
How can I prevent SSRF via pathinfo passing a URL in PHP?

After scanning through our code using Acunetix for vulnerabilities, we had an issue with the following script which said:

"An HTTP request was initiated for the domain hit0yPI7kOCzl.bxss.me which indicates that this script is vulnerable to SSRF (Server Side Request Forgery)."

How can I prevent this?

<?php
// Anything that starts with "http" is accepted, so whatever URL the caller
// supplies is fetched by the server below.
$filename = strip_tags($_GET['url']);

if (substr($filename,0,4) !== 'http') {
    die("Need a valid URL...");
}

// The extension is read from the whole URL string, not only from its path.
$ext = pathinfo($filename, PATHINFO_EXTENSION);

switch ($ext) {
    case "gif":
        header('Content-Type: image/gif');
        readfile($filename);
        break;
    case "png":
        header('Content-Type: image/png');
        readfile($filename);
        break;
    case "jpg":
    default:
        header('Content-Type: image/jpeg');
        readfile($filename);
        break;
}
?>

The source of the issue in your case is that your server will try to fetch data from any passed URL. Given it has http://google.com inside the url parameter, the script will respond with the actual Google website contents.

Why is it bad? That, for example, could be exploited to circumvent your firewall settings, access the internal network of your server or pollute socket connections so your server will be unable to connect or be connected to and will become unresponsive.

First of all you should think about whether you really want to serve your static files with PHP. Most likely this responsibility could be delegated to the web server. It's even possible to "serve" static content from a 3rd party website with current web servers, so you should seriously consider getting rid of that code.

If you are 100% sure you want to use PHP in that case, you should add restrictions to your code:

  1. add a domain whitelist, so that only trusted domains are allowed inside the url variable;
  2. do not process files with unknown extensions.

In that case the code will look like this:

<?php

// Only these hosts may be fetched.
$whitelist = [
    'some.whitelisted.com',
    'other.whitelisted.com'
];

// Only these extensions are served, each with a fixed Content-Type.
$extensionMap = [
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg'
];

$filename = strip_tags($_GET['url']);

// Compare the parsed host, not a prefix of the raw string, against the whitelist.
$host = parse_url($filename, PHP_URL_HOST);

if(empty($host) || !in_array($host, $whitelist, true)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Lower-case the extension so "PNG" and "png" hit the same map entry.
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

if(!isset($extensionMap[$ext])) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

header(sprintf('Content-Type: %s', $extensionMap[$ext]));
readfile($filename);
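A hardened variant of the answer's approach, as an added example that is not the asker's or the answerer's code. It keeps the host allowlist and the extension map, and additionally restricts the scheme to http/https (readfile() also opens file://, php:// and ftp:// URLs), rejects userinfo and explicit ports, takes the extension from the parsed path rather than the whole URL (pathinfo() on the full URL would otherwise read an extension out of a query string such as ?x=.png), and fetches with redirects disabled and a timeout, since the http wrapper follows redirects by default and an allowlisted host could send the server elsewhere. The host names and the extension map are constructed sample values; validateImageUrl and fetchImage are this example's own function names.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. ALLOWED_HOSTS and
// EXTENSION_MAP are constructed sample values; allowlist entries are lowercase.
const ALLOWED_HOSTS = ['some.whitelisted.com', 'other.whitelisted.com'];
const EXTENSION_MAP = [
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Returns the Content-Type to serve when $url passes every check, else null.
 * Checks: absolute http/https URL, no userinfo or port, host exactly in the
 * allowlist, extension (taken from the path component only) in the map.
 */
function validateImageUrl(string $url, array $allowedHosts, array $extensionMap): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null; // malformed, relative, or scheme-less input
    }
    // Only http/https: rejects file://, php://, ftp:// and other wrappers
    // that readfile()/file_get_contents() would otherwise open.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // user:pass@ and explicit ports are rejected outright rather than parsed.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Exact, case-insensitive host match; no substring or suffix matching.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    // Extension from the path only, so a query string cannot influence it.
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    return $extensionMap[$ext] ?? null;
}

/**
 * Fetches an already validated URL. Redirects are not followed (the http
 * wrapper follows them by default, which would let an allowlisted host
 * redirect the server to an internal address) and the request times out
 * after 5 seconds. Returns the body, or false on failure.
 */
function fetchImage(string $url)
{
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'follow_location' => 0,
            'timeout'         => 5,
        ],
    ]);
    return file_get_contents($url, false, $ctx);
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo on constructed inputs; nothing is fetched here.
    $samples = [
        'http://some.whitelisted.com/a.png',           // image/png
        'https://OTHER.whitelisted.com/b.JPG?x=1',     // image/jpeg
        'http://some.whitelisted.com/a?x=.png',        // null: no extension in path
        'http://evil.example/x.png',                   // null: host not allowed
        'file://some.whitelisted.com/etc/passwd.png',  // null: scheme not http(s)
        'http://some.whitelisted.com:8080/a.png',      // null: explicit port
        'http://a@some.whitelisted.com/a.png',         // null: userinfo present
    ];
    foreach ($samples as $url) {
        printf("%-46s => %s\n", $url, validateImageUrl($url, ALLOWED_HOSTS, EXTENSION_MAP) ?? 'null');
    }
} elseif (isset($_GET['url'])) {
    $url  = (string) $_GET['url'];
    $type = validateImageUrl($url, ALLOWED_HOSTS, EXTENSION_MAP);
    if ($type === null) {
        http_response_code(404);
        exit;
    }
    $body = fetchImage($url);
    if ($body === false) {
        http_response_code(502);
        exit;
    }
    header('Content-Type: ' . $type);
    echo $body;
}
```

Run it with `php example.php` to see the validation verdicts for the sample URLs; behind a web server it answers `?url=` requests the same way the answer's script does, with a 404 for anything that fails validation. The allowlist still trusts whatever the listed names resolve to, so if those hosts are not under your control, resolving them and rejecting private or loopback ranges is a reasonable further step.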
