Most Web security issues fall into one of the three types below:
1. The server offers the public a service that should not be offered.
2. The server places private data in a publicly accessible area.
3. The server trusts data from untrusted sources.
Obviously, many server administrators have never looked at their servers from an outsider's perspective, for example with a port scanner. If they had, they would not run so many services on their systems; those services would not run on the machine that officially provides Web services, or would not be open to the public.
Such errors are often accompanied by insecure services that exist for maintenance and that can be used to steal information. For example, some Web servers provide a POP3 service to collect orders, or an FTP or even a database service to upload new page content. In some places these protocols may offer secure authentication (such as APOP) or even secure transport (such as SSL versions of POP or FTP), but more often people use the non-secure versions. Some protocols, such as the MSQL database service, have almost no authentication mechanism at all.
Probing your own network from outside the company, checking it completely and simulating what an outsider would see, is good advice for Web administrators. Some services are started in the default configuration after the machine is installed, or are started as a side effect of installation and initial setup, and may not have been closed properly. For example, some systems provide a Web server on a non-standard port to serve programming demonstrations and system manuals; these often contain errors and become a security risk. A production Web server that can be reached from the Internet should not run such services; be sure to shut them down.
9.1 Introduction to Common Web Server Vulnerabilities
Our purpose is to introduce you to the common vulnerabilities of Web servers, so that you can then try to find some Web server vulnerabilities yourself. But remember: do not look for a vulnerability merely for the sake of finding one. Besides, even if you find a vulnerability, whether it can be used is another question.
The main vulnerabilities of Web servers include physical path leakage, CGI source code leakage, directory traversal, arbitrary command execution, buffer overflow, denial of service, race conditions, and cross-site scripting. These are somewhat similar to CGI vulnerabilities, but differ in more places than they agree. Whatever the vulnerability, it reflects the truth that security is a whole: when considering the security of the Web server, the operating system it runs on must also be considered.
9.1.1 Physical Path Leakage
Physical path leakage generally occurs when the Web server mishandles a user request, for example an over-long request, a specially constructed request, or a request for a file that does not exist on the Web server. These requests share one feature: the requested file is a CGI script, not a static HTML page.
There is another case, in which the Web server's own output contains the physical path; that should be regarded as a design problem.
9.1.2 Directory Traversal
Directory traversal is fairly common on Web servers: appending "../" to any directory, or one of the variant forms of "../" such as "..//" or its encoded equivalents, can cause directory traversal. The plain form is not very common, but the variants are seen far more often; last year's very popular IIS secondary (double) decoding vulnerability and Unicode decoding vulnerability are both examples of such variant encodings.
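The decode-once-then-walk check below is an added example (not code from the original text) of how a server can refuse the traversal variants just described: plain "../", "..//", the backslash form, the double-encoded "%255c" case and the overlong UTF-8 "%c0%af" case. The document root WEB_ROOT is an assumed value.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/var/www/html"  # assumed document root for this example

def decode_request_path(raw: str) -> str:
    """Decode the URL path exactly once, then refuse anything still encoded.

    A server that decodes twice turns %255c into %5c and then into a backslash
    (the secondary-decoding case); decoding once and rejecting a leftover
    '%' closes that gap. Strict UTF-8 decoding rejects overlong sequences
    such as %c0%af (the Unicode-decoding case) instead of reading them as '/'.
    """
    decoded = unquote_to_bytes(raw)
    if b"%" in decoded:
        raise ValueError("percent sign remains after a single decode")
    if b"\x00" in decoded:
        raise ValueError("NUL byte in path")
    try:
        text = decoded.decode("utf-8")  # strict by default
    except UnicodeDecodeError as exc:
        raise ValueError("path is not valid UTF-8") from exc
    # IIS also treats the backslash as a separator, so normalize it first.
    return text.replace("\\", "/")

def resolve_under_root(raw: str, root: str = WEB_ROOT) -> str:
    """Map a request path to a file under root, or raise ValueError if any
    '..' (including '..//' style variants) would climb above root."""
    path = decode_request_path(raw)
    stack = []
    for segment in path.split("/"):   # empty segments absorb '//' and '/./'
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise ValueError("traversal above the web root")
            stack.pop()
            continue
        stack.append(segment)
    return posixpath.join(root, *stack) if stack else root

def is_traversal(raw: str) -> bool:
    """True when the request would be rejected by resolve_under_root."""
    try:
        resolve_under_root(raw)
    except ValueError:
        return True
    return False
```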
9.1.3 Executing Arbitrary Commands
Arbitrary command execution means executing arbitrary operating system commands, and mainly covers two cases. The first is executing system commands through directory traversal, as in the IIS secondary decoding and Unicode decoding vulnerabilities mentioned above. The other is when the Web server interprets a submitted request as an SSI command, thus allowing arbitrary commands.
9.1.4 Buffer Overflow
Buffer overflow vulnerabilities should be familiar to everyone: the Web server does not properly handle over-long input submitted by the user, which may be a long URL, an over-long HTTP header field, or other long data. Such a vulnerability may lead to arbitrary command execution or denial of service, depending on the architecture.
9.1.5 Denial of Service
The causes of denial of service are varied, mainly long URLs, special directories, over-long HTTP header fields, malformed HTTP headers, or DOS device files. Because the Web server does not know how to process these special requests, it terminates with an error or hangs.
9.1.6 Race Conditions
The race conditions here mainly concern management servers, which typically run as SYSTEM or root. When they need to use temporary files, they do not check the attributes of those files before writing them, which can lead to important system files being overwritten, or even to control of the system.
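The temporary-file race above, shown as an added example (not code from the original text): a privileged writer that does not check what is already at the temp path beside one that creates the file atomically and verifies it. The scenario in demo(), including the planted symlink, is constructed for illustration and assumes a POSIX filesystem.

```python
import os
import shutil
import stat
import tempfile

def unsafe_write(path: str, data: bytes) -> None:
    """The pattern the text warns about: write to a predictable temp name
    without checking what is there. open() follows symlinks, so a link
    planted at `path` redirects the write into whatever it points to."""
    with open(path, "wb") as fh:
        fh.write(data)

def safe_write(path: str, data: bytes) -> None:
    """Create the file atomically: O_EXCL fails if anything already exists at
    `path`, O_NOFOLLOW refuses a symlink, mode 0600 keeps it private, and
    fstat on the open descriptor confirms a fresh regular file before writing."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("%s is not a fresh regular file" % path)
        os.write(fd, data)
    finally:
        os.close(fd)

def demo() -> tuple:
    """Constructed scenario: a symlink has been planted at the temp name before
    the privileged writer runs. Returns (target_overwritten, safe_refused)."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "system.conf")  # stands in for a system file
        planted = os.path.join(workdir, "app.tmp")     # the predictable temp name
        with open(target, "wb") as fh:
            fh.write(b"original\n")
        os.symlink(target, planted)
        unsafe_write(planted, b"replaced\n")
        with open(target, "rb") as fh:
            target_overwritten = fh.read() == b"replaced\n"
        try:
            safe_write(planted, b"replaced\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        return target_overwritten, safe_refused
    finally:
        shutil.rmtree(workdir)
```

In practice tempfile.mkstemp() gives the same O_EXCL creation together with an unpredictable name, which removes the attacker's ability to guess the path in the first place.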
9.2 CGI Security
Now let's talk about what CGI (Common Gateway Interface) is. Physically, CGI is a program that runs on the server and provides an interface between the server and the client-side HTML page. That may not be easy to understand, so let's look at a real example. Most personal home pages today have a guestbook. It works like this: first, the user enters some information on the client side, such as a name. Then the user presses the "message" button (up to this point the work happens in the client),
and the browser transmits this information to a specific CGI program on the server, where the CGI program processes it in a predetermined way. In this example, the information submitted by the user is stored in a specified file. The CGI program then sends a message to the client indicating that the requested task is finished. At this point the user sees the word "end" in the browser, and the whole process ends.
CGI, the Common Gateway Interface, can be called a mechanism. So you can write suitable CGI programs in different languages, including Visual Basic, Delphi or C/C++; the program you have written runs on the Web server's computer, and its result is then delivered to the client's browser through the Web server. In practice this kind of development is harder and less efficient, because every modification requires re-compiling the CGI program into an executable file.
9.2.1 Why Use CGI
CGI can provide a number of features that HTML cannot, such as:
1. deciple
2. Submission and statistics of customer information forms
3. Search
4. Web databases
HTML alone has no way to remember any information from the client, even if the user is willing to let you know it. Nor can HTML record information in a particular file. To record client-side information on the server's hard drive, you have to use CGI. This is the most important role of CGI: it makes up for the shortcomings of HTML. Yes, it is only a supplement, not a replacement.
9.2.2 CGI Security Issues
In computing, and especially on the Internet, although most Web server programs are written to protect their content from being tampered with, as long as a CGI script has a security mistake, password files, private data and anything else can become accessible to intruders. By following some simple rules and staying vigilant to protect your CGI scripts from attack, you can protect your interests. CGI security as discussed here mainly covers two aspects: the security of the Web server, and the security of the CGI language. Let's begin with a classification of CGI problems. Generally, CGI problems fall into the following categories:
1. Exposure of sensitive or non-sensitive information;
2. Some services provided by default are not closed;
3. Vulnerabilities in some services are used to execute commands;
4. Applications have remote overflows;
5. Programming vulnerabilities in custom (non-general-purpose) CGI programs.
Let's look at the CGI vulnerabilities in detail:
● Configuration errors
Configuration error here mainly refers to improper settings of the CGI program and its data files, which can cause the CGI source or sensitive information to leak. Another frequent mistake is not deleting the installation script after the CGI program is installed, so that an attacker can reset the data remotely. A few days ago the "XX Great Alliance" forum was defaced, and it was caused by exactly this low-level error.
● Boundary condition errors
This error mainly affects CGI written in C. Using it, an attacker may launch a buffer overflow attack and thereby escalate privileges.
● Access verification errors
This problem arises mainly because the conditions used for verification are not sufficient to determine the user's identity, which often leads to unauthorized access, modification or even deletion of data the user has no rights to. There are generally two methods of determining user identity: account and password, and session authentication. Session authentication methods include userid authentication, cookie authentication, and so on.
● Source verification errors
The most common attack using this error is DoS, that is, denial of service. The "irrigation machine" (a forum flooding tool) that we know of exploits a CGI program that does not verify the source of submitted articles: it posts articles without interruption until the server's hard disk fills up and the server hangs.
● Input validation errors
This error causes the most security problems, mainly because special characters are not filtered. For example, not filtering "%20" causes malformed registrations; not filtering ".." often leaks system files; not filtering "$" often leaks sensitive information from the page; not filtering ";" often leads to arbitrary system commands; not filtering characters such as "\t" often leads to text file attacks; not filtering "'" and "#" often leads to SQL database attacks; not filtering "<" and ">" leads to cross-site scripting attacks; and so on.
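An added example (not code from the original text) of handling the characters listed above at three different sinks: an allow-list on the username field, a shell call without a shell, a string-built SQL query beside its parameterized form, and HTML escaping on output. The users table is constructed in memory, and "echo" stands in for whatever lookup command a real CGI would run.

```python
import html
import re
import sqlite3
import subprocess

# Allow-list for a username field: reject anything outside it rather than
# trying to strip ';', '$', '..', quotes, '<' or '>' after the fact.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username: %r" % value)
    return value

def is_rejected(value: str) -> bool:
    try:
        validate_username(value)
    except ValueError:
        return True
    return False

def shell_lookup(value: str) -> str:
    """Shell sink done safely: validated value, argv list, shell=False, so no
    shell ever parses ';'. 'echo' stands in for a real lookup command."""
    name = validate_username(value)
    out = subprocess.run(["echo", name], capture_output=True, text=True, check=True)
    return out.stdout.strip()

def unsafe_sql_lookup(conn: sqlite3.Connection, value: str) -> list:
    """The flaw the text describes: an unfiltered quote changes the query."""
    query = "SELECT name FROM users WHERE name = '%s'" % value
    return [row[0] for row in conn.execute(query)]

def sql_lookup(conn: sqlite3.Connection, value: str) -> list:
    """SQL sink done safely: a bound parameter keeps quotes and '#' as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (value,))
    return [row[0] for row in rows]

def html_greeting(value: str) -> str:
    """HTML sink done safely: escape on output so '<' and '>' cannot open a tag."""
    return "<p>Hello, %s</p>" % html.escape(value, quote=True)

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn
```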
● Unexpected processing failures
This error is also very common. For example, a file is opened directly without checking whether it is a device file; a file is read without checking that it is really the file whose content is expected; or a context attack leads to execution of arbitrary code.
● Policy errors
This error stems mainly from decisions made by the programmer of the CGI program. Examples: the original password generation mechanism is weak, so that exhaustive password guessing yields account passwords and leaks sensitive information; sensitive information is stored in files with a different extension from the CGI program, so the file can be downloaded directly;
the lost-password module lets the user change the password directly instead of sending the password to the user's registered mailbox; the login uses the account number together with the encrypted password, so that an attacker can log in without knowing the user's original password; and so on.
● Habits
A programmer's habits can also lead to security issues. Some text editors generate ".bak" files when a CGI program is modified; if the programmer does not delete these
backup files after editing, the CGI source code may be leaked. Also, if the programmer likes to put sensitive information (such as account passwords) in CGI files, then as long as an attacker has read permission (or uses some of the attack methods described above), the sensitive information may leak.
● Use errors