How to avoid a buffer overflow on Drupal hidden fields?

Posted: 2012-04-18 07:50:48

Tags: php security drupal

I ran a test with IBM AppScan against a finished website and it returned a bunch of errors that largely relate to the Drupal search form block. Here is an excerpt of one of the errors:

    [13 of 37] Parameter Value Overflow
    Severity: High
    Test Type: Application Invasive
    Vulnerable URL: http://[my-web-address]/contact
    CVE ID(s): N/A
    CWE ID(s): 120
    Remediation Tasks: Limit the length of input fields to avoid buffer overflow
    Variant 1 of 5 [ID=97491]
    The following changes were applied to the original request:
    • Set parameter 'form_build_id's value to
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAA...
    Request/Response:
    This request/response contains binary content, which is not included in generated
    reports.
    Validation In Response:
    N/A
    Reasoning:
    The test caused the server to stop responding (an erroneous response was returned, such as cut
    connection or time out). The original request was then resent and also failed, confirming that the
    server had stopped responding.

Any pointers on what needs to be done would be appreciated, thanks.

2 answers:

Answer 0 (score: 0)

If you use a language with non-English input in your forms, it is better to use the mb_substr() function, which preserves unusual characters such as é, ù, etc. (almost like kirilloid's solution), together with the filter_var() function, which strips tags and optionally strips or encodes special characters, to protect yourself from different kinds of injection attacks.

    // Strip tags from the submitted value, then cap it at 100 characters.
    $form_build_id = mb_substr(filter_var($_GET['form_build_id'], FILTER_SANITIZE_STRING), 0, 100);

Here are the mb_substr() details and here the filter_var() details. Note that mb_substr() requires PHP 4.0.6 or higher and the filter_var() function requires PHP 5.2 or higher.

Answer 1 (score: 0)

The 'form_build_id' input is an internal identifier of Drupal's Form API. It is used early in drupal_build_form(). It should be a base64-encoded sha-256 hash, with + replaced by -, / replaced by _, and any = padding characters removed.

A form alter function may not get to touch it before the buffer overflow happens. So the right place to sanitize it would be drupal_build_form(), something like

    [...]
    // Only consult the form cache when the posted form_id matches and a build id was sent.
    $check_cache = isset($form_state['input']['form_id']) && $form_state['input']['form_id'] == $form_id && !empty($form_state['input']['form_build_id']);
    if ($check_cache) {
      // Strip tags and cap the id at 100 characters before it reaches the cache lookup.
      $form_build_id = drupal_substr(filter_var($form_state['input']['form_build_id'], FILTER_SANITIZE_STRING), 0, 100);
      $form = form_get_cache($form_build_id, $form_state);
    }
    [...]

But it would be better to report this as a security issue on Drupal.org and submit your patch there. That is the best place to get your problem resolved and reviewed.
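Both answers above bound the value by truncating it after filter_var(). A stricter alternative, added here as an example and not code from the question, either answer or Drupal itself, is to validate the parameter against the shape the second answer describes and reject anything else before it reaches the cache. PHP strings carry their own length, so an oversized parameter cannot overrun a fixed buffer inside the application; what the scanner actually observed was the server failing to respond, and refusing malformed ids up front is the cheap way to keep a multi-kilobyte value out of the form cache path. The 48-character layout (`form-` plus 43 base64url characters of a SHA-256 digest) and the helper names are assumptions based on that answer; `FILTER_SANITIZE_STRING` is kept only to show the answers' own approach side by side and is deprecated in PHP 8.1 and later.

```php
<?php
// Added example, not from the question, the answers, or Drupal core.
// Assumption: a Drupal 7 form_build_id is 'form-' followed by the base64url
// encoding (43 characters, no '=' padding) of a 32-byte SHA-256 digest.
define('FORM_BUILD_ID_LEN', 48);  // strlen('form-') + 43

/**
 * Return TRUE only if $id has the expected form_build_id shape.
 * The length test runs first, so a 10,000-byte value is rejected without
 * the regex engine ever walking it.
 */
function is_valid_form_build_id($id) {
  if (!is_string($id) || strlen($id) !== FORM_BUILD_ID_LEN) {
    return FALSE;
  }
  // base64url alphabet: A-Z a-z 0-9 '-' '_'
  return preg_match('#^form-[A-Za-z0-9_-]{43}$#', $id) === 1;
}

/**
 * The sanitize-and-truncate approach from the answers, for comparison.
 * It shortens oversized input but still passes malformed ids through.
 */
function sanitize_form_build_id($id) {
  return mb_substr(filter_var($id, FILTER_SANITIZE_STRING), 0, 100);
}

/**
 * Build an id with the assumed layout (hypothetical helper, used only so the
 * demo has a well-formed value to compare against).
 */
function make_form_build_id() {
  $digest = hash('sha256', uniqid(mt_rand(), TRUE) . mt_rand(), TRUE);
  return 'form-' . strtr(rtrim(base64_encode($digest), '='), '+/', '-_');
}

// Constructed inputs: a well-formed id, the scanner's 'AAAA...' payload,
// and a value that smuggles markup into the parameter.
$inputs = array(
  'well-formed' => make_form_build_id(),
  'scanner'     => str_repeat('A', 10000),
  'markup'      => 'form-<script>' . str_repeat('x', 30),
);

foreach ($inputs as $label => $value) {
  printf("%-12s len=%5d strict=%-3s sanitized_len=%d\n",
    $label,
    strlen($value),
    is_valid_form_build_id($value) ? 'ok' : 'no',
    strlen(sanitize_form_build_id($value)));
}
```

Run it with `php` on the command line. The strict check accepts only the well-formed id; the scanner payload and the markup-bearing value are refused before any cache lookup, whereas the sanitize-and-truncate path merely shortens them. In drupal_build_form() the equivalent change is to skip the form_get_cache() call entirely when is_valid_form_build_id() returns FALSE, which is what the second answer's suggestion of patching that function, and reporting it upstream, amounts to.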