界: Environment
本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。
PHP Misconfiguration: allow_url_fopen Enabled
Abstract
對遠端檔案進行操作可能會讓攻擊者在程式中插入惡意的內容。
Explanation
若啟用
範例 1:以下的程式碼會開啟一個檔案並讀取其內容,該檔案名稱由要求參數控制。因為
allow_url_fopen 選項,便可使用 HTTP 或 FTP URL 在遠端檔案上執行接受檔案名稱的 PHP 函數。該選項是在 PHP 4.0.4 中增加的,在預設情況下是開啟的,因為它可能會讓攻擊者將惡意內容引入至應用程式中。最理想的情況是,攻擊者改變遠端檔案以引入惡意的內容,因此對遠端檔案進行操作使得應用程式易受攻擊。最差的情況是,攻擊者控制執行應用程式的 URL,則他們可以將 URL 提供至遠端伺服器,將任意的惡意內容插入至應用程式。 範例 1:以下的程式碼會開啟一個檔案並讀取其內容,該檔案名稱由要求參數控制。因為
$file 的值由要求參數控制,所以攻擊者可違反程式設計師的假設,提供 URL 給遠端檔案。
<?php
$file = fopen ($_GET["file"], "r");
if (!$file) {
// handle errors
}
while (!feof ($file)) {
$line = fgets ($file, 1024);
// operate on file content
}
fclose($file);
?>
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 94
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.php.php_misconfiguration_allow_url_fopen