Kingdom: Environment
This section includes everything that lies outside the source code but is still critical to the security of the product being built. Because the issues in this kingdom are not directly related to source code, it is kept separate from the other kingdoms.
PHP Misconfiguration: register_globals Enabled
Abstract
Configuring PHP to register all Environment, GET, POST, Cookie and Server variables leads to unexpected behaviour and opens the door to attackers.
Explanation
If enabled, the register_globals option causes PHP to register all EGPCS (Environment, GET, POST, Cookie and Server) variables globally, making them accessible to any user in any PHP program. Programmers who write code with this option enabled are more or less bound to lose track of the original values they depend on, which leads to unexpected behaviour in a normal environment and leaves the program open to attack in a hostile one. Because of the security problems implied by register_globals, the option has defaulted to off since PHP 4.2.0 and is deprecated and removed in PHP 6.
Example 1: The following code is vulnerable to cross-site scripting. The programmer assumes that the value of $username comes from a server-controlled session, but an attacker may supply a malicious value for $username as a request parameter instead. If register_globals is enabled, this code includes the attacker-supplied value in the dynamic HTML content it generates.
<?php
// Vulnerable example: with register_globals enabled, $username may be
// populated from a request parameter rather than the server-side session,
// and the value is echoed into HTML without encoding.
if (isset($username)) {
    echo "Hello <b>$username</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";
}
?>
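The following is an added example, not Fortify's code, showing a hardened form of the greeting above. It assumes a standard PHP session and a php.ini where register_globals is off. It refuses to run if the directive is still on (on PHP releases that removed the directive, ini_get() simply returns false), reads the user name only from the explicitly named $_SESSION array, and encodes the value before it reaches the HTML, so neither global registration nor a request parameter can influence the output.

```php
<?php
// Added example (not from the original page). Assumes a normal PHP session
// and that register_globals is off in php.ini (register_globals = Off).

// 1. Startup guard: refuse to run if register_globals is enabled. This only
//    matters on PHP releases that still know the directive; newer releases
//    return false from ini_get(), which filter_var() treats as "off".
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Refusing to run: register_globals is enabled. Set register_globals = Off in php.ini.');
}

// 2. Build the greeting from an explicitly named, server-controlled source.
//    The function takes the session array as a parameter, so no bare
//    variable that request data could have populated is ever consulted.
function greeting(array $session): string
{
    if (isset($session['username']) && is_string($session['username'])) {
        // 3. Output encoding: even a session value is treated as untrusted
        //    text, so it cannot inject markup into the page.
        $safe = htmlspecialchars($session['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "Hello <b>$safe</b>";
    }
    return "Hello <b>Guest</b><br />Would you like to login?";
}

session_start();
echo greeting($_SESSION);
// A request carrying ?username=... no longer affects the output: $_GET is
// never read here, and $_SESSION['username'] is set only by the
// application's own login code.
```

The guard is a runtime check; the configuration fix itself is `register_globals = Off` in php.ini (or an equivalent `php_flag register_globals off` in the web server's PHP configuration), and the code-level fix is to name the superglobal the value must come from and encode it on output.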
References
[1] M. Achour et al. PHP Manual
[2] Artur Maj Securing PHP
[3] Standards Mapping - Common Weakness Enumeration CWE ID 473
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[6] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[7] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.php.php_misconfiguration_register_globals