Looking at .NET programming security through the MapGuide Enterprise 2010 XSS security hotfix

    Cross-site scripting (XSS) is a common security weakness in web programming. It can let an attacker, by way of a carefully crafted link, inject a script that runs harmful code, with the potential of gaining control of the server and going on to other harmful activity. Below is the explanation quoted from Wikipedia:

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.

    This issue was first discovered by the City of Vancouver during a security check ahead of the Winter Olympics. Autodesk and the MapGuide OSGeo open-source community investigated it promptly and released this security hotfix. If your MapGuide site is publicly reachable from the Internet, it is recommended that you download and install it. Download address: http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=14915431&linkID=9242179

    Published date: 2010-Mar-30
    ID: DL14915431

    Applies to:
    Autodesk MapGuide® Enterprise 2010

    The following security hotfix addresses these issues:

    1255324 - Cross Site Scripting vulnerabilities have been discovered in the MGE 2010 AJAX Viewer

    These files can be applied to MGE 2010 Update 1 (TBWeb Update 1) or MGE 2010 Update 1b only.


    mge_2010_security_hotfix_1255324.zip (zip - 198Kb)


    The corresponding security update for MapGuide Open Source will also be released tomorrow.

    Let us take a brief look at the issue from the source code. In the MapGuide AjaxViewer some pages need to accept request parameters, for example:

    http://ServerName/mapguide2010/mapviewerajax/mapframe.aspx?LOCALE= [LOCALE parameter]

    http://ServerName/mapguide2010/mapviewerajax/mapframe.aspx?MAPDEFINITION= [MAPDEFINITION parameter]

    Take the source that mapframe.aspx uses to read the LOCALE parameter. When the page loads it calls GetRequestParameters() to collect the relevant parameters.


    <script runat="server">

    // Called on page load: picks the parameter collection by HTTP method.
    void GetRequestParameters()
    {
        if ("POST" == Request.HttpMethod)
        {
            GetParameters(Request.Form);
        }
        else
        {
            GetParameters(Request.QueryString);
        }
    }

    // Copies request parameters into page fields; nothing beyond GetParameter's Trim() is applied.
    void GetParameters(NameValueCollection parameters)
    {
        type = GetParameter(parameters, "TYPE");

        locale = GetParameter(parameters, "LOCALE");
        if (locale == "")
            locale = GetDefaultLocale();

        … …
    }


    GetParameter is defined in common.aspx:

    // Returns the raw parameter value, trimmed; a missing parameter becomes "".
    String GetParameter(NameValueCollection parameters, String name)
    {
        String strval = parameters[name];
        if (null == strval)
            return "";

        return strval.Trim();
    }
    


    Note that no special check is performed on the parameter here. If an attacker supplies carefully crafted script code as the parameter value, something of the form <script> *&(**&bad code goes here ^&&*&&**$##$%$%## </script>, it could cause damage to the MapGuide site.

    The remedy is actually fairly simple: add one more line of defense by validating the parameters the client supplies, so that malicious code is kept outside the door. Our hotfix makes the following changes:

    void GetParameters(NameValueCollection parameters)
    {
        type = GetParameter(parameters, "TYPE"); // "DWF" or other
        sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
        locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
        // ... ...

        mapDefinition = ValidateResourceId(GetParameter(parameters, "MAPDEFINITION"));
    }


    The value is validated with a regular expression:

    String ValidateLocaleString(String proposedLocaleString)
    {
        // aa or aa-aa
        String validLocaleString = GetDefaultLocale(); // Default
        if(proposedLocaleString != null && (System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}$") || 
            System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}-[A-Za-z]{2}$")))
        {
            validLocaleString = proposedLocaleString;
        }
        return validLocaleString;
    }
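As an added example (not code from the MapGuide hotfix), a small C# console program that puts the patched allow-list check beside the unpatched trim-only path; the default locale "en", the class name and the sample inputs are assumptions:

```csharp
using System;
using System.Text.RegularExpressions;

// Allow-list validation of the viewer's LOCALE parameter, next to the trim-only
// path the unpatched viewer used. Sample inputs below are constructed.
static class LocaleValidation
{
    // Same shapes the hotfix accepts ("aa" or "aa-aa"), folded into one pattern.
    // \z is used instead of $ because in .NET, $ also matches before a trailing
    // "\n"; \z matches only at the true end of the string.
    static readonly Regex LocalePattern =
        new Regex(@"^[A-Za-z]{2}(-[A-Za-z]{2})?\z", RegexOptions.CultureInvariant);

    // Assumed default; the real viewer's GetDefaultLocale() reads its configuration.
    const string DefaultLocale = "en";

    // Unpatched behaviour: whatever arrived is trimmed and used as-is.
    public static string GetParameterUnpatched(string value)
    {
        return value == null ? "" : value.Trim();
    }

    // Patched behaviour: anything outside the allow-list falls back to the default,
    // so attacker-controlled text never reaches the page.
    public static string ValidateLocaleString(string proposed)
    {
        if (proposed != null && LocalePattern.IsMatch(proposed))
            return proposed;
        return DefaultLocale;
    }

    static string Show(string s)
    {
        return "\"" + s.Replace("\n", "\\n") + "\"";
    }

    static void Main()
    {
        // Constructed inputs: plain locale, locale with region, script markup of the
        // kind the post describes, and a value with a trailing newline.
        string[] samples = { "en", "zh-CN", "<script>bad code goes here</script>", "fr\n" };
        foreach (string s in samples)
        {
            Console.WriteLine("raw={0,-40} unpatched={1,-40} patched={2}",
                Show(s), Show(GetParameterUnpatched(s)), Show(ValidateLocaleString(s)));
        }
    }
}
```

In the patched viewer the value passes through GetParameter's Trim() before validation, so the trailing-newline case is already handled there; the \z anchor matters when a validator is reused on untrimmed input.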


    Good, that is much more reassuring! If your system has not been patched yet, download and apply the hotfix.

    What is discussed here is the .NET version; the Java and PHP versions have the same problem and have corresponding hotfixes that you can download and install. Here is the address once more: http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=14915431&linkID=9242179


    峻祁连 (Daniel Du)

    Author: 峻祁连 (Daniel Du)
    Email: junqilian@163.com
    Source: http://junqilian.cnblogs.com
    Please keep this notice when reposting.
    Original article: https://www.cnblogs.com/junqilian/p/1705207.html