2
当我使用“Acunetix Web漏洞扫描器”扫描我的网站时,我非常惊讶。当我使用xss过滤获取参数时,Programm在页面上显示了很多xss漏洞。 例如:Codeigniter xss漏洞和其他安全问题
URL encoded GET input state was set to " onmouseover=prompt(967567) bad="
The input is reflected inside a tag parameter between double quotes.
我认为它是因为我不`吨显示404错误时,结果是空的(应该是)。我喜欢展示“的要求是空的”
我的控制器消息:
$this->pagination->initialize($config);
$this->load->model('aircraft_model');
$data['type'] = $this->input->get('type', TRUE);
$data['year'] = $this->input->get('year', TRUE);
$data['state'] = $this->input->get('state', TRUE);
$type_param = array (
'type' => $this->input->get('type', TRUE),
);
$parameters = array(
'year' => $this->input->get('year', TRUE),
'state_id' => $this->input->get('state', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['aircraft'] = $this->aircraft_model->get_aircraft($config['per_page'], $this->uri->segment(3, 1),$parameters, $type_param);
$data['title'] = 'Самолеты | ';
$data['error'] = '';
if (empty($data['aircraft']))
{
$data['error'] = '<br /><div class="alert alert-info"><b>По таким критериям не найдено ниодного самолета</b></div>';
}
$name = 'aircraft';
$this->template->index_view($data, $name);
即使当我打开全球XSS过滤程序发现XSS漏洞。 也许消息可能xss是错误的?
另外我有一个SQL注入。
Attack details:
Path Fragment input/was set to \
Error message found:
You have an error in your SQL syntax
SQL错误:
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 3
SELECT * FROM (`db_cyclopedia`) LIMIT -10, 10
控制器:
$this->load->model('cyclopedia_model');
$this->load->library('pagination');
$config['use_page_numbers'] = TRUE;
[pagination config]
$config['suffix'] = '/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$config['base_url'] = base_url().'cyclopedia/page/';
$count_all = $this->cyclopedia_model->count_all($this->input->get('type', TRUE));
if (!empty($count_all)){
$config['total_rows'] = $count_all;
}
else
{
$config['total_rows'] = $this->db->count_all('cyclopedia');
}
$config['per_page'] = 10;
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$this->pagination->initialize($config);
$parameters = array(
'cyclopedia_cat_id' => $this->input->get('type', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['type'] = $this->input->get('type', TRUE);
$data['cyclopedia'] = $this->cyclopedia_model->get_cyclopedia($config['per_page'], $this->uri->segment(3, 1),$parameters);
$data['title'] = 'Энциклопедия | ';
if (empty($data['cyclopedia']))
{
show_404();
}
$name = 'cyclopedia';
$this->template->index_view($data, $name);
而且一个有些问题,HTTP参数污染(GET参数)。
Attack details
URL encoded GET input state was set to &n954725=v953060
Parameter precedence: last occurrence
Affected link: /aircraft/grid/?type=&year=&state=&n954725=v953060
Affected parameter: type=
对不起,很多代码,但它的codeigniter /框架和安全第一次的经验。
UPDATE: 当网站的网址是这样site.com/1笨显示:
An Error Was Encountered
Unable to load your default controller. Please make sure the controller specified in your Routes.php file is valid.
如何制作节目404,而不是此消息?
总的来说CI安全性很弱。关于XSS过滤,他们采取了一种有点可疑的方法。 XSS是一个输出问题,他们把它当作输入问题来对待。你可以(应该)做的是用正则表达式或类似的东西检查每个输入参数。忘记'全球XSS检查',它不会那样工作。将每个可接受的模式值列入白名单。还要确保你逃脱了你注入SQL或其他语言的一切。 – 2013-03-01 13:41:49
@ patrick-savalle是否可以做你写的意思CodeIgniter? (如果是的话,你能告诉我如何对我的例子) 我不知道如何用正则表达式进行测试。 – Vitaliy 2013-03-01 14:05:11