界: Environment
本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。
PHP Misconfiguration: allow_url_include Enabled
Abstract
包含遠端檔案所參照的指令可能會導致攻擊者在程式中插入惡意的內容。
Explanation
若啟用
allow_url_include 選項,會導致用於指定在目前頁面包含某個檔案的 PHP 函數 (例如include() 和 require()) 接受指向遠端檔案的 HTTP 或 FTP URL。該選是在 PHP 5.2.0 中增加的,且預設情況下為停用,因為它可能會讓攻擊者將惡意內容引入至應用程式中。最理想的情況是,攻擊者改變遠端檔案以引入惡意的內容,因此包含遠端檔案會使應用程式易受攻擊。最糟糕的情況是,攻擊者控制應用程序用來指定要包含的遠端檔案的 URL,則他們可以將 URL 提供至遠端伺服器,將任意的惡意內容插入至應用程式。References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 94
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.php.php_misconfiguration_allow_url_include