【问题标题】:Pci-compliance Cross-site Scripting - contact formPci 合规性跨站点脚本 - 联系表
【发布时间】:2011-11-17 19:54:11
【问题描述】:

长期观看,第一次发帖。我是 php 新手,希望有人能提供帮助。我使用此网站上的联系表格Tutorial Stag Contact Form Php Ajax Jquery 遇到了 pci 合规问题。我想知道我需要做什么才能合规,我用控制扫描运行了代码,这就是返回的内容:

Summary: 
Cross-Site Scripting

Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004

Information From Target:
Regular expression ".{0,1}'.{0,1}">" matched contents of /contactform.php/'">.

Query Parameters

Fritko - '">
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.Details:

XSS is a type of computer security vulnerability typically found 
in web applications which allow code injection by malicious web 
users into the web pages viewed by other users. Examples of such 
code include HTML code and client-side scripts. 

An attacker can use this vulnerability to completely alter the 
layout of a particular page for a specific user or to force the 
user to launch malicious javascript. 

Cross site scripting occurs when user input is not properly 
encoded by the application prior to display back to the user. In 
order to fix this issue, the application developers must encode 
most non-alphanumeric user-supplied data into their corresponding 
HTML characters before the data is displayed back to the user. For 
example, " would convert to &quot and < would convert 
to &lt; 

There are built in functions for different languages that may do 
the encoding for you. In PHP you can use the htmlspecialchars() 
function In .Net you can use the Server.HtmlEncode() function. 

在进行大量谷歌搜索时,我迷失了应该添加什么来解决问题。网站上的代码正是我使用的。你们能帮我解决这个问题吗?如果您访问该网站,您将能够查看完整的代码并帮助我,我将不胜感激!

【问题讨论】:

  • 您似乎使用自动化工具收集了这些信息。您需要手动查看给出的信息是否为误报。因此,您首先需要了解 XSS 是什么,并且您需要学习(阅读)相关代码。两者都是只能由您自己完成的操作(学习),这太宽泛了,恕我直言。

标签: php jquery contact-form cross-site pci-compliance


【解决方案1】:

尝试使用htmlspecialchars() 这会将 HTML 转换为指定用于表示原始内容的特殊字符,而无需浏览器评估。这可以防止某人提交带有“姓名”或“电话号码”的表单,比如

<iframe src="http://www.facebook.com/changepassword.php?newpass=test123&verify=test123" height=0 width=0>

如果不转义 HTML,如果将此数据输出到浏览器将是一个安全问题。如果转义,则将显示实际文本而不是 iframe。 (就像在这个网站上一样)

变化:

$javascript_enabled = trim($_REQUEST['browser_check']);   
$department = trim($_REQUEST['dept']);   
$name = trim($_REQUEST['name']);   
$email = trim($_REQUEST['email']);   
$phno = trim($_REQUEST['phno']);   
$subject = trim($_REQUEST['subject']);   
$msg = trim($_REQUEST['msg']);   
$selfcopy = trim($_REQUEST['selfcopy']);

到:

$javascript_enabled = trim(htmlspecialchars($_REQUEST['browser_check']));   
$department = trim(htmlspecialchars($_REQUEST['dept']));   
$name = trim(htmlspecialchars($_REQUEST['name']));   
$email = trim(htmlspecialchars($_REQUEST['email']));   
$phno = trim(htmlspecialchars($_REQUEST['phno']));   
$subject = trim(htmlspecialchars($_REQUEST['subject']));   
$msg = trim(htmlspecialchars($_REQUEST['msg']));   
$selfcopy = trim(htmlspecialchars($_REQUEST['selfcopy']));

【讨论】:

  • 这假定数据实际上会进入 MySQL。如果它被嵌入到电子邮件中,那么 mysql_real_escape_string() 比没用更糟糕。
  • 感谢回复,数据不会进入 MySQL。它只是发送到一个电子邮件地址,信息为纯文本。
  • 马克好!出于某种原因,我在想 htmlspecialchars,然后输入了 real_mysql_escape_string()。
  • 感谢大卫,我不确定在该代码中的何处放置 htmlspecialchars()。我会试试这个,让他们再扫描一次。
  • 正则表达式 ".{0,1}'.{0,1}">" 匹配的内容 /contactform.php/'"> 这在代码中指的是什么?只是 php 或 html 正文中的正则表达式?
猜你喜欢
  • 2011-06-07
  • 2014-11-28
  • 1970-01-01
  • 2010-12-22
  • 2011-09-02
  • 2011-06-13
  • 2017-05-26
  • 1970-01-01
  • 2011-05-12
相关资源
最近更新 更多