Websecurify accesses pages that should be protected

Time: 2012-03-13 13:17:15

Tags: php security authentication bots unauthorized

I have created an application in PHP. I am not an OOP developer; everything I know I taught myself. I have a login screen and a file that I include at the top of all my files. This file checks whether the user is authorized and whether the session is OK, then grants access; otherwise it redirects to the login page.

I thought this was secure, but I used Websecurify (Chrome add-on) and it gave me many security errors that I have to check. The errors come from PHP pages that are "protected" by username/password authentication and a session cookie.

Websecurify accessed forms, posted data and did many things on pages that should be protected. How can I protect my scripts from scrapers and bots?

Websecurify also said about Apache authentication = "The application uses WWW authentication. This type of authentication is generally considered insecure and vulnerable to a range of attacks."

Is this true? I really need your opinion on how to protect my PHP scripts from unauthorized access.

The file I include at the top of all PHP scripts is this:

```php
<?php
session_start();

// set timeout period in seconds
$inactive = 3600;

// check to see if $_SESSION['timeout'] is set
if( isset($_SESSION['timeout']) )
{
  $session_life = time() - $_SESSION['timeout'];
  if( $session_life > $inactive )
  {
    session_destroy();
    header("location:http://localhost/test/login.php");
  }
}
$_SESSION['timeout'] = time();

if( !isset($_SESSION['client']) )
{
  header("location:http://localhost/test/login.php");
}
else
{
  // authorize user and store some session vars
}
```

My login page is:

```php
<?php
session_start();
if($_GET['a']=="logout") {session_destroy();header("location:login.php");}
if(!isset($_SESSION['attempts'])) {$_SESSION['attempts'] = 0; session_commit();}
session_start();

?>
<?php
include_once("vars.php");
include ('mysql_connect.php');
$username=mysql_real_escape_string($_POST["username"]);
$password=mysql_real_escape_string($_POST["password"]);
$error=0; // initialise so the check further down does not read an undefined variable


if($_SESSION['attempts']==4){
    echo "<div class=\"error\">You can try one more time.</div>";
    }

if($_SESSION['attempts']>4){


// check if blocked username

$sql="SELECT * FROM isec_block WHERE username = '$username' and status=1";
$sql=mysql_query($sql);
$sql_row = mysql_fetch_array($sql);
$allrows = mysql_num_rows($sql);
$nowdate = strtotime(date('Y-m-d H:i:s'));
if($allrows>0){
$db_date = strtotime($sql_row['time_limit']);


    if($db_date < $nowdate){
    //unblock user
    $sql="UPDATE isec_block SET status=0 WHERE username = '$username'";
    $sql=mysql_query($sql);
    echo "<div class=\"error\">Notice: Your account is open now.</div>";
    $_SESSION['attempts'] = 0; session_commit();
    session_start();
    }else{
    $error=1;
    echo "<div class=\"error\">Multiple failed login attempts.</div>";
    }
}

// eof check if blocked username

$error=1;
if($_SESSION['attempts']>0) echo "<div class=\"error\">ERROR: Try again in 30 minutes please.</div>";
$ip =  $_SERVER['REMOTE_ADDR'];



    if($_SESSION['attempts']==5){

    // store error login
    $sql="INSERT INTO `isec_log` (username,ip,date,status) VALUES ('".$username."','$ip',NOW(),1)";
    $result=mysql_query($sql);

    // block username for x time
    $timeToBuildStructure = 300; // seconds
    $now = time(); // current time (seconds since 1/1/1970)
    $finishedBuilding = $now + $timeToBuildStructure;
    $newdate = date("Y-m-d H:i:s",$finishedBuilding);
    $sql="INSERT INTO isec_block (username,time_limit,status) VALUES ('".$username."','$newdate',1)";
    $result=mysql_query($sql);
    }

$_SESSION['attempts']= $_SESSION['attempts'] + 1;
}



if($username!=="" && $password!=="" && $error<>1)
{
    $sql="SELECT * FROM isec_usertable WHERE username='$username' AND password='$password'";
    $result=mysql_query($sql);
    $row_result= mysql_fetch_assoc($result);
    $authenticated = $row_result['username'];
    $authenticatedid = $row_result['id'];
    $authenitcatedate = $row_result['Lastvisit'];
    $authenticatedtype = $row_result['rights'];
    $authenticatestatus = $row_result['status'];
    $rows=mysql_num_rows($result);


       if ($rows==1 and $authenticatestatus==1){
       $_SESSION['client']=$authenticated;
       $_SESSION['id']=$authenticatedid;
       $_SESSION['ldate'] = $authenitcatedate;
       $_SESSION['rights'] = $authenticatedtype;
       $_SESSION['client_id'] = $row_result['client'];
       $_SESSION['isLoggedIn'] = true;
       $_SESSION['imagemanager.filesystem.rootpath'] = "../../../../../UserFiles/".$authenticatedid;

       // add visit data
       $ip =  $_SERVER['REMOTE_ADDR'];
       $visitdate="UPDATE `usertable` SET Lastvisit=NOW(), visits=visits+1 WHERE id='$authenticatedid'";
       $result=mysql_query($visitdate);
       // eof visit date

       // store error login
        $sql="INSERT INTO isec_log (username,ip,date,status) VALUES ('$username','$ip',NOW(),0)";
        $result=mysql_query($sql);
       header("location:index.php");
       } else {
       $_SESSION['attempts']= $_SESSION['attempts'] + 1;
        //header("location:login.php?er=1");
        echo "<div class=\"error\">ERROR: Wrong password or inactive account</div>";
       $error=1; }
}


?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
<link href="general_css.css" rel="stylesheet" type="text/css" />
</head>
<body><?php if($_GET['er']==1) {echo "<div class=\"error\">ERROR: Wrong password or inactive account</div>";} ?>
<div id="container">
    <div id="logo"><img src="template/isec-logogif.gif" width="285" height="64" /></div>
    <?php include_once("header-icons.php");?>
    <div id="main">
<div class="actionsblock">
            <div class="actionheader">Login</div>
              <form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
                <table width="100%" border="0" cellspacing="5" cellpadding="5">
                  <tr>
                    <td width="17%" class="menublock"><div align="right"><a href="pages/clients-add.php"></a><a href="pages/clients.php"></a>Username</div></td>
                    <td width="17%" class="menublock"><label>
                      <input name="username" type="text" class="formfield_client" id="username" value="<?php echo $_POST['username'];?>" />
                    </label></td>
                  </tr>
                  <tr>
                    <td class="menublock"><div align="right">Password</div></td>
                    <td class="menublock"><input name="password" type="password" class="formfield_client" id="password" /></td>
                  </tr>
                  <tr>
                    <td class="menublock"><div align="right"><a href="myip.php?ip=<?php echo $_SERVER['REMOTE_ADDR'];?>" target="_blank"><img src="template/dot.gif" alt="ip" width="10" height="9" /></a></div></td>
                  <td class="menublock"><label>
                      <input type="submit" name="submit" id="submit" value="Connect" />
                    </label></td>
                  </tr>
                </table>
      </form>
      </div>
    </div>

</div>
</body>
</html>

<?php
mysql_close($dbc);
?>
```

1 answer:

Answer 0: (score: 0)

This is very insecure code. You cannot block access to any page. You are not hashing passwords, and it is vulnerable to XSS.

Let's start with access control: the header() function adds an arbitrary HTTP header to the response, but the PHP code keeps executing normally.

This does not block access to anything; it only redirects the browser:

```php
header("location:http://localhost/test/login.php");
```

It's like saying this line of code blocks access:

```php
header("Message: Go away!");
```

This blocks access to the page, by calling die():

```php
header("location:http://localhost/test/login.php");
die();
```

XSS vectors:

```php
echo $_POST['username'];

echo $_SERVER['PHP_SELF'];
```

Patched:

```php
echo htmlspecialchars($_POST['username'], ENT_QUOTES);

echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
```
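As an added example (not part of the answer above and not the asker's code), here is how the guard include and the login check could be rewritten so that the three points raised in the answer are addressed together: the redirect is followed by `exit` so nothing after it runs, passwords are stored with `password_hash()` and checked with `password_verify()` over a prepared statement instead of a string-built query, and anything echoed into HTML goes through `htmlspecialchars()`. The table and column names (`users`, `username`, `password_hash`, `status`), the `PDO` connection and the `/test/login.php` path are assumptions for the example.

```php
<?php
// auth_guard.php (added example): include at the top of every protected page.
// Assumed table: users(id, username, password_hash, status).
declare(strict_types=1);

session_start();

const INACTIVE_LIMIT = 3600; // seconds of inactivity before the session is dropped

// Redirect AND stop execution: header() alone lets the rest of the page run.
function redirect_to_login(): void
{
    session_unset();
    session_destroy();
    header('Location: /test/login.php'); // assumed path
    exit;
}

// Escape anything echoed into HTML (closes the XSS vectors named in the answer).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Call this from every protected page instead of relying on the bare header() call.
function require_login(): void
{
    if (!isset($_SESSION['client'])) {
        redirect_to_login();
    }
    if (isset($_SESSION['timeout']) && time() - $_SESSION['timeout'] > INACTIVE_LIMIT) {
        redirect_to_login();
    }
    $_SESSION['timeout'] = time();
}

// Login check with a prepared statement and a stored password hash.
// $db is an assumed PDO connection, e.g. new PDO('mysql:host=localhost;dbname=isec', $user, $pass).
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, username, password_hash, status FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown so that
    // "no such user" and "wrong password" take a similar amount of time.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || (int) $row['status'] !== 1 || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['client']  = $row['username'];
    $_SESSION['id']      = (int) $row['id'];
    $_SESSION['timeout'] = time();
    return true;
}

// When creating an account, store password_hash($plainText, PASSWORD_DEFAULT), never the plain text.
```

In `login.php` the form handler becomes `if (check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: index.php'); exit; }`, and the username echoed back into the form is written as `h($_POST['username'] ?? '')`. Protected pages call `require_login()` as their first statement; because `redirect_to_login()` ends with `exit`, the page body below it is never sent to an unauthenticated client, which is exactly what the original include failed to guarantee.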