PHP security for location header injection via $_GET

有刺的猬 2021-01-20 15:24

I've got this code on my page:

header("Location: $page");

$page is passed to the script as a GET variable, do I need any security? (if so what)

4 answers
  • 2021-01-20 15:48

    Yes, you do. Just because you or I can't immediately think of a way to take advantage of that little bit of code doesn't mean a more clever person can't. What you want to do is make sure that the redirect is going to a page that you deem accessible. Even this simple validation could work:

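    // Take the value from the query string; a missing parameter becomes ''.
    $page = $_GET['page'] ?? '';
    $safe_pages = array('index.php', 'login.php', 'signup.php');
    // Strict comparison (third argument) so only exact string matches pass.
    if (in_array($page, $safe_pages, true)) {
      header("Location: $page");
      exit; // stop here so nothing else runs after the redirect
    }
    else {
      echo 'That page is not accessible.';
    }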
    
  • 2021-01-20 15:49

    I could forward your users anywhere I like if I get them to click a link, which is definitely a big security flaw (Please login on www.yoursite.com?page=badsite.com). Now think of a scenario where badsite.com looks exactly like your site, except that it catches your user's credentials.

    You're better off defining a $urls array in your code and passing only the index to an entry in that array, for example:

    $urls = array(
        'pageName1' => '/link/to/page/number/1',
        'pageNumber2' => '/link/to/page/number/2',
        'fancyPageName3' => '/link/to/page/number/3',
    );
    # Now your URL can look like this:
    # www.yoursite.com?page=pageName1
    
  • 2021-01-20 15:55

    Or, at the very least, define a whitelist of allowed URLs, and only forward the user if the URL they supplied in the GET variable is in the list.

  • 2021-01-20 16:11

    This is a code injection vulnerability by the book. The user can enter any value he wants and your script will obey without any complaints.

    But one of the most important rules – if not the most important rule – is:

    Never trust the user data!

    So you should check what value has been passed and validate it. Even though a header injection vulnerability was fixed with PHP 4.4.2 and 5.1.2 respectively, you can still enter any valid URI and the user who calls it would be redirected to it. Even something as cryptic as ?page=%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f, which is URL-encoded for ?page=http://evil.example.com/.

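The key-to-path lookup from the second answer, completed as an added example (not code from any of the answers): the `?page=` value is used only as an array key and is never copied into the header, so the URL-encoded target from the last answer falls through to a default. The function name `resolve_redirect`, the `DEFAULT_TARGET` path and the sample inputs are assumptions made for illustration.

```php
<?php
// Server-defined targets, taken from the $urls array in the second answer.
const URLS = [
    'pageName1'      => '/link/to/page/number/1',
    'pageNumber2'    => '/link/to/page/number/2',
    'fancyPageName3' => '/link/to/page/number/3',
];
// Assumption: where to send requests whose key is unknown.
const DEFAULT_TARGET = '/index.php';

/**
 * Map the user-supplied ?page= value to a path the server chose.
 * User input selects an entry; it never becomes part of the Location value.
 */
function resolve_redirect($page): string
{
    // ?page[]=x reaches PHP as an array, so accept strings only.
    if (!is_string($page)) {
        return DEFAULT_TARGET;
    }
    // Exact key match; anything else gets the default.
    return URLS[$page] ?? DEFAULT_TARGET;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs. PHP has already URL-decoded $_GET values
    // by the time a script reads them; urldecode() reproduces that here.
    $samples = [
        'pageName1',
        'badsite.com',
        urldecode('%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f'),
        ['pageName1'],
    ];
    foreach ($samples as $sample) {
        printf(
            "%-28s => %s\n",
            json_encode($sample, JSON_UNESCAPED_SLASHES),
            resolve_redirect($sample)
        );
    }
} else {
    // Web request: redirect to the resolved path and stop the script.
    header('Location: ' . resolve_redirect($_GET['page'] ?? null), true, 302);
    exit;
}
```

Run from the command line, only the first sample resolves to `/link/to/page/number/1`; the other three all resolve to `/index.php`.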