUERY_STRING'];
parse_str($str);
echo $first;
?>
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 473
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[15] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
desc.dataflow.php.possible_variable_overwrite_current_scope