
How to protect against Log Injection attacks in PHP?

What is the best way to protect against Log Injection attacks in PHP? Of course, we should sanitize input, but the question is how, and what has to be sanitized?

For example, if I am logging something that can come from the user, the first step would be to make sure that what he enters does not cause problems in the OS or strange behaviour of the application. Then, if we display log entries somewhere in the application, we need to make sure that XSS and similar attacks are not possible.

I am looking at PHP sanitize filters as a possible solution, but I do not really know what I should filter out. What characters can be dangerous?

This is my opinion on the matter: I like keeping my logs as unfiltered as possible; I never filter the input except for new lines, to make sure there's one line per log entry.

You need to make sure of the following:

  • Never use include, require or eval to display your log file contents; read the file(s) using fopen or file and print out the contents.
  • Filter the output before displaying it; something like htmlentities, which changes quotes and HTML open/closing tags, would be good.
  • If you can display the output in a text area, the browser will display the data without executing the scripts if there's any XSS or otherwise malicious code present.
  • Make sure you store your log file in a folder that's not publicly/web accessible, and remove the execute permissions for user/group and all permissions for 'others'.
  • Final suggestion: try to hack your logs to make sure you covered all bases, and while you are at it, use a fuzzer to test for automated attacks.

While storing or displaying user input, always ensure you filter HTML tags like <script>, which may execute external JavaScript code on your site and may lead to session/cookie stealing.

Also filter tags like <style>, which might not cause any harm but can disturb your website layout.

Use regular expressions to validate input where there are no inbuilt functions for validation.
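An added illustration of the two answers above (this is not code from either answerer): each entry is written as a single line with CR/LF and other control characters neutralised, and the file is read and HTML-escaped for display instead of being included or evaluated. The log path, the tab-separated field layout and the sample input are assumptions constructed for the example.

```php
<?php
// Added example, not from the original answers. Log path below is a placeholder;
// real logs belong outside the web root, as the first answer recommends.
declare(strict_types=1);

function sanitizeLogField(string $value): string
{
    // Replace CR, LF, TAB and every other C0/DEL control character so that one
    // entry is exactly one line and terminal escape sequences cannot reach the file.
    return preg_replace('/[\x00-\x1F\x7F]/', '?', $value) ?? '';
}

function writeLogEntry(string $file, string $level, string $message, array $context = []): void
{
    $fields = [
        date('c'),
        strtoupper(sanitizeLogField($level)),
        sanitizeLogField($message),
    ];
    foreach ($context as $key => $val) {
        $fields[] = sanitizeLogField((string) $key) . '=' . sanitizeLogField((string) $val);
    }
    // LOCK_EX keeps concurrent requests from interleaving half-written lines.
    file_put_contents($file, implode("\t", $fields) . PHP_EOL, FILE_APPEND | LOCK_EX);
}

function renderLogForBrowser(string $file): string
{
    // Read the file; never include/require/eval it. Escape every line for HTML
    // so a stored <script> or <style> tag is shown as text, not interpreted.
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    $escaped = array_map(
        fn(string $l): string => htmlspecialchars($l, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $lines
    );
    return '<pre>' . implode("\n", $escaped) . '</pre>';
}

// Constructed sample input: a username that tries to smuggle in a second,
// forged log line and a script tag. Both survive only as harmless text.
$logFile   = sys_get_temp_dir() . '/app-example.log';   // placeholder path
$userInput = "alice\r\n2024-01-01T00:00:00+00:00\tINFO\tadmin logged in<script>alert(1)</script>";
writeLogEntry($logFile, 'warning', 'login failed', ['user' => $userInput]);
echo renderLogForBrowser($logFile);
```

The written line keeps the forged timestamp and tag as plain characters, so a log parser sees one entry and the browser shows the tag as literal text.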

The log file alone is not the problem. Just having a file, be it a binary with a virus in it, is not dangerous at all as long as it is not executed! The same is true for log files: as long as their contents do not trigger any code and misuse it in some way, there is no problem.

As @ahmad already mentioned, it becomes a problem if you use something like eval to display your log file, because that can very well execute code, and some dollar sign may allow an attacker to do much more than cross-site scripting alone.

But is fopen necessarily any better? No! Examples from the past have impressively shown it. One may think that cat is a safe way to display text on the console, but even that turned out to be wrong, and if even the simplest tool to print some text out is broken, you should not trust in anything, right?

In most cases it is not your software alone which makes something dangerous. It is often the combination with other software, which may be out of your control. Consider, for example, that you are not able to inspect every line of code in your newest system updates for potential side effects with your software.

Or let us assume that you do not have your own server, but you are a customer of a web service provider who takes care of the system configuration as well. Let us further assume that this service provider cares for security and has some kind of intrusion detection installed, like for example fail2ban. This may all work really well until you introduce your program into the service provider's environment (or the other way round), and it potentially allows an attacker to break fail2ban with something very regex-unfriendly to occupy the system as part of a denial of service attack (just guessing here, but the point gets clear, I hope).
