What the MapGuide Enterprise 2010 XSS security hotfix teaches about secure .NET programming
2010-04-06 11:48
Cross-site scripting (XSS) is a common security weakness in web programming. It can allow an attacker, through a carefully crafted link, to inject script and run harmful code, and from there possibly gain control of the server and carry out other harmful activity. Below is the explanation from Wikipedia:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.
This issue was first discovered by Vancouver during a security review ahead of the Winter Olympics. Autodesk and the MapGuide OSGeo open-source community investigated it promptly and released this security hotfix. If your MapGuide site is publicly reachable from the Internet, you are advised to download and install it. Download address: http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=14915431&linkID=9242179
Published date: 2010-Mar-30
ID: DL14915431
Applies to: Autodesk MapGuide® Enterprise 2010
The following security hotfix addresses these issues:
1255324 - Cross Site Scripting vulnerabilities have been discovered in the MGE 2010 AJAX Viewer
These files can be applied to MGE 2010 Update 1 (TBWeb Update 1) or MGE 2010 Update 1b only.
mge_2010_security_hotfix_1255324.zip (zip - 198Kb)
Readme (select language version): English French German Italian Japanese Spanish
The corresponding security update for MapGuide Open Source will be released tomorrow.
Let's take a brief look at the problem from the source code. In the MapGuide AjaxViewer, some pages accept request parameters, for example:
http://ServerName/mapguide2010/mapviewerajax/mapframe.aspx?LOCALE=[LOCALE parameter]
http://ServerName/mapguide2010/mapviewerajax/mapframe.aspx?MAPDEFINITION=[MAPDEFINITION parameter]
…
Look at the part of mapframe.aspx that reads the LOCALE parameter. When the page loads it calls GetRequestParameters() to collect the parameters:
<script runat="server">
void GetRequestParameters()
{
    // Parameters arrive in the form body for POST, in the query string otherwise
    if ("POST" == Request.HttpMethod)
    {
        GetParameters(Request.Form);
    }
    else
    {
        GetParameters(Request.QueryString);
    }
}

void GetParameters(NameValueCollection parameters)
{
    type = GetParameter(parameters, "TYPE");
    locale = GetParameter(parameters, "LOCALE");
    if (locale == "")
        locale = GetDefaultLocale();
    … …
}
</script>
GetParameter is defined in common.aspx:
String GetParameter(NameValueCollection parameters, String name)
{
    // Returns the raw request value, trimmed; no validation of its content
    String strval = parameters[name];
    if (null == strval)
        return "";
    return strval.Trim();
}
Note that no special checking is done on the parameter here. If an attacker supplies carefully crafted script code as the parameter value, something of the form <script> *&(**&bad code goes here ^&&*&&**$##$%$%## </script>, it could cause damage to the MapGuide site.
The remedy is actually fairly simple: add one more line of defence by validating the parameters supplied by the client, so that malicious code is kept outside the door. The hotfix makes the following change:
void GetParameters(NameValueCollection parameters)
{
    type = GetParameter(parameters, "TYPE"); // "DWF" or other
    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
    // ... ...
    mapDefinition = ValidateResourceId(GetParameter(parameters, "MAPDEFINITION"));
}
The value is validated with a regular expression:
String ValidateLocaleString(String proposedLocaleString)
{
    // aa or aa-aa
    String validLocaleString = GetDefaultLocale(); // Default
    if (proposedLocaleString != null &&
        (System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}$") ||
         System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}-[A-Za-z]{2}$")))
    {
        validLocaleString = proposedLocaleString;
    }
    return validLocaleString;
}
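As an added example (not code from the MapGuide hotfix), the following self-contained C# console program mirrors the allowlist idea of ValidateLocaleString and runs it over a few constructed inputs, including a script payload, so you can see which values fall back to the default. The default locale "en", the ValidateLocale name and the use of WebUtility.HtmlEncode as a second, output-side defence are assumptions of this example.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not the MapGuide patch code. Same allowlist as the hotfix:
// accept only "aa" or "aa-aa", otherwise fall back to a default locale.
static class LocaleValidation
{
    // Assumed default; MapGuide's own GetDefaultLocale() is not reproduced here.
    const string DefaultLocale = "en";

    // One anchored pattern covers both forms the hotfix accepts. \z is used
    // instead of $ because in .NET $ also matches before a trailing newline.
    static readonly Regex LocalePattern =
        new Regex(@"^[A-Za-z]{2}(-[A-Za-z]{2})?\z", RegexOptions.CultureInvariant);

    public static string ValidateLocale(string proposed)
    {
        // GetParameter() trims the raw value; do the same, null-safely.
        string candidate = proposed == null ? "" : proposed.Trim();
        return LocalePattern.IsMatch(candidate) ? candidate : DefaultLocale;
    }

    static void Main()
    {
        // Constructed inputs: valid values, empty/null, a too-long tag, a payload.
        string[] inputs = { "en", "zh-CN", "", null, "en-US-x", "<script>alert(1)</script>" };
        foreach (string input in inputs)
        {
            string locale = ValidateLocale(input);
            // Even an allowlisted value is HTML-encoded before being written into
            // the page, so output encoding stays a second line of defence.
            string safeForHtml = WebUtility.HtmlEncode(locale);
            Console.WriteLine("{0,-28} -> {1}", input ?? "(null)", safeForHtml);
        }
    }
}
```

Only "en" and "zh-CN" pass through; every other input is replaced by the default, so nothing attacker-controlled reaches the page.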
Good, that is much more reassuring now! If your system has not been patched yet, download and apply the hotfix.
The discussion here covers the .NET version; the Java and PHP versions have the same problem and corresponding patches that you can download and install. Here is the address again: http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=14915431&linkID=9242179 峻祁连 (Daniel Du)