界: Input Validation and Representation

輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。

ColdFusion Bad Practices: Unauthorized Include

Abstract
允許未經驗證的使用者輸入來指定包含在頁面中的檔案路徑,可讓攻擊者在伺服器中注入惡意的程式碼或查看敏感的檔案。
Explanation
在以下情況會發生 Unauthorized Include 弱點:

1. 資料透過不可信賴的來源進入 Web 應用程式,通常是網頁要求。

2. 資料是字串的一部分,用來指定 template 標籤的 <cfinclude> 屬性。
範例: 以下程式碼使用來自網頁表單的輸入來建立特殊檔案的路徑,透過該路徑,可格式化使用者的網頁。程式設計師沒有考慮到攻擊者能夠提供類似「../../users/wileyh/malicious」的惡意檔案名稱的可能性,這會導致應用程式包含並執行位於攻擊者主目錄的檔案內容。


<cfinclude template =
"C:\\custom\\templates\\#Form.username#.cfm">


如果攻擊者可以指定 <cfinclude> 標籤所包含的檔案,他們就可能使應用程式在目前頁面上幾乎包含伺服器檔案系統中所有檔案的內容。這至少會對兩個方面產生重大的影響。如果攻擊者可以在伺服器檔案系統中的某個位置 (譬如使用者的主目錄或通用的上傳目錄) 進行寫入,則他們就可能使應用程式在頁面中包含惡意檔案,並由伺服器執行該檔案。即使沒有伺服器檔案系統的寫入權,攻擊者通常也可能透過指定伺服器上的檔案路徑,存取敏感或私人資訊。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 94
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code, SI-10 Information Input Validation
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[13] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[15] Standards Mapping - OWASP Top 10 2010 A1 Injection
[16] Standards Mapping - OWASP Top 10 2013 A1 Injection
[17] Standards Mapping - OWASP Top 10 2017 A1 Injection
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-003300 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.cfml.unauthorized_include