Research on Attack-defense of PHP Web Application Upload Vulnerability

doi:10.3969/j.issn.1671-1122.2015.10.008

Abstract

Abstract:

The Web application set up by PHP (hypertext preprocessor) is the most widely use in the Internet. Once the PHP Web application with security vulnerability, the security of the data and the users of the system is greatly threaten. Because of this, the security vulnerability of PHP Web applications is getting more and more attention. How to secure the PHP Web application protection has become a hot spot in the research of the current. There is a lot of probability and the damage is great attack in the security of PHP Web. They are XSS vulnerability, SQL injection vulnerability, code execution vulnerability and upload vulnerability etc. So far, there has been a system of defensive research in XSS, SQL vulnerabilities and code execution vulnerability and other fields, the SQL injection is more popular in the top. Correspondingly, the Web PHP applications of upload vulnerability are lack of a systematic attack and defense research. Related content could appear in only one chapter in an article, some of these prevention methods are outdated, and many of the latest attack techniques and prevention methods are not involved. The article analyzes carefully on the file upload attack in PHP Web application and gives the corresponding protective measures, and sums up some security development suggestions about file-upload capabilities in PHP Web application.

Key words: PHP Web, vulnerability, file upload, attack-defense

CLC Number:

TP309

WEI Kun-peng, GE Zhi-hui, YANG Bo. Research on Attack-defense of PHP Web Application Upload Vulnerability[J]. Netinfo Security, 2015, 15(10): 53-60.

Figures/Tables 5

References 26

[1]	国家计算机网络应急技术处理协调中心. 2014年中国互联网网络安全报告[R]. 北京:CNCERT,091913,2015.
[2]	LAMP[EB/OL]. ,2015-06-20.
[3]	程茂华. PHP安全漏洞防范研究[J]. 信息安全与技术,2013,4(7):75-77.
[4]	LOUREIRO N.Programming PHP with security in mind[J]. Linux journal, 2002, (102): 64-67.
[5]	徐勇,郑晓明. 万能上传击溃ASP／PHP／JSP脚本系统[J]. 黑客防线,2004,(11):8-13.
[6]	杨宁. PHP漏洞挖掘之旅——详解PHP文件上传漏洞(一)[J]. 黑客防线,2007,(8):31-34.
[7]	杨宁. PHP漏洞挖掘之旅——详解PHP文件上传漏洞(二)[J]. 黑客防线,2007,(9):32-33.
[8]	王威. PHP网站安全性的分析研究及其在图片上传系统中的应用[D]. 北京:北京邮电大学,2011.
[9]	程茂华. 基于PHP安全漏洞的Web攻击防范研究[J]. 信息安全与技术,2013,4(5):53-55.
[10]	AMIT Y, HAY R, SALTZMAN R. Testing web applications for file upload vulnerabilities: U.S. Patent 9,009,841[P].2015-4-14.
[11]	池阳,高健,周福才. 基于ISAPI过滤器的Web防护系统[J]. 信息网络安全,2014,(7):35-40.
[12]	梦幻剑客. PHP漏洞引发的入侵[J]. 黑客防线,2008,(10):17-18.
[13]	Apache. Terms Used to Describe Directives - Apache HTTP Server Version 2.4[EB/OL]. , 2015-06-20.
[14]	WooYun. Apache文件名解析缺陷漏洞[EB/OL]. , 2015-07-20.
[15]	bghost. 浅谈变形PHP WEBSHELL检测[EB/OL]. , 2015-07-15.
[16]	冯硕,李永义. PHP安全模式漏洞分析[J]. 网络安全技术与应用,2011,(4):9-11.
[17]	何鹏程,方勇. 一种基于Web日志和网站参数的入侵检测和风险评估模型的研究[J]. 信息网络安全,2015,(1):61-65.
[18]	php. PHP: 安全模式- Manual[EB/OL]. , 2015-08-01.
[19]	Heiderich M, Nava E A V, Heyes G, et al. Web application obfuscation Elsevirer[M]. Bochum: Syngress, 2011.
[20]	段娟,辛阳,马宇威. 基于Web应用的安全日志审计系统研究与设计[J]. 信息网络安全,2014,(10):70-76.
[21]	王琳,张小梅. 软件补丁管理在网络信息安全中的作用及趋势[J]. 武汉理工大学学报,2005,(27):87-89.
[22]	尹宏飞. Windows系统预防[J]. 科技创新与应用,2015,(3):64-64.
[23]	叶嘉羲,张权,王剑. 基于权限控制和脚本检测的Webview漏洞防护方案研究[J]. 信息网络安全,2015,(3):38-43.
[24]	魏坤玉,万仲保. Apache Web Server的安全性配置[J]. 计算机与现代化,2005,(3):107-109.
[25]	周永强. 基于Linux系统的Apache服务器安全对策[J]. 电脑开发与应用,2013,(12):64-66.
[26]	孟正,梅瑞,张涛,等. Linux下基于SVM分类器的WebShell检测方法研究[J]. 信息网络安全,2014,(5):5-9.