安全性-HTML注入的所有可能原因
[英]Security - All Possible Causes for HTML Injection
问题描述
Someone somehow managed to place an iframe to a pay per view site on my homepage. 
有人设法将iframe放置到我首页上的按观看次数付费的网站上。 In my mind, this could only happen through FTP or SSH so I want to place an IP lock on all of the accounts. 在我看来,这只能通过FTP或SSH发生,因此我想在所有帐户上设置IP锁定。
However, I contacted my host and they said typically it's a coding vulnerability not an FTP hack. 但是,我联系了我的主机,他们说这通常是一个编码漏洞,而不是FTP黑客。
What are the possible causes for someone to inject HTML into my index.php file? 有人将HTML注入我的index.php文件的可能原因是什么?
Edit: File uploading is a part of my site. 编辑:文件上传是我的网站的一部分。 Could they have done some sort of buffer attack and made my site interpret a file as PHP commands? 他们能做一些缓冲攻击并使我的网站将文件解释为PHP命令吗?
1 个解决方案
解决方案1
0 已采纳 2013-07-13 12:38:58
This is not “HTML injection” as that term is normally used. 这不是通常使用的“ HTML注入”。 That normally refers to vulnerabilities where a web application writes user input in an HTML template without escaping characters like < to < 这通常是指漏洞,其中Web应用程序将用户输入写入HTML模板,而不会转义<至<等字符< . 。 (In PHP, this is a common problem caused by forgetting to call htmlspecialchars() in the output template, and the language not doing it automatically for you.) (在PHP中,这是一个常见问题,是由于忘记在输出模板中调用htmlspecialchars()而导致的,而该语言并未为您自动执行此操作。)
However if someone has changed the contents of an existing .php file on the server you have a much worse compromise than a simple HTML injection XSS. 但是,如果有人更改了服务器上现有.php文件的内容,则与简单的HTML注入XSS相比,您遭受的危害要大得多。 To be able to write to the file, the attacker must have either gained access to your administative account, or exploited a file-write vulnerability in the web app and the app is running as a user that has write access to its own .php files. 为了能够写入文件,攻击者必须具有访问您的管理帐户的权限,或者利用了Web应用程序中的文件写入漏洞, 并且该应用程序以对自己的.php文件具有写访问权的用户身份运行。 (Usually you should run a web app as a low-privilege user with no permission to write to app files. But in some sad shared hosting scenarios, one user may be all you get for everything.) (通常,您应以低特权用户身份运行Web应用程序,而无需写应用程序文件的权限。但是在某些可悲的共享托管方案中,一个人可能就是您所需要的一切。)
Regardless of what your host said, the number one cause of this kind of compromise today is, by far, FTP credential loss. 无论您的主机说什么,今天造成这种妥协的首要原因是FTP凭证丢失。 The usual pattern is that a machine that is used to access the FTP server has been infected with password-stealing malware, typically as a result of visiting an infected page on another web site (which itself is often hacked). 通常的模式是,用于访问FTP服务器的计算机已感染了窃取密码的恶意软件,通常是由于访问了另一个网站上的受感染页面(该网站本身经常被黑客入侵)。
So definitely virus checkers on all machines that have access the FTP server; 因此,绝对可以在所有访问FTP服务器的计算机上使用病毒检查程序; use multiple AVs, and do an OS reinstall on any infected machines you find, as AVs are bad at detection and worse at removal. 使用多个AV,然后在发现的任何受感染计算机上重新安装操作系统,因为AV不好检测,而删除更糟。 Then change the password of the account and stop using unencrypted FTP for god's sake it's 2013. If your host refuse to provide SFTP access then this along with the poor advice above would be good reason to dump them. 然后更改该帐户的密码,为了安全起见,请在2013年停止使用未加密的FTP。如果您的主机拒绝提供SFTP访问,则此操作以及上面的错误建议将是丢弃它们的充分理由。
File uploading is a part of my site.
It's conceivable; 可以想象; file upload is a very difficult function to get right in general. 通常,文件上传是一项非常困难的功能。 If the web site is running as a user that has write access to any location from which your web server will run .php files, then any file-write vuln escalates to an execute-abitrary-code vuln. 如果该网站以对任何位置都具有写访问权的用户身份运行,则您的Web服务器将在该位置运行.php文件,则任何文件写入漏洞都将升级为执行权限代码漏洞。 So audit what bits of the filesystem have write access for the web server user, and lock it down as much as possible, in addition to performing strong whitelist validation on any variables used for filenames in your app. 因此,除了对应用程序中用于文件名的任何变量执行严格的白名单验证之外,还要审核文件系统的哪些位对Web服务器用户具有写访问权,并尽可能地将其锁定。 (Best: never use any client-supplied data to form a filename.) (最佳:永远不要使用任何客户端提供的数据来形成文件名。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.