1

我使用 CheckMarx 平台来测试我的网站的安全性(测试联系表格),但不幸的是它告诉我有关标头注入风险,我已经为此应用了一些检查,但它仍然告诉我风险

究竟是什么问题?我希望你能理解这个问题,非常感谢你的建议!

这是我的php代码:

/* Preventing header injection */
function cleaninjections($test) {
// Remove injected headers
    $find = array("/bcc\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i",
        "/cc\:/i",
        "/from\:/i",
        "/to\:/i",
        "/Content\-Transfer\-Encoding\:/i");
    $ret = preg_replace($find, "", $test);
    return $ret;
}

// Specify which fields to require from form
$required_fields = array('name','email','phone', 'additional_info', 'company_type');

$errors = array();
$message = "";

foreach($_POST as $key => $value){
    $_POST[$key] = trim($value);
    $_POST[$key] = cleaninjections($value);
}

// Check required fields and return error if blank
foreach($required_fields as $value){
    if(!isset($_POST[$value]) || empty($_POST[$value])){
        $errors[] = "אנא מלא את כל השדות"; // message about empty fields  "אנא מלא את כל השדות"
    }
}

// Validate name field. Accepts a-z, space, period for Dr., and ' for O'Malley
if(isset($_POST['name']) && !empty($_POST['name'])){
    if(!preg_match("/^[a-z '.]+$/i",stripslashes($_POST['name']))){
        $errors[] = "שם לא חוקי"; // message about invalid name 'שם לא חוקי'
    }
}

// Validate email field
if(isset($_POST['email']) && !empty($_POST['email'])){
    if(!preg_match("/^[a-z0-9_.-]+@[a-z0-9.-]+.[a-z]{2,6}$/i",stripslashes($_POST['email']))){
        $errors[] = "כתובת דואר אלקטרוני אינה תקינה"; /* 'כתובת דואר אלקטרוני אינה תקינה' */ /* message about incorrect email */
    }
}

// Display any errors and exit if errors exist.
if (count($errors)) {
    $errors = array_unique($errors);
    foreach ($errors as $value) {
        print "<li> $value</li>";
    }
    exit;
}
/* Preventing header injection */

CheckMarx 顺序中的错误消息示例(其中之一):

注意短信

您还可以检查所有 PHP 代码:

<?php

/* Preventing header injection */
function cleaninjections($test) {
// Remove injected headers
    $find = array("/bcc\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i",
        "/cc\:/i",
        "/from\:/i",
        "/to\:/i",
        "/Content\-Transfer\-Encoding\:/i");
    $ret = preg_replace($find, "", $test);
    return $ret;
}

// Specify which fields to require from form
$required_fields = array('name','email','phone', 'additional_info', 'company_type');

$errors = array();
$message = "";

foreach($_POST as $key => $value){
    $_POST[$key] = trim($value);
    $_POST[$key] = cleaninjections($value);
}

// Check required fields and return error if blank
foreach($required_fields as $value){
    if(!isset($_POST[$value]) || empty($_POST[$value])){
        $errors[] = "אנא מלא את כל השדות"; // message about empty fields  "אנא מלא את כל השדות"
    }
}

// Validate name field. Accepts a-z, space, period for Dr., and ' for O'Malley
if(isset($_POST['name']) && !empty($_POST['name'])){
    if(!preg_match("/^[a-z '.]+$/i",stripslashes($_POST['name']))){
        $errors[] = "שם לא חוקי"; // message about invalid name 'שם לא חוקי'
    }
}

// Validate email field
if(isset($_POST['email']) && !empty($_POST['email'])){
    if(!preg_match("/^[a-z0-9_.-]+@[a-z0-9.-]+.[a-z]{2,6}$/i",stripslashes($_POST['email']))){
        $errors[] = "כתובת דואר אלקטרוני אינה תקינה"; /* 'כתובת דואר אלקטרוני אינה תקינה' */ /* message about incorrect email */
    }
}

// Display any errors and exit if errors exist.
if (count($errors)) {
    $errors = array_unique($errors);
    foreach ($errors as $value) {
        print "<li> $value</li>";
    }
    exit;
}
/* Preventing header injection */

// MailChimp API credentials
$apiKey = '17837943924******dbccb48e99-us18';
$listID = 'c0*****c9fa';

// MailChimp API URL
$memberID = hash('sha256', strtolower($_POST['email']));
$dataCenter = substr($apiKey,strpos($apiKey,'-')+1);
$url = 'https://' . $dataCenter . '.api.mailchimp.com/3.0/lists/' . $listID . '/members/' . $memberID;

// member information
$json = json_encode([
    'email_address' => $_POST['email'],
    'status'        => 'subscribed',
    'merge_fields'  => [
        'FNAME'     => $_POST['name'],
        'PHONE_NUMB'=> $_POST['phone'],
        'ADD_INFO'  => $_POST['additional_info'],
        'C_TYPE'    => $_POST['company_type'],
    ]
]);

// send a HTTP POST request with curl
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_USERPWD, 'user:' . $apiKey);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json);
$result = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch); ?>
4

2 回答 2

1

问题是您的函数cleaninjections只是刷了一些标题。所以对于 Checkmarx 来说,由于 header 很多,它认为是HTTP 注入 header的可能性

于 2018-09-20T09:17:06.390 回答
-1

好吧,您将用户数据用作 curl 的参数,即使您对输入进行了某种验证并将其放入 json 中,仍然可能存在某种“绕过”,我没有足够的时间考虑一种可能的方法来利用这一点,但是,将用户数据传递给 curl 之类的东西仍然不是一个好习惯。

这么说,你可能是安全的,除非可能的攻击者以某种方式设法看到这个源,否则很难通过黑盒渗透测试来利用它,不幸的是,我不是 curl 漏洞利用方面的专家,但这篇文章可以无论如何,正如我所说,你可能是安全的,特别是因为你正在使用 json 编码,它会清理你给他的数据。

TL;DR:你不应该担心太多,因为你正在使用 json_encode

https://statuscode.ch/2016/01/subtle-vulnerabilties-with-php-and-curl/

于 2018-09-03T08:50:35.870 回答