By Shaun Clowes, translated by Analysist
http://www.china4lert.org/
[Library files] As we discussed earlier, include() and require() exist mainly to support code libraries: we generally put frequently used functions into a separate file, and that independent file is the code library. When we need one of its functions, we include the library into the current file. Initially, when people developed and published PHP programs, they gave the library files an extension of their own in order to tell them apart from the main program, but they quickly discovered that this was a mistake, because such files cannot be parsed correctly as PHP code by the PHP interpreter. If we request such a file directly from the server, we get the file's source code, because when PHP runs as an Apache module the interpreter decides whether to parse a file as PHP code based on its extension. The extensions are specified by the site administrator and are generally ".php", ".php3" and ".php4". If important configuration data is contained in a PHP file without a suitable extension, a remote attacker can easily obtain that information.

The simplest solution is to give every file a PHP extension. This prevents the source-code leak but creates a new problem: by requesting such a file directly, an attacker can make code that was written to run in the context of another file run on its own, which can lead to all of the attacks discussed earlier. Here is an obvious example. In main.php:

    <?php
    $libdir  = "/libdir";
    $langdir = "$libdir/language";
    ...
    include("$libdir/loadLanguage.php");
    ?>

In libdir/loadLanguage.php:

    <?php
    ...
    include("$langdir/$userlang");
    ?>

When libdir/loadLanguage.php is included from main.php it is quite safe, but because libdir/loadLanguage.php has the extension ".php", a remote attacker can request it directly and then choose the values of "$langdir" and "$userlang".
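As an added example (written for this edition, not code from the article or from its author), here is the main.php / libdir/loadLanguage.php pair above rebuilt as one runnable script with two defensive changes: the library code refuses to run unless the entry point has defined a marker constant (IN_MAIN, a name assumed here), and $userlang selects a language code from a fixed list instead of being spliced into a path. The language directory and its files are created by the script itself; the whitelist and the realpath() containment check are additions, not part of the original code.

```php
<?php
// Added example, not from Shaun Clowes' article. It rebuilds the
// main.php / libdir/loadLanguage.php pair from the text as one runnable
// script and hardens it in two ways: the library refuses to run unless the
// entry point has set a marker constant, and $userlang selects a language
// from a fixed list instead of being spliced into a path. The language
// directory, its files and the marker name IN_MAIN are constructed for the demo.

// Goes at the top of libdir/loadLanguage.php: if the file is requested
// directly, IN_MAIN is undefined and the script stops before doing anything.
function refuse_direct_request() {
    if (!defined('IN_MAIN')) {
        header('HTTP/1.0 403 Forbidden');
        exit("This file cannot be requested directly.\n");
    }
}

// Replaces include("$langdir/$userlang"): the user's choice is matched against
// a whitelist, unknown values fall back to the default, and the final path is
// checked to lie inside $langdir as a second line of defence.
function resolve_language_file($langdir, $userlang) {
    $allowed = array('en', 'de', 'fr');             // language codes we ship
    if (!in_array($userlang, $allowed, true)) {     // strict: "en\0" is not "en"
        $userlang = 'en';
    }
    $real = realpath($langdir . '/' . $userlang . '.php');
    $base = realpath($langdir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                // missing file or outside $langdir
    }
    return $real;
}

// ---- what main.php does ----
define('IN_MAIN', true);          // set only by the entry point, before any include
refuse_direct_request();          // the library's guard now passes

// Constructed language files for the demo (in the article: $libdir/language).
$langdir = sys_get_temp_dir() . '/langdemo_' . getmypid();
mkdir($langdir);
file_put_contents("$langdir/en.php", "<?php \$strings = array('hello' => 'Hello');\n");
file_put_contents("$langdir/de.php", "<?php \$strings = array('hello' => 'Hallo');\n");

// Constructed values a request might carry in $userlang: one valid code,
// one whitelisted code whose file is missing, and two that the whitelist drops.
foreach (array('de', 'fr', "en\0", '../../outside') as $userlang) {
    $file = resolve_language_file($langdir, $userlang);
    if ($file === null) {
        echo json_encode($userlang), " -> refused\n";
        continue;
    }
    include $file;                // defines $strings from the chosen file
    echo json_encode($userlang), " -> ", basename($file), ": ", $strings['hello'], "\n";
}

unlink("$langdir/en.php");
unlink("$langdir/de.php");
rmdir($langdir);
```

Run it with php from the command line. Keeping the library directory outside the web root removes the direct-request problem without any guard code at all; the whitelist addresses the separate issue that $userlang is used as a path component.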
[Session files] PHP 4 and later support sessions, whose main role is to preserve state information between the pages of a PHP program. For example, when a user logs in to the website, the fact that he is logged in and who he is are saved in the session; while he browses the site, all PHP code can access this state information. In fact, when a session starts (it can also be set to start automatically in the configuration file), a random "session ID" is generated; as long as the remote browser submits this session ID with every request, the session is maintained. This is easy to implement with a cookie, or by including a form variable carrying the session ID in every page. A PHP program can register a special variable with the session: its value is saved to the session file after each PHP script finishes and loaded again before each PHP script begins.
Here is a simple example:

    <?php
    session_destroy();                // kill any data currently in the session
    $session_auth = "shaun";
    session_register("session_auth"); // register $session_auth as a session variable
    ?>

Newer versions of PHP automatically set the value of "$session_auth" to "shaun" in subsequent scripts. If it is modified, later scripts automatically receive the modified value. This is a very useful tool for the stateless web, but we must also be careful. One obvious issue is making sure that a variable really does come from the session. For example, given the code above, suppose a later script does the following:

    <?php
    if (!empty($session_auth))
        // grant access to the site here
    ?>

The code above assumes that if "$session_auth" is set, it came from the session rather than from user input. If an attacker sets it through a form, he can gain access to the site. Note that the attacker must use this attack before the variable is registered in the session; once the variable is placed in the session, it overrides any form input. Session data is usually saved in files (the location is configurable, generally "/tmp") whose names start with "sess_".
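Added example, not from the article: the access check above written so that login state can only come from the session. It keeps the article's `!empty($session_auth)` check for comparison, then shows a login function that verifies a password, regenerates the session ID and stores the user in $_SESSION, and a check that reads only that key. It runs from the command line on PHP 5.5 or later (password_hash() is used); the user table, the password and the key name auth_user are constructed for the demo.

```php
<?php
// Added example, not from the article: the access check from the text
// rewritten so that login state can only come from the session. Runs from
// the command line with PHP's default file-based session store; the user
// table with its password hash is constructed here for the demo.

// The check the article warns about, kept for comparison. With
// register_globals on, a form field named session_auth populates this global
// before the session variable exists, so any non-empty value passes.
// (Note also that empty("0") is true: a user whose name is "0" would be
// rejected here, which is the kind of inconsistency the next paragraph
// warns about.)
function vulnerable_is_authenticated() {
    global $session_auth;
    return !empty($session_auth);
}

// Hardened check: $_SESSION is filled only from the session store, never
// from request input, and the test matches exactly what login() stores.
function hardened_is_authenticated() {
    return isset($_SESSION['auth_user']) && $_SESSION['auth_user'] !== '';
}

// Login: verify the credentials, rotate the session ID so an ID issued
// before login is not carried over, then record who is logged in.
function login($username, $password, array $users) {
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['auth_user'] = $username;
    return true;
}

function logout() {
    $_SESSION = array();
    session_destroy();
}

// ---- demo ----
ini_set('session.use_cookies', '0');   // command-line demo: no browser to receive a cookie
session_start();
$users = array('shaun' => password_hash('correct horse', PASSWORD_DEFAULT)); // constructed

// A global the way register_globals would create it from a form field
// session_auth=x sent before any session variable was registered.
$session_auth = 'x';
$results = array(
    'vulnerable check with forged global' => vulnerable_is_authenticated(),
    'hardened check with forged global'   => hardened_is_authenticated(),
);

// A real login through the hardened path, first with the wrong password.
login('shaun', 'wrong password', $users);
$results['hardened check after wrong password'] = hardened_is_authenticated();
login('shaun', 'correct horse', $users);
$results['hardened check after correct password'] = hardened_is_authenticated();
logout();

foreach ($results as $label => $ok) {
    printf("%-42s %s\n", $label . ':', $ok ? 'access granted' : 'denied');
}
```

The forged global is enough for the vulnerable check and irrelevant to the hardened one, because $_SESSION is never populated from the request. Rotating the session ID at login is the usual companion to this change: it stops an ID that was handed out (or chosen) before authentication from remaining valid afterwards.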
The problem above should be considered carefully: for example, we should not test whether a variable equals "0" in one place and use empty() to verify it in another.

[Error-prone functions] When we analyse a PHP program for vulnerabilities, if we have the source code, a list of error-prone functions is very useful. If we can remotely change the parameters passed to these functions, we are likely to find vulnerabilities. Here is a more detailed list of error-prone functions:
* Setting the "allow_url_fopen" option to "Off" disables the remote file functions; this is recommended.

The article ends here. If you want to know more about related topics, please refer to the original text: http://www.securereality.com.au/studyinscarlet.txt