Vulnerability introduction and repair suggestions (vulnerability summary, recommended collection will be continuously updated later)

Table of contents

uncategorized

Host header attack (high risk)

Domain name access restrictions are not strict (high risk)

URL redirection (medium risk)

Session Hijacking Vulnerability (Medium Severity)

Session Fixation Vulnerability (Medium Severity)

DNS Domain Transfer Vulnerability (Medium Severity)

Website hacking traces detected (high risk)

Insufficient Transport Layer Protection Vulnerability (Medium Severity)

The server has the TRACE method enabled (medium risk)

Clickjacking Vulnerability (Missing X-Frame-Options Header) (Medium Severity)

Unsafe HTTP method enabled (OPTIONS method enabled) (medium risk)

Tomcat version too low vulnerability (medium risk)

Apache Tomcat Examples Directory Vulnerability (Medium Severity)

SpringBlade framework default SIGN_KEY (CVE-2021-44910) (high risk)

SSL/TLS server Diffie-Hellman public key vulnerability (high risk)

OpenSSL Remote Memory Leak Vulnerability (Heartbleed Vulnerability) (High Severity)

Apache apisix default key vulnerability (CVE-2020-13945) (high risk)

Weak password login class

Weak password (high risk)

FTP weak password (high risk)

Arbitrary User Password Reset Vulnerability (High Risk)

Captcha Vulnerability (High Risk)

Brute Force Vulnerability (Medium Risk)

SMS bombing vulnerability (medium risk)

Username Guessing Vulnerability (Medium Risk)

SNMP Default Community Name Vulnerability (High Risk)

Sensitive Information Leakage

Source code information leakage (high risk)

Error Page Information Disclosure (Application Error Message) (Medium Risk)

Directory Traversal (High Risk)

IIS Short Filename Vulnerability (Medium Severity)

Robots.txt file disclosure (medium risk)

PHP Probe Information Disclosure (Medium Risk)

PHPINFO Page Leakage (Medium Risk)

Unencrypted login request (low risk)

Sensitive information leakage of Zhiyuan OA A6 employees (medium risk)

Dedecms-cve-2018-6910 information disclosure vulnerability (medium risk)

Solr admin information disclosure (high risk)

SSL/TLS RC4 information disclosure vulnerability CVE-2013-2566 (high risk)

ThinkPHP Information Leakage (Medium Risk)

LARAVEL Sensitive Information Leakage (High Risk)

unauthorized access class

Unauthorized access (high risk)

Privilege Escalation Vulnerability (High Risk)

Memcached Unauthorized Access Vulnerability (High Risk)

Rsync Unauthorized Access Vulnerability (High Risk)

Cisco vpn unauthorized access (high risk)

Mongodb database unauthorized access vulnerability (high risk)

Redis database unauthorized access vulnerability (high risk)

Unauthorized access to .htaccess files (high risk)

Phpmyadmin unauthorized access (high risk)

Druid Unauthorized Access Vulnerability (Medium Severity)

Springboot unauthorized access (high risk)

inject class

SQL injection (high risk)

CRLF Injection Vulnerability (High Severity)

Framework Injection Vulnerability (High Risk)

Cross-site scripting class

XSS cross-site scripting vulnerability (high risk)

jQuery version too low (XSS in old jQuery versions) (medium risk)

Unicode Conversion Vulnerability (High Severity)

File upload, file inclusion, file reading, SSRF class

File upload vulnerability (high risk)

WebDav file upload/information disclosure vulnerability (high risk)

Local file inclusion vulnerability (high risk)

Remote file inclusion vulnerability (high risk)

Arbitrary file read vulnerability (high risk)

Arbitrary file download vulnerability (high risk)

SSRF (Server-Side Request Forgery) (high risk)

ShopXO arbitrary file reading (high risk)

Resin Arbitrary File Read Vulnerability (High Risk)

Command execution, code execution class

Struts2 dev-mod command execution vulnerability (high risk)

S2-005 Command Execution Vulnerability (High Risk)

S2-009 Command Execution Vulnerability (High Risk)

S2-016 Command Execution Vulnerability (High Risk)

S2-017 URL jump vulnerability (high risk)

S2-019 Command Execution Vulnerability (High Risk)

S2-032 Command Execution Vulnerability (High Risk)

S2-037 Command Execution Vulnerability (High Risk)

S2-045 Command Execution Vulnerability (High Risk)

S2-046 Command Execution Vulnerability (High Risk)

S2-052 Command Execution Vulnerability (High Risk)

S2-053 Command Execution Vulnerability (High Risk)

JDWP Remote Command Execution Vulnerability (High Risk)

ElasticSearch Command Execution Vulnerability (High Risk)

GNU Bash Remote Command Execution (High Risk)

Weblogic Java Deserialization Remote Command Execution Vulnerability (High Risk)

shiro deserialization command execution vulnerability (high risk)

JBoss deserialization command execution vulnerability (high risk)

JBoss JMXInvokerServlet Remote Command Execution Vulnerability (High Risk)

ThinkPHP command execution (high risk)

Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2016-3088) (High Risk)

JBoss Seam parameterized EL expression remote code execution vulnerability (high risk)

HTTP.sys Remote Code Execution Vulnerability (MS15-034) (High Risk)

Webview Remote Code Execution Vulnerability (High Risk)

denial of service class

slowhttp denial of service attack (medium risk)


The Markdown source below can be copied directly:

If the file is saved in .md format, the title will be automatically generated, but it needs to be opened with an editor that supports .md. The blogger uses Typora (a Markdown editor and reader).

# Vulnerability Introduction and Repair Suggestions

# Uncategorized

## Host Header Attack (High Risk)

*Introduction:*

For developers, taking the Host header from the request and writing it into the current page is a very unwise choice: an attacker who modifies the Host field of the HTTP request header can then control the URLs that the server emits in the returned page.

*Fix:*

Do not read the Host field and write it into pages. If the host name is needed, use the SERVER_NAME variable provided by the server-side scripting environment.



## Lax Domain Name Access Restrictions (High Risk)

*Introduction:*

The target does not strictly restrict domain-name access: the Hostname field of the HTTP request is not limited to the expected domain names, which allows some protective measures to be bypassed.

*Fix:*

Configure the web server so that it can only be accessed via its domain name (not via an IP address or arbitrary Host values).



## **URL Redirection (Medium Risk)**

*Introduction:*

A URL redirection vulnerability, also called an open redirect or jump vulnerability, occurs when a web application accepts user-controllable input as a link to an external site and then uses that link in a redirect. The flaw makes phishing attacks considerably easier.

*Fix:*

1. Referer restriction: if the source of the URL parameter is known, the Referer can be checked to ensure the URL's validity and stop malicious users from generating their own redirect links.
2. Add a validity-check token: ensure every generated link comes from a trusted domain by embedding a token the user cannot control and verifying it, so users cannot craft their own malicious links.
3. URL whitelist: only redirect to destinations on the whitelist.
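The two points above (never reflect the request's Host header into generated URLs, and only redirect to whitelisted destinations) can be implemented with a few lines of URL handling. The following is an added example written for this page, not code from the original post; the host names `app.example.com` and `help.example.com` and the functions `absolute_url` and `safe_redirect_target` are assumptions for the demonstration. It goes slightly beyond the text by also handling the common bypass forms (protocol-relative `//host`, backslashes, `user@host` tricks and non-HTTP schemes).

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed configuration: the canonical host comes from server-side settings,
# never from the request's Host header, so a spoofed Host cannot reach the page.
CANONICAL_HOST = "app.example.com"
TRUSTED_HOSTS = {CANONICAL_HOST, "help.example.com"}


def absolute_url(path, scheme="https"):
    """Build an absolute URL from configuration (the SERVER_NAME idea), not from the Host header."""
    return urlunsplit((scheme, CANONICAL_HOST, path, "", ""))


def safe_redirect_target(target, default="/"):
    """Return a redirect target that stays on a trusted host, or `default` if it does not."""
    if not target:
        return default
    candidate = target.replace("\\", "/")            # browsers treat backslashes as slashes
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//evil.com"): only http(s) to a trusted host
        scheme = parts.scheme or "https"
        if scheme not in ("http", "https"):           # javascript:, data:, etc.
            return default
        host = (parts.hostname or "").lower()         # hostname ignores "user@" and ":port"
        if host not in TRUSTED_HOSTS:
            return default
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

    # Relative: must be a single-slash rooted path with no line breaks
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    if "\r" in candidate or "\n" in candidate:
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

Fragments are dropped and the port is normalised away on purpose; if the application needs either, extend the allowlist rather than relaxing the host check.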



## Session Hijacking Vulnerability **(Medium Risk)**

*Introduction:*

An attack in which the attacker obtains a user's Session ID by brute force, prediction or theft (network sniffing, XSS), and then uses that Session ID to log in as the target account.

*Fix:*

1. Change the session name. PHP's default session name is PHPSESSID and it is stored in a cookie; an attacker who has not analysed the site cannot guess the session name, which blocks some attacks.
2. Disable transparent session IDs. With transparent session IDs, when the browser's HTTP request does not carry the Session ID in a cookie, the ID is passed in the URL instead.
3. Set HttpOnly. Setting the cookie's HttpOnly flag to true prevents client-side scripts from accessing the cookie, which effectively mitigates XSS-based theft.
4. Remove all phpinfo-style pages that dump request information.
5. Check request consistency with the User-Agent. Experts warn against relying on User-Agent consistency, however, because HTTP proxies in a server cluster may edit the User-Agent, and different proxies in the same cluster may edit it inconsistently.



## Session Fixation Vulnerability **(Medium Risk)**

*Introduction:*

Session fixation can be seen as a type of session hijacking, since its main goal is likewise to obtain the target user's legitimate session; in addition, session fixation can force the victim to use a valid session chosen by the attacker, thereby obtaining the user's sensitive information.

*Fix:*

1. Generate a new Session ID when the user logs in. This is very effective when the session identifier the attacker supplies is not valid: for an invalid identifier the server asks the user to log in again. If the attacker uses a valid Session ID, the attack can still be prevented by additional verification.
2. Most session-hijacking defences also work against session fixation: setting HttpOnly, disabling transparent session IDs, User-Agent checks, token verification, etc.
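The core defence for both sections above (a fresh, random session ID issued at login, plus HttpOnly/Secure cookie attributes) looks like this in practice. This is an added example written for this page, not code from the original post; `SessionStore`, `session_cookie` and the cookie name `sid` are assumptions for the demonstration.

```python
import secrets
import time


class SessionStore:
    """In-memory session store. IDs are 256-bit random values, never derived from user data."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, presented_sid, user_id):
        """Authenticate the user: discard the pre-login ID (which an attacker may have fixed
        in the victim's browser) and issue a brand-new ID carrying the authenticated state."""
        old_data = self._sessions.pop(presented_sid, None) or {}   # unknown/forged ID -> empty
        old_data["user_id"] = user_id
        old_data["auth_at"] = time.time()
        return self.create(old_data)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid, secure=True):
    """Set-Cookie value for the session: HttpOnly keeps scripts away from it, Secure keeps it
    off plain HTTP, SameSite limits cross-site sending. Note the non-default cookie name."""
    attrs = ["sid=" + sid, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```

Because `login` always returns an ID that did not exist before, a session ID planted by the attacker is never promoted to an authenticated session, and the old ID stops resolving the moment the victim logs in.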



## **DNS Zone Transfer Vulnerability (Medium Risk)**

*Introduction:*

A DNS zone transfer is the mechanism by which a secondary server refreshes its zone database with data from the primary server. Zone transfers are normally only needed when the network really has secondary DNS servers, yet many DNS servers are misconfigured to hand out the complete zone database to any client that asks.

*Fix:*

Restrict zone transfers between name servers with an ACL (access control list), usually via the allow-transfer option in /etc/named.conf. If the vulnerable server is ns1.com and ns2, ns3 and ns4 are its secondary DNS servers, transfers should be allowed only to those addresses. The configuration is: allow-transfer { localhost; IP of ns2; IP of ns3; IP of ns4; };



## **Website Defacement Traces Detected (High Risk)**

*Introduction:*

Website pages have been tampered with or show traces of intrusion.

*Fix:*

Remove web shells and trojans from the site, comprehensively check the site for vulnerabilities and fix them promptly.



## **Insufficient Transport Layer Protection (Medium Risk)**

*Introduction:*

Insufficient transport-layer protection exposes transmitted data, leading to eavesdropping, account theft and so on. If an administrator account is affected, the whole site's data is exposed, causing serious and possibly irreparable damage to the site and its users.

*Fix:*

1. Use SSL for all sensitive pages; requests for those pages over plain HTTP should be redirected to the SSL version;

2. Set the "secure" flag on all sensitive cookies;

3. Ensure the SSL configuration only supports strong algorithms that cannot be easily broken;

4. Ensure the certificate is valid, not expired, not revoked, and matches every domain the site uses;

5. Back-end and other connections should also use SSL or other encryption;

6. Even developer comments should be well protected to prevent information leakage.



## **TRACE Method Enabled on the Server (Medium Risk)**

*Introduction:*

An attacker can use the information returned by the TRACE method to learn about the site's front end (caching servers, for example), which helps prepare further attacks; TRACE can be used in XSS attacks; and even when key pages set the HttpOnly flag and scripts are barred from reading cookies, an attacker may still bypass that restriction and read cookies through the TRACE method.

*Fix:*

Disable the TRACE method.



## **Clickjacking Vulnerability (Missing X-Frame-Options Header) (Medium Risk)**

*Introduction:*

The victim is tricked into clicking through an invisible overlaid frame: they believe they are clicking the page they see, but the click actually lands on a transparent page the attacker has carefully built on top of it.

*Fix:*

Set the X-Frame-Options header to defend against clickjacking via iframe embedding.



## Unsafe HTTP Methods Enabled (OPTIONS Method Enabled) (Medium Risk)

*Introduction:*

Unsafe HTTP methods are enabled: DELETE, SEARCH, COPY, MOVE, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK, PUT. They may allow web pages, scripts and files on the web server to be uploaded, modified or deleted.

*Fix:*

If the server does not need to support WebDAV, disable it, or disable the unnecessary HTTP methods.
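The three fixes above (disable TRACE, send X-Frame-Options, and reject unneeded methods) are usually applied in the web server configuration, but an application can enforce them itself at the edge. The following WSGI middleware is an added example written for this page, not code from the original post; `hardening_middleware`, `demo_app` and the method allowlist are assumptions for the demonstration.

```python
from wsgiref.util import setup_testing_defaults   # stdlib; builds a test environ offline

ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})


def demo_app(environ, start_response):
    """Hypothetical inner application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def hardening_middleware(app, allowed_methods=ALLOWED_METHODS, frame_policy="DENY"):
    """Reject every method not on the allowlist (TRACE, OPTIONS, PUT, DELETE, PROPFIND, ...)
    with 405, and add anti-framing headers to every response that lacks them."""
    csp = "frame-ancestors 'none'" if frame_policy == "DENY" else "frame-ancestors 'self'"

    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method not in allowed_methods:
            headers = [("Content-Type", "text/plain"),
                       ("Allow", ", ".join(sorted(allowed_methods)))]
            start_response("405 Method Not Allowed", headers)
            return [b"method not allowed"]

        def start_response_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = []
            if "x-frame-options" not in present:
                extra.append(("X-Frame-Options", frame_policy))
            if "content-security-policy" not in present:
                extra.append(("Content-Security-Policy", csp))   # modern replacement for XFO
            return start_response(status, headers + extra, exc_info)

        return app(environ, start_response_with_headers)

    return wrapped


def call(app, method):
    """Run one request against `app` offline and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

`frame-ancestors` in Content-Security-Policy is what current browsers honour; X-Frame-Options is kept for older ones. If the site legitimately needs to be framed by itself, pass `frame_policy="SAMEORIGIN"`.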



## **Tomcat Version Too Low (Medium Risk)**

*Introduction:*

The installed Tomcat version is outdated and has known security vulnerabilities.

*Fix:*

Upgrade Tomcat or apply patches promptly.



## **Apache Tomcat Examples Directory Vulnerability (Medium Risk)**

*Introduction:*

The demo and documentation pages installed with Tomcat by default can cause information leakage and XSS; an attacker can create, destroy or control sessions through them.

*Fix:*

Delete the example and demo pages.



## SpringBlade Framework Default SIGN_KEY (CVE-2021-44910) (High Risk)

*Introduction:*

SpringBlade is a comprehensive project, evolved from commercial-grade projects, that combines a SpringCloud distributed microservice architecture with a SpringBoot monolithic architecture. The framework ships with a default SIGN_KEY; an attacker can exploit it to obtain sensitive information such as user account passwords and logs.

*Fix:*

1. Set access policies on firewalls or other security devices and use an access whitelist;
2. Unless necessary, do not expose the system to the public internet;
3. Restrict directory access permissions.



## **SSL/TLS Server Diffie-Hellman Public Key Too Weak (High Risk)**

*Introduction:*

Diffie-Hellman key exchange is a popular cryptographic algorithm that lets Internet protocols agree on a shared key and negotiate a secure connection. When the server's ephemeral SSL/TLS Diffie-Hellman public key is 1024 bits or smaller, it may be vulnerable to passive eavesdropping.

*Fix:*

Use a 2048-bit or stronger Diffie-Hellman group with a "safe" prime. See: https://weakdh.org/sysadmin.html



## **OpenSSL Remote Memory Disclosure (Heartbleed) (High Risk)**

*Introduction:*

OpenSSL is an open-source SSL implementation used for strong encryption of network communications. The vulnerability lies in the heartbeat extension (RFC 6520) of OpenSSL's TLS/DTLS implementation, hence the name "Heartbleed". Without any privileged information or authentication, it allows an attacker to obtain X.509 certificate private keys, user names and passwords, cookies and similar data, and from there to steal chat messages, e-mail, important business documents and other private communications between service providers and users.

*Fix:*

Upgrade OpenSSL to 1.0.1g (the fixed release); alternatively, recompile the older OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension.



## Apache APISIX Default Key Vulnerability (CVE-2020-13945) (High Risk)

*Introduction:*

Apache APISIX is a dynamic, real-time, high-performance API gateway built on the Nginx network library and etcd, providing load balancing, dynamic upstreams, canary releases, circuit breaking, authentication, observability and other traffic-management features. When the Admin API is enabled without an IP access policy and the token in the configuration file has not been changed, an attacker can use APISIX's default token to access the Admin API and take control of the gateway.

*Fix:*

(1) Change admin_key in the Apache APISIX configuration file conf/config.yaml and stop using the default token;
(2) If not needed, disable the Apache APISIX Admin API or add IP access restrictions;
(3) Upgrade Apache APISIX to the latest version.

# Weak Password and Login Class



## **Weak Password (High Risk)**

*Introduction:*

A weak password is one made up only of simple digits and letters, such as "123456" or "abc". Such passwords are easily cracked and put the user's information assets at risk; an attacker can exploit this directly to gain access.

*Fix:*

1) Do not use empty passwords or system default passwords; these are widely known and are typical weak passwords;
2) Passwords must be at least 8 characters long;
3) A password must not be a single repeated character (e.g. AAAAAAAA) or a repeated combination of characters (e.g. tzf.tzf.);
4) A password should combine all four character classes, uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters, with at least one of each. If a class is represented by only one character, that character should not be the first or the last one;
5) A password should not contain the names or birth dates of the user, parents, children or spouse, anniversaries, the login name, the e-mail address or other personal information, nor dictionary words;
6) A password should not be a word with some letters replaced by digits or symbols;
7) A password should be easy to remember and quick to type, so that someone looking over your shoulder cannot easily see what you enter;
8) Change the password at least every 90 days, so that an undetected intruder cannot keep using it.
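Rules 1 to 6 above are mechanically checkable at registration time. The following checker is an added example written for this page, not code from the original post; the tiny dictionary, the leetspeak table and the function `check_password` are constructed assumptions (a real deployment would load a full word list and breached-password set).

```python
import string

# Constructed stand-ins for real word lists
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "admin"}
DEFAULT_PASSWORDS = {"", "123456", "admin", "password", "root"}
# Rule 6: undo common digit/symbol-for-letter substitutions before the dictionary check
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(pw, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated rules (an empty list means the password is acceptable)."""
    problems = []
    if pw in DEFAULT_PASSWORDS:                                   # rule 1
        problems.append("empty or default password")
    if len(pw) < 8:                                               # rule 2
        problems.append("shorter than 8 characters")
    # rule 3: a single character or a short unit repeated to fill the password (AAAAAAAA, tzf.tzf.)
    for unit_len in range(1, len(pw) // 2 + 1):
        if len(pw) % unit_len == 0 and pw == pw[:unit_len] * (len(pw) // unit_len):
            problems.append("repeated character or pattern")
            break
    # rule 4: all four classes present; a class with a single member must not sit at either end
    counts = {name: sum(ch in chars for ch in pw) for name, chars in CLASSES.items()}
    missing = [name for name, n in counts.items() if n == 0]
    if missing:
        problems.append("missing class: " + ", ".join(missing))
    for name, n in counts.items():
        if n == 1 and (pw[0] in CLASSES[name] or pw[-1] in CLASSES[name]):
            problems.append(f"only {name} character is at the start or end")
    lowered = pw.lower()
    for info in personal_info:                                    # rule 5
        if info and info.lower() in lowered:
            problems.append(f"contains personal info {info!r}")
    deleeted = lowered.translate(LEET)
    for word in dictionary:                                       # rules 5 and 6
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
        elif word in deleeted:
            problems.append(f"contains leetspeak of {word!r}")
    return problems
```

Rules 7 and 8 (memorability and rotation) are policy rather than syntax and are enforced elsewhere; the checker reports every violation instead of stopping at the first so the user gets complete feedback.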



## FTP Weak Password (High Risk)

*Introduction:*

An attacker can log in to the FTP server with a weak password, obtain its data, take control of the server, and then attack other assets on the internal network.

*Fix:*

(1) Configure FTP permissions or add an access whitelist;
(2) Disable anonymous login.



## Arbitrary User Password Reset Vulnerability (High Risk)

*Introduction:*

The system validates password-reset requests on the client side rather than on the server, so a user can modify the request locally, bypass identity verification and reset any account's password.

*Fix:*

Strengthen the logical validation of password-reset requests on the server side.



## Captcha Vulnerability (High Risk)

*Introduction:*

A captcha that can be reused allows brute forcing; and without limits on the number and timing of sends, verification codes can be sent without restriction.

*Fix:*

Invalidate the captcha after every login attempt and issue a new one to prevent brute forcing; send verification codes at most once every 120 seconds.



## Brute Force Vulnerability (Medium Risk)

*Introduction:*

The login entry has no captcha, or the captcha can be reused, so brute forcing is possible. An attacker may try every combination of letters, digits and symbols, or use brute-force tools, until a correct combination is found, and then proceed to further illegal attacks from the logged-in page.

*Fix:*

1. Add a captcha that changes after every failed login;
2. Limit failed logins to prevent password guessing: if the same user fails to log in 6 times within 5 minutes, disable login for that user for 30 minutes.



## SMS Bombing Vulnerability (Medium Risk)

*Introduction:*

SMS bombing arises from a design flaw that allows unlimited SMS verification codes to be sent to a client; an attacker can flood any phone number, damaging the company's reputation and operational security.

*Fix:*

Strengthen access control on the SMS verification-code interface and limit, on the server side, the number of messages sent per unit of time.
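The lockout rule from the brute-force section (6 failures within 5 minutes locks the account for 30 minutes), the per-number send limit from this section (one code per 120 seconds, the interval the captcha section gives) and the uniform "invalid username or password" response from the username-guessing section share one server-side implementation. The following is an added example written for this page, not code from the original post; `FailureLockout`, `SendRateLimit`, `attempt_login`, `ManualClock` and the credential store are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque


class FailureLockout:
    """Lock an account after `max_failures` failed logins within `window` seconds,
    for `lock_for` seconds. Defaults follow the page: 6 in 5 minutes -> 30 minutes."""

    def __init__(self, max_failures=6, window=300, lock_for=1800, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.clock = clock                       # injectable for deterministic tests
        self._failures = defaultdict(deque)      # user -> timestamps of recent failures
        self._locked_until = {}                  # user -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:                # lock expired: clean up
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_for
            recent.clear()

    def record_success(self, user):
        self._failures.pop(user, None)


class SendRateLimit:
    """At most one send per `interval` seconds per key (e.g. phone number), enforced server-side."""

    def __init__(self, interval=120, clock=time.monotonic):
        self.interval = interval
        self.clock = clock
        self._last_sent = {}

    def try_send(self, key):
        now = self.clock()
        last = self._last_sent.get(key)
        if last is not None and now - last < self.interval:
            return False
        self._last_sent[key] = now
        return True


class ManualClock:
    """Test clock: time only advances when `t` is set."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


# Constructed credential store for the demo (a real system stores password hashes).
USERS = {"alice": "correct horse battery staple"}


def attempt_login(lockout, user, password, users=USERS):
    """One login attempt. Unknown users and wrong passwords get the same message,
    and unknown users are counted too, so probing reveals nothing and costs the same."""
    if lockout.is_locked(user):
        return "locked"
    if users.get(user) == password:
        lockout.record_success(user)
        return "ok"
    lockout.record_failure(user)
    return "invalid username or password"
```

Keep the counters in shared storage (a database or cache) rather than process memory when the login service runs on more than one node, otherwise an attacker can spread attempts across nodes.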



## Username Guessing Vulnerability (Medium Risk)

*Introduction:*

The login response reveals whether a given user exists, so user names can be guessed.

*Fix:*

Use a vague login error message, such as "incorrect username or password".



## SNMP Default Community String Vulnerability (High Risk)

*Introduction:*

Many operating systems and network devices ship SNMP agents with a readable default community string. If the default is unchanged or weak, a remote attacker can obtain a great deal of system detail through the SNMP agent; with a writable community string the attacker may even modify system files or execute system commands.

*Fix:*

Change the default SNMP community strings or disable the SNMP service.

# Sensitive Information Leakage



## **Source Code Information Leakage (High Risk)**

*Introduction:*

Website source-code leakage occurs when an administrator mistakenly leaves site backup archives or files containing sensitive information under a web directory.
An attacker can download the source, analyse it for sensitive information about the system (such as database credentials), and then directly attack and take control of the server.

*Fix:*

1. Do not store backup files or files containing sensitive information under the web directory;
2. If such files must be stored there, give them hard-to-guess names and encrypt them;
3. Use a software or hardware WAF;
4. Raise the security awareness of site administrators.



## **Error Page Information Disclosure (Application Error Message) (Medium Risk)**

*Introduction:*

An attacker can gather server information from error or warning messages.

*Fix:*

1. Turn off the web server's error messages;
2. Turn off the runtime platform's error messages;
3. Establish an error-handling mechanism that never returns the real error to the visitor: catch back-end exceptions and redirect to fixed error pages, e.g. a 500 page saying "system error, please contact the administrator", a 403 page, a page-not-found page, and so on.



## **Directory Listing (High Risk)**

*Introduction:*

By requesting a directory without naming a specific file in the URL, an attacker can view all the files and the directory structure under it.

*Fix:*

Disable the directory index feature of the web container (such as Apache) in its configuration file.



## **IIS Short File Name Vulnerability (Medium Risk)**

*Introduction:*

Microsoft IIS has a file enumeration flaw: an attacker can use the "~" character to guess or enumerate file names on the server, or launch a denial of service against the .NET Framework on the IIS server.

*Fix:*

Block "~" and its Unicode encoding in URLs, or disable Windows 8.3 short-name generation.



## robots.txt File Disclosure **(Medium Risk)**

*Introduction:*

Leaks sensitive site information, including back-end or other private pages.

*Fix:*

1. robots.txt must not be used to protect or hide information;
2. Move sensitive files and directories into a separate, isolated subdirectory so that only that directory needs to be excluded from web robots. Moving the files into a directory with a non-descriptive name such as "folder" is a good solution. New directory structure: /folder/passwords.txt /folder/sensitive_folder/
New robots.txt: User-agent: * Disallow: /folder/ ;
3. If the directory structure cannot be changed and specific directories must be excluded from web robots, use only partial names in robots.txt. This is not the best solution, but it at least makes the full directory names harder to guess. For example, to exclude "sensitive_folder" and "passwords.txt" (assuming no other file or directory in the web root starts with the same characters): robots.txt: User-agent: * Disallow: /se Disallow: /pa.



## PHP Probe Information Disclosure **(Medium Risk)**

*Introduction:*

PHP probe files leak sensitive information about the site.

*Fix:*

Delete the PHP probe file that was installed by default.



## PHPINFO Page Leakage **(Medium Risk)**

*Introduction:*

Leaks sensitive server information, including the site's physical path, the PHP version, server details and environment variables.

*Fix:*

1. In the server's php.ini, change "expose_php = On" to "expose_php = Off" and restart PHP;
2. If the test page is genuinely needed, use it during testing and delete it afterwards;
3. If not required, disable dangerous PHP functions: open /etc/php.ini, find disable_functions and add the following function names: phpinfo,eval,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,fsockopen.



## Unencrypted Login Request **(Low Risk)**

*Introduction:*

The scan found login requests (containing user names, passwords, e-mail addresses, social security numbers, etc.) being sent to the server without an encrypted transport protocol or other encryption. An attacker capturing the traffic can obtain the administrator's user name and password.

*Fix:*

Encrypt sensitive information in registration and login requests, i.e. transmit passwords, phone numbers, e-mail addresses and other sensitive data only in encrypted form.



## **Seeyon OA A6 Employee Sensitive Information Leakage (Medium Risk)**

*Introduction:*

Seeyon OA A6 has a sensitive information disclosure vulnerability; an attacker can craft a payload to obtain sensitive information.

*Fix:*

Restrict user access permissions.



## **DedeCMS CVE-2018-6910 Information Disclosure Vulnerability (Medium Risk)**

*Introduction:*

DesdevDedeCMS is an open-source PHP content management system (CMS) by Desdev (Zhuozhuo Network Technology Co., Ltd., China) that integrates content publishing, editing, management and retrieval. Certain DesdevDedeCMS versions have an information disclosure vulnerability: a remote attacker can send requests to include/downmix.inc.php or inc/inc_archives_functions.php to obtain the full installation path.

*Fix:*

Modify the application source code to avoid the information leak.



## Solr Admin Information Disclosure (High Risk)

*Introduction:*

The site has an Apache Solr sensitive information disclosure vulnerability.

*Fix:*

1. Change the default path of the admin interface;
2. Restrict sensitive paths to whitelisted access only;
3. Disable unnecessary sensitive directories.



## SSL/TLS RC4 Information Disclosure Vulnerability CVE-2013-2566 (High Risk)

*Introduction:*

Secure Sockets Layer (SSL) is a security protocol introduced by Netscape together with the first release of its web browser, to provide security and data integrity for network communication; it encrypts connections at the transport layer. Transport Layer Security (TLS) is the IETF's standardisation of SSL (RFC 2246) and differs little from SSL 3.0. The RC4 cipher used in SSL/TLS has single-byte biases; a remote attacker who statistically analyses a large number of sessions encrypting the same plaintext can recover the plaintext.

*Fix:*

1. Disable the RC4 cipher on Apache servers;
2. For lighttpd, disable RC4 in the configuration file lighttpd.conf;
3. On Windows, follow Microsoft's guidance:
https://support.microsoft.com/en-us/help/2868725/microsoft-security-advisory-update-for-disabling-rc4



## ThinkPHP Information Leakage (Medium Risk)

*Introduction*:

ThinkPHP's default page leaks information, allowing an attacker to view all system environment parameters from index.php.

*Fix*:

1. Strictly control access parameters and fix the error output that leaks system parameters when the client sends bad parameters;

2. Upgrade ThinkPHP.



## Laravel Sensitive Information Leakage (High Risk)

*Introduction*:

The Laravel root directory contains a configuration file that stores the debug setting, MySQL credentials, mailbox credentials, the Redis password and other secrets. With improper access control the file leaks this sensitive information.

*Fix*:

Disable debugging in the Laravel configuration: in the .env file, find APP_DEBUG=true and change true to false.

# Unauthorized Access Class



## Unauthorized Access (High Risk)

*Introduction*:

Back-end or other user pages perform no session authentication, so they can be accessed directly without logging in.

*Fix*:

Add session authentication to the affected pages, strictly review the access rights of back-end function pages, and deny access to users who are not logged in.



## Privilege Escalation Vulnerability (High Risk)

*Introduction*:

Horizontal privilege escalation: an attacker can perform operations belonging to other users at the same privilege level. Vertical privilege escalation: an attacker can perform operations of higher-privileged users, such as administrator functions.

*Fix*:

1. Design a strict access control system that verifies and authorises every request and URL, so that illegal requests are not executed;
2. Deny all access by default, i.e. grant users no permissions unless explicitly assigned, so attackers cannot exploit default permissions;
3. Require explicit role authorisation for every function, so that attackers cannot exploit incomplete access control;
alternatively, implement an IP whitelist for web access, or allow only designated IPs to reach administrator-level functions.
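Points 1 to 3 above amount to one check run on every request: the role must grant the action (vertical), the caller must own the object unless the role overrides that (horizontal), and anything not explicitly granted is denied. The following is an added example written for this page, not code from the original post; the `User`/`Order` types, the `ROLE_PERMISSIONS` table and the sample orders are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str            # "user" or "admin"


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: int


# Role -> permitted actions. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "user": {"order:view", "order:cancel"},
    "admin": {"order:view", "order:cancel", "order:refund", "user:delete"},
}


class Forbidden(Exception):
    pass


def authorize(user, action, resource=None):
    """Vertical check: the role must grant the action.
    Horizontal check: a non-admin may only act on objects they own."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"role {user.role!r} may not {action}")
    if resource is not None and user.role != "admin" and resource.owner_id != user.id:
        raise Forbidden("not the owner of this object")
    return True


def can(user, action, resource=None):
    try:
        return authorize(user, action, resource)
    except Forbidden:
        return False


# Constructed sample data
ORDERS = {1: Order(id=1, owner_id=10), 2: Order(id=2, owner_id=20)}


def view_order(user, order_id):
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    authorize(user, "order:view", order)     # checked on the server for every request, not only in the UI
    return order


def refund_order(user, order_id):
    order = ORDERS[order_id]
    authorize(user, "order:refund", order)
    return f"refunded order {order_id}"
```

The object is looked up first and then checked, so the check applies to the real owner stored server-side, not to any owner id the client might send along with the request.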



## Memcached Unauthorized Access Vulnerability (High Risk)

*Introduction*:

Due to a design flaw in memcached, a client that connects to the memcached server can read and modify cached content without any authentication.

*Fix*:

1. Configure memcached to listen on the loopback address 127.0.0.1;
2. When memcached must listen on an internal or public IP, filter its service port with a host firewall (iptables, firewalld, etc.) and the network firewall.



## Rsync Unauthorized Access Vulnerability (High Risk)

*Introduction*:

rsync is a data mirroring and backup tool for Unix-like systems. If misconfigured, it lets an attacker access the rsync service anonymously and go on to add, delete and modify data.

*Fix*:

Two defences are recommended: restrict the IPs allowed to access the service, and disallow anonymous access by adding user credentials.



## Cisco VPN Unauthorized Access (High Risk)

*Introduction*:

Cisco Adaptive Security Appliance (ASA) Software has a vulnerability in the customization framework of the Clientless SSL VPN portal: an unauthenticated remote attacker can modify the Clientless SSL VPN portal content, leading to credential theft, cross-site scripting and other attacks. The flaw stems from improperly implemented authentication checks within the portal customization framework.

*Fix*:

Apply the latest Cisco patch: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa



## MongoDB Database Unauthorized Access Vulnerability (High Risk)

*Introduction*:

MongoDB was started without the --auth parameter, so an attacker can log in to the database server with the default empty password.

*Fix*:

Add database user authentication or restrict the IP addresses allowed to connect, to block unauthorized access.



## Redis Database Unauthorized Access Vulnerability (High Risk)

*Introduction*:

By default Redis binds to 0.0.0.0:6379, which exposes the service to the public internet. If authentication is not enabled, anyone who can reach the server can access Redis without authorization and read its data. With unauthorized access, an attacker can use Redis features to write a public key onto the server and then log in to the server directly with the corresponding private key.

*Fix*:

1. Configure the bind option to restrict which IPs may connect to the Redis server, and change the default port 6379;
2. Configure authentication (AUTH) with a password; note that the password is stored in plaintext in the Redis configuration file;
3. Use the rename-command option to rename CONFIG (e.g. to "RENAME_CONFIG"), so that even with unauthorized access it is harder for an attacker to use the config command;
4. The good news is that the Redis author has said a "real user" system will be developed, distinguishing normal users from admin privileges; normal users will be barred from running certain commands such as config.



## .htaccess File Unauthorized Access (High Risk)

*Introduction:*

An attacker can access the .htaccess file without authorization and obtain sensitive information about the site.

*Fix:*

Prevent the .htaccess file from being viewed.



## **phpMyAdmin Unauthorized Access (High Risk)**

*Introduction:*

The phpMyAdmin path was found with no password protection, allowing direct login to the database with root privileges.

*Fix:*

Set a database password to prevent unauthorized access, and change the default phpMyAdmin path so attackers cannot find it.




## **Druid Unauthorized Access Vulnerability (Medium Risk)**

*Introduction:*

Druid is a database connection pool from Alibaba's database team, built for monitoring: it monitors SQL execution time, web URI requests and sessions. Druid itself is not vulnerable, but when developers misconfigure it, unauthorized access becomes possible.

*Fix:*

1. Disable StatViewServlet (the monitoring page) by setting it to false;

2. Set an account and password for Druid's web pages to control access.



## **Spring Boot Unauthorized Access (High Risk)**

*Introduction:*

Actuator is the Spring Boot module for application introspection and monitoring; with it developers can conveniently view and aggregate monitoring metrics. When Actuator is enabled without proper access control, unauthorized users can query the default actuator endpoints for monitoring information, leading to information leakage or even server takeover.

*Harm:*

Accessing the /trace endpoint yields basic HTTP request traces (timestamps, HTTP headers, etc.); if it contains requests of logged-in users, their cookies can be forged to log in. Accessing the /env endpoint returns all environment properties, and because Actuator also monitors database services such as MySQL and MongoDB, their connection details can be obtained from the monitoring data.

*Fix:*

1. Require an account and password for access;
2. Disable the endpoint with endpoints.env.enabled=false.

# Injection Class




## **SQL Injection** (High Risk)

*Introduction:*

In SQL injection, the attacker supplies syntactically valid but maliciously crafted SQL in an HTTP request. Time-based blind injection, for example, infers whether a page has an injection point from differences in its response time. Through SQL injection an attacker can obtain the database, table and column names and hence the data of the whole server, which is a great threat to the site's users; the attacker may also recover the back-end administrator's password from the data and then tamper with the site's pages.

*Fix:*

(1) Developers should improve their skills and follow fixed development standards;
(2) Check the validity of data before it is passed to server-side processing;
(3) Encapsulate client-submitted data;
(4) Replace or remove sensitive characters and strings;
(5) Do not return error messages to users;
(6) Encrypt sensitive data with non-standard encryption to prevent leakage;
(7) Strengthen database checks (abnormal table structures, extra data, etc.) and log checks (SQL injection attacks usually hit one vulnerable page a great many times, so log files grow rapidly; check the log file size and contents);
(8) Do not build SQL queries by string concatenation; use bound SQL variables (parameters), because a parameter value is not executable;
(9) Deploy SQL injection defences such as database firewalls, WAFs and similar network security devices.
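Point (8) is the fix that actually removes the vulnerability class; the rest reduce blast radius. The following is an added example written for this page, not code from the original post, showing a concatenated query beside its parameterised form against an in-memory SQLite table. The table, rows and functions `find_user_unsafe`/`find_user_safe` are constructed assumptions; the same placeholder principle applies to every database driver.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, passwords stored as hashes (placeholder strings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def find_user_unsafe(conn, name):
    """String concatenation: the input becomes part of the SQL grammar.
    Kept here only to show the difference; never use this form."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Placeholder binding: the driver sends the value separately from the statement,
    so the input can only ever be compared as data, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def count_rows_hit(conn, name):
    """Defensive monitoring idea from point (7): flag lookups that return more than one row."""
    rows = find_user_safe(conn, name)
    return len(rows)
```

A value such as `x' OR '1'='1` returns every row from the concatenated version and no row from the parameterised one; with placeholders there is no character worth filtering, which is why (8) is preferred over (4).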



## CRLF Injection Vulnerability (High Risk)

*Introduction:*

CRLF is short for "carriage return + line feed" (\r\n). In HTTP, the header and the body are separated by two CRLFs, which the browser uses to locate and display the HTTP content. So once an attacker can control characters in a response header and inject line breaks, they can inject session cookies or HTML code; this is why CRLF injection is also called HTTP Response Splitting (HRS). HRS is a more serious problem than XSS.

*Fix:*

Filter special characters such as \r and \n so that input data cannot pollute other HTTP headers.
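The fix above, applied at the one place where untrusted data enters a response header. This is an added example written for this page, not code from the original post; `safe_header`, `redirect_headers` and `strip_line_breaks` are assumptions for the demonstration. It rejects by default and shows the percent-encoding and stripping variants some frameworks use instead.

```python
import re
from urllib.parse import quote

# RFC 7230 "tchar": the only characters allowed in a header field name
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Characters that would end the header line or the whole header block
_LINE_BREAK = re.compile(r"[\r\n\x00]")


def safe_header(name, value):
    """Return (name, value) or raise ValueError if the pair could split the response."""
    if not _TOKEN.match(name):
        raise ValueError("invalid header name")
    if _LINE_BREAK.search(value):
        raise ValueError("CR, LF or NUL in header value")
    return (name, value)


def is_safe_header_value(value):
    try:
        safe_header("X-Check", value)
        return True
    except ValueError:
        return False


def redirect_headers(location):
    """Headers for a 302 whose Location came from user input: rejected if it carries a line
    break, then percent-encoded so the browser receives exactly one header."""
    safe_header("Location", location)                     # reject rather than silently repair
    encoded = quote(location, safe="/:?=&%#@+~-._")       # keeps URL structure, encodes the rest
    return [("Location", encoded), ("Content-Length", "0")]


def strip_line_breaks(value):
    """Stripping variant (what the page's 'filter \\r and \\n' describes). Rejecting is
    preferable because a stripped value may silently mean something else."""
    return _LINE_BREAK.sub("", value)
```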



## Frame Injection Vulnerability (High Risk)

*Introduction:*

An attacker may inject a frame or iframe tag with malicious content. An incautious user may browse the page the tag points to without realising they have left the original site for a malicious one, after which the attacker can induce them to log in again and capture their credentials.

*Fix:*

Filter all of the following characters: | & ; $ % @ ' " \' \" <> () + CR LF , \.

# Cross-Site Scripting Class



## XSS Cross-Site Scripting Vulnerability (High Risk)

*Introduction:*

Cross-site scripting injects malicious code into a web page; when a visitor browses the page the code is executed. An attacker can use it to steal or manipulate user sessions and cookies, impersonate legitimate users, and thereby gain administrator privileges and control of the whole site.

*Fix:*

1. Set the HttpOnly attribute on cookies, so JavaScript cannot read cookie information; this mitigates XSS to some extent;
2. Treat all input as suspicious and strictly check it for script, iframe and similar content. "Input" means not only the interfaces users interact with directly, but also cookie variables and other fields of the HTTP request headers;
3. Validate not only the data type but also its format, length, range and content;
4. Filter "<" and ">" and place user input inside quotes, which largely separates data from code; filter double quotes so users cannot break out of the permitted markup and add their own tags; filter tabs and spaces so keywords cannot be split; filter the script keyword; filter &# to prevent HTML attribute bypasses. Validate and filter on both the client and the server;
5. Check output as well: a value in the database may be output in many places on a large site, so even if the input was encoded, every output point still needs a security check.
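Point 5 is the one that holds up in practice: encode at each output point, for the context the data lands in. The following is an added example written for this page, not code from the original post; `render_comment` and `render_js_value` are assumptions for the demonstration and the comment markup is constructed.

```python
import html
import json


def render_comment(author, text):
    """HTML body and attribute contexts: html.escape(quote=True) encodes < > & " and '."""
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return ('<div class="comment" data-author="{a}"><b>{a}</b>: {t}</div>'
            .format(a=safe_author, t=safe_text))


def render_js_value(value):
    """Script context: JSON-encode, then escape < > & so that a value containing
    "</script>" cannot close the surrounding <script> element."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_page(author, text, prefs):
    """Both contexts on one page; the same data is encoded differently in each."""
    return (f"<script>var prefs = {render_js_value(prefs)};</script>\n"
            f"{render_comment(author, text)}")
```

The encoding is done at render time rather than at input time, which is exactly the situation point 5 describes: one stored value, several output points, each with its own rules.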



## jQuery Version Too Low (XSS in Old jQuery Versions) (Medium Risk)

*Introduction:*

jQuery versions before 1.6.3 have a cross-site scripting vulnerability: when location.hash is used to select elements, a remote attacker can inject arbitrary web script or HTML through a crafted tag.

*Fix:*

Upgrade jQuery.



## Unicode Conversion Vulnerability (High Risk)

*Introduction:*

Unicode conversion is subject to security problems caused by overlong byte sequences and malformed subsequences. Special encodings can bypass the program's checks for malicious characters and be used in SQL injection, XSS and similar attacks.

*Fix:*

1. Update the Unicode library to the latest official stable version (http://www.unicode.org);

2. After converting Unicode to UTF-8, run security checks on the converted data and filter or safely encode special characters before output.
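Point 2 means: decode strictly first, normalise, and only then apply the character checks, because a filter that runs on the raw bytes can be bypassed by overlong or alternative encodings of the same character. The following is an added example written for this page, not code from the original post; `decode_strict`, `validate_input` and the forbidden-token list are assumptions for the demonstration.

```python
import unicodedata


def decode_strict(data: bytes) -> str:
    """Strict UTF-8 decoding. Python's codec already rejects overlong sequences (e.g. C0 AF
    for '/') and truncated sequences; we turn that into a clear validation error."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"malformed UTF-8 at byte {exc.start}") from None


def contains_forbidden(text, forbidden=("../", "<", "'", '"')):
    """Return the forbidden tokens present in `text`, in list order."""
    return [token for token in forbidden if token in text]


def validate_input(data: bytes):
    """Decode, then canonicalise, then check. NFKC folds compatibility variants such as
    fullwidth '＜' (U+FF1C) to '<', so a look-alike cannot slip past a check for '<'."""
    text = decode_strict(data)
    text = unicodedata.normalize("NFKC", text)
    return text, contains_forbidden(text)
```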

# File Upload, File Inclusion, File Read and SSRF Class



## File Upload Vulnerability (High Risk)

*Introduction:*

The upload-validation code applies no filtering to uploaded files, so arbitrary files, including viruses and trojans, can be uploaded to the server.

*Fix:*

Validate uploaded attachments strictly on the server side; front-end JavaScript validation alone is not enough.
1. Strictly restrict the allowed file types, file names and extensions;
2. Check file headers and file content, and strictly restrict execution permissions on the upload directory;
3. Promptly check for and delete trojan files on the server.
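Points 1 and 2 above translate into a small server-side validator: an extension allowlist, a check that the file's magic bytes match that extension, a server-chosen random file name, and a non-executable mode on the stored file. This is an added example written for this page, not code from the original post; the allowlist, `validate_upload`, `store_upload` and the sample PNG bytes are constructed assumptions.

```python
import os
import secrets
import tempfile

# Extension -> leading bytes the content must start with (a small allowlist for the demo)
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def validate_upload(filename, data):
    """Return the canonical extension if the name and the content agree with the allowlist,
    otherwise raise ValueError."""
    base = os.path.basename(filename.replace("\\", "/"))     # drop any directory component
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):                   # "shell.php.png" with PHP inside fails here
        raise ValueError("content does not match extension")
    return ext


def store_upload(upload_dir, filename, data):
    """Store under a server-generated name (the user's name is never used on disk)."""
    ext = validate_upload(filename, data)
    new_name = secrets.token_hex(16) + "." + ext
    path = os.path.join(upload_dir, new_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                                   # readable, never executable
    return new_name


def demo():
    """Round trip in a temporary directory with a constructed PNG header; returns (name, size)."""
    sample_png = ALLOWED["png"] + b"\x00" * 16
    upload_dir = tempfile.mkdtemp()
    name = store_upload(upload_dir, "avatar.png", sample_png)
    size = os.path.getsize(os.path.join(upload_dir, name))
    return name, size
```

The upload directory itself should additionally be served with script execution disabled (a web server setting), so that even a future allowlist mistake cannot turn an upload into code.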



## WebDAV File Upload / Information Disclosure Vulnerability (High Risk)

*Introduction:*

WebDAV is a communication protocol based on HTTP/1.1. It extends HTTP/1.1 with new methods beyond the standard GET, POST and HEAD, allowing applications to read and write files on the web server directly, with support for write locking (Locking) and unlocking (Unlock) and for file version control. A remote attacker may exploit it to read and write files without authorization.

*Fix:*

A website normally does not need to support the extra methods; disable the WebDAV service and turn off the PUT, MOVE, COPY and similar methods.



## Local File Inclusion Vulnerability (High Risk)

*Introduction:*

Because the developer does not check user-controlled variables, the user controls which file is included. On success the web server executes a chosen file as script, giving the attacker a degree of server access, or reads system files directly, leaking sensitive server information.

*Fix:*

Use a "whitelist" to limit the range of files that may be included.



## Remote File Inclusion Vulnerability (High Risk)

*Introduction:*

When the server includes arbitrary files through a language feature (function) and the source of the included file is not strictly filtered, a malicious file can be included: the attacker hosts a specially crafted remote file and has it included to achieve the attack.

*Fix:*

If files really must be included dynamically, explicitly specify which files may be included and compare against a whitelist. A directory restriction can also be added to the include function.



## **Arbitrary File Read Vulnerability (High Risk)**

*Introduction:*

Insufficient filtering lets an attacker use sequences such as ../../../ to move to other directories and read arbitrary files.

*Fix:*

1. Filter the special sequence "../";
2. Restrict reads to a specific directory and do not allow reads across directories.



## **Arbitrary File Download Vulnerability (High Risk)**

*Introduction:*

Prepending ../../../../ to the file parameter of a normal download link escapes the directory restriction and downloads system files or any other file. The vulnerability arises because the back-end code places no security restriction on the download path.

*Fix:*

Strictly restrict the file download path.
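The four sections above (local and remote inclusion, arbitrary read, arbitrary download) share one fix: resolve the requested path against a fixed base directory and refuse anything that ends up outside it, or, for inclusion, accept only names from a fixed list. The following is an added example written for this page, not code from the original post; `resolve_inside`, `safe_include` and the base directory `/srv/files` are assumptions for the demonstration. Resolving the real path (rather than just filtering "../") also covers symlinks and encoded variants.

```python
from pathlib import Path


class PathTraversal(Exception):
    pass


def resolve_inside(base_dir, user_path):
    """Resolve `user_path` relative to `base_dir` and refuse anything that escapes it.
    A leading slash is stripped so an absolute user path cannot replace the base."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path.lstrip("/\\")).resolve()   # follows symlinks and collapses ".."
    if candidate == base:
        raise PathTraversal("empty path")
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversal(user_path) from None
    return candidate


def is_inside(base_dir, user_path):
    try:
        resolve_inside(base_dir, user_path)
        return True
    except PathTraversal:
        return False


# Inclusion whitelist: fixed names only, the request selects one of them and nothing else
INCLUDABLE = ("header.html", "footer.html", "sidebar.html")


def safe_include(base_dir, name, allowed=INCLUDABLE):
    if name not in allowed:
        raise PathTraversal(name)
    return resolve_inside(base_dir, name)


def download_path(base_dir, requested):
    """Download handler helper: the resolved path is the only thing ever opened."""
    return str(resolve_inside(base_dir, requested))
```

Because the check is on the resolved path and not on the raw string, a request that encodes ".." differently (URL-encoded, double-encoded, backslashes) is handled by the same line that handles the plain form.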



## SSRF (Server-Side Request Forgery) (High Risk)

*Introduction:*

Many web applications fetch data from other servers: given a user-specified URL, the application can fetch images, download files, read file contents and so on. If this feature is abused, the vulnerable web application becomes a proxy for attacking remote and local servers, probing the internal network and even intruding into it.

*Fix:*

SSRF mostly arises because the server offers a feature that fetches data from other servers or applications without filtering or restricting the target address, for example fetching page text from a given URL, loading an image from a given address, downloading, and so on. Strictly restrict the value of the URL parameter.
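"Strictly restrict the URL parameter" concretely means: allow only http/https, refuse embedded credentials, resolve the host once, reject anything that resolves to a loopback, private, link-local or otherwise non-public address, and connect to the IP that was checked. The following is an added example written for this page, not code from the original post; `validate_fetch_url`, `is_allowed_url` and the fake resolver table are assumptions for the demonstration (the resolver is injectable so the check runs without network access).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolve=socket.gethostbyname, host_allowlist=None):
    """Return the public IP the fetcher must connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")             # file://, gopher://, dict://, ...
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    host = parts.hostname                                  # strips brackets, userinfo and port
    if not host:
        raise ValueError("missing host")
    if host_allowlist is not None and host not in host_allowlist:
        raise ValueError("host not in allowlist")
    try:
        ip_text = str(ipaddress.ip_address(host))          # literal IPv4/IPv6
    except ValueError:
        ip_text = resolve(host)                            # name: resolve once, connect to this IP
    if not is_public_ip(ip_text):
        raise ValueError(f"{host} resolves to non-public address {ip_text}")
    return ip_text


def is_allowed_url(url, resolve=socket.gethostbyname):
    try:
        validate_fetch_url(url, resolve=resolve)
        return True
    except ValueError:
        return False


# Constructed DNS answers for the demo: no real lookups are made.
FAKE_DNS = {
    "img.example.org": "8.8.8.8",
    "intranet.corp": "10.0.0.5",
    "metadata.local": "169.254.169.254",
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError("unknown host") from None
```

Two points the page's one-line fix leaves implicit: the HTTP client must connect to the returned IP (otherwise a second DNS lookup at connect time can return a different, internal answer), and redirects must be re-validated with the same function before they are followed.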



## **ShopXO Arbitrary File Read (High Risk)**

*Introduction:*

ShopXO is an open-source, enterprise-grade e-commerce system. It has an arbitrary file read vulnerability that an attacker can exploit to obtain sensitive information.

*Fix:*

Upgrade the system.



## Resin Arbitrary File Read Vulnerability (High Risk)

*Introduction:*

Sites running certain versions of the Resin server allow arbitrary files to be read; an attacker can read the contents of any file on the web server.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.

# Command Execution and Code Execution Class



## Struts2 dev-mod Command Execution Vulnerability (High Risk)

*Introduction:*

The site is built on the Apache Struts XWork application framework with devMode enabled. When this setting is on, Struts2 provides extra logging and debug information to help developers work faster.
In developer mode, however, OGNL statements can be injected, and an attacker may use this for remote code execution.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-005 Command Execution Vulnerability (High Risk)

*Introduction:*

OGNL provides, among other features, extensive expression evaluation. This vulnerability lets a malicious user bypass the "#"-usage protection built into ParametersInterceptor and achieve remote code execution.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-009 Command Execution Vulnerability (High Risk)

*Introduction:*

OGNL provides, among other features, extensive expression evaluation. This vulnerability lets a malicious user bypass all the protections built into ParametersInterceptor (regular-expression patterns, denial of method invocation) and inject malicious expressions into any exposed string variable for further evaluation. Similar behaviour was addressed in S2-003 and S2-005, but the fix based on whitelisting acceptable parameter names only partially closed the hole. The ParametersInterceptor regular expression matches top['foo'](0) as a valid expression; OGNL treats it as (top['foo'])(0) and evaluates the value of the 'foo' action parameter as an OGNL expression. This lets a malicious user place arbitrary OGNL statements into any string variable exposed by an action and have them evaluated as OGNL expressions. Because the OGNL statement sits in an HTTP parameter value, the attacker can use blacklisted characters (such as #) to disable the method-execution restriction and invoke arbitrary methods, bypassing the protections of both ParametersInterceptor and the OGNL library.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-016 Command Execution Vulnerability (High Risk)

*Introduction:*

In Struts2, the DefaultActionMapper class supports the "action:", "redirect:" and "redirectAction:" prefixes for navigation and redirection, but an OGNL expression may follow these prefixes. Because Struts2 does not filter them, an OGNL expression can call Java static methods and execute arbitrary system commands.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-017 URL Redirection Vulnerability (High Risk)

*Introduction:*

In Struts 2 before 2.3.15.1, the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-019 Command Execution Vulnerability (High Risk)

*Introduction:*

Struts2's action mapping mechanism supports special parameter prefixes that may append navigation information at the bottom of a form; a security bypass exists when mapping the "action:" prefix, which an attacker can use to bypass certain restrictions and reach restricted functions. Struts2's Dynamic Method Invocation mechanism is enabled by default (users are merely advised to disable it when possible), which creates a remote code execution vulnerability: an attacker can execute arbitrary code in the context of the affected application.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-032 Command Execution Vulnerability (High Risk)

*Introduction:*

When dynamic method invocation is enabled, a malicious expression can be passed in to execute arbitrary code on the server side.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-037 Command Execution Vulnerability (High Risk)

*Introduction:*

When Struts2 uses the REST plugin, the ActionMapping is obtained through the public ActionMapping getMapping(HttpServletRequest request, ConfigurationManager configManager) method of the org.apache.struts2.rest.RestActionMapper class. For a request URL of the form actionName/id/methodName, methodName is taken as the method property of the ActionMapping, and this property is not processed in any way. As in S2-032, the ActionMapping's properties are set on the ActionProxy, the method property is taken from the ActionProxy into an OGNL expression and evaluated; through a static OGNL call the attacker obtains the DEFAULT_MEMBER_ACCESS property of ognl.OgnlContext and overwrites _memberAccess to bypass the restrictions, and can then execute arbitrary code on the controlled server. In other words, any Struts 2 server with the REST plugin deployed can be exploited for remote command execution.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-045 Command Execution Vulnerability (High Risk)

*Introduction:*

In Struts deployments using the Jakarta file-upload plugin, an attacker can trigger the vulnerability by modifying the Content-Type value in the HTTP request header when uploading a file, and then execute system commands.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-046 Command Execution Vulnerability (High Risk)

*Introduction:*

In Struts deployments using the Jakarta file-upload plugin, an attacker can trigger the vulnerability when the upload size (given by the Content-Length header) exceeds the maximum Struts2 allows (2 GB) by placing a malicious OGNL expression in the file name, and then execute system commands.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## S2-052 Command Execution Vulnerability (High Risk)

*Introduction:*

If Apache Struts2 Freemarker tags are misconfigured, the result is a remote code execution (RCE) vulnerability.

*Fix:*

1. Upgrade to Apache Struts 2.5.12 or 2.3.34;

2. Initialise the value attribute with a read-only property (getter only);

3. Do not take the content of Freemarker tags from the request.



## S2-053 Command Execution Vulnerability (High Risk)

*Introduction:*

The Struts2 REST plugin uses an XStream handler to deserialize data without any code filtering, which may lead to remote code execution when XML payloads are deserialized. Any attacker can craft malicious XML content to escalate privileges.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## JDWP Remote Command Execution Vulnerability (High Risk)

*Introduction:*

JDWP (Java Debug Wire Protocol) defines the communication protocol between a debugger and the target Java virtual machine. When Java debug mode is exposed externally through this protocol, a remote command execution vulnerability exists that lets an attacker execute code remotely and gain control of the server.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## ElasticSearch Command Execution Vulnerability (High Risk)

*Introduction:*

The vulnerability lies in the ElasticSearch.yml configuration file, whose "script.disable_dynamic" option defaults to "false". This default lets the server dynamically execute arbitrary code sent by users: an attacker need only send a piece of code to the server through a URL to create and run their own program. Once in, their actions on the server are unrestricted, including stealing user accounts, passwords and other sensitive information from the site, or leaving a backdoor.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## GNU Bash Remote Command Execution (High Risk)

*Introduction:*

GNU Bash 4.3 and earlier has a vulnerability in the evaluation of certain crafted environment variables: appending extra strings after a function definition in an environment variable's value triggers it, allowing an attacker to change or bypass environment restrictions and execute shell commands.

*Fix:*

1. Upgrade to the latest version;
2. If the system is no longer in use, take it offline or block it with a firewall.



## WebLogic Java Deserialization Remote Command Execution Vulnerability (High Risk)

*Introduction:*

WebLogic has a Java deserialization vulnerability that allows an attacker to execute system commands remotely and gain control of the server.

*Fix:*

Apply the official patches promptly.



## **Shiro Deserialization Command Execution Vulnerability (High Risk)**

*Introduction*

Exploitation tool referenced by the author: Shiro deserialization exploitation toolkit

https://github.com/j1anFen/shiro_attack

Shiro-550 (Shiro versions below 1.2.5) is a command-execution vulnerability caused by deserialization of the rememberMe cookie content. The cause is that the AES key is hard-coded in the Shiro source, so a payload inserted into the rememberMe field of the cookie leads to arbitrary code execution.

*Fix:*

Upgrade Shiro.



## **JBoss Deserialization Command Execution Vulnerability (High Risk)**

*Introduction*

The root cause is in the CommonsCollections component: its collection operations include a method that performs reflective invocation, and that method is not validated in any way when the relevant objects are deserialized, leading to remote code execution. Exploiting the vulnerability lets an attacker execute system commands remotely and gain control of the server, putting its operation at risk.

*Fix:*

1. For the JBoss Java deserialization vulnerability, update JBoss to the latest version (http://www.jboss.org/) or apply the official patch;

2. Change the database account password; require at least 8 characters including digits, upper- and lower-case letters and special characters;

3. Perform a full security check of the server, promptly find and remove webshells and other backdoor files, and change the database password and other credentials.



## **JBoss JMXInvokerServlet Remote Command Execution Vulnerability (High Risk)**

*Introduction*

A default JBoss installation deploys the http-invoker.sar application; requests to invoker/JMXInvokerServlet or invoker/EJBInvokerServlet are handled by org.jboss.invocation.http.servlet.InvokerServlet.class, which passes both GET and POST requests to the processRequest function. An attacker therefore only needs to construct a JBoss class, serialize it, and submit the serialized data directly to the invoker/JMXInvokerServlet page of the vulnerable site for the malicious code to be executed.

*Fix:*

Delete or deny access to /invoker/JMXInvokerServlet.



## **ThinkPHP Command Execution (High Risk)**

*Introduction:*

The ThinkPHP5 framework does not sufficiently check controller names; when forced routing is not enabled, an attacker can craft a specific request and directly obtain a webshell.

*Fix:*

Upgrade ThinkPHP to the latest version.



## **Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2016-3088) (High Risk)**

*Introduction*

Apache ActiveMQ Fileserver has multiple vulnerabilities that allow a remote attacker to replace the web application with malicious code and execute code remotely on the affected system (CVE-2016-3088).

*Fix:*

1. The ActiveMQ Fileserver feature was removed in version 5.14.0 and later; upgrade to 5.14.0 or later;

2. Disable the ActiveMQ Fileserver feature by removing its configuration from conf\jetty.xml.



## JBoss Seam Parameterized EL Expression Remote Code Execution Vulnerability (High Risk)

*Introduction:*

JBoss Seam is a Java EE 5 framework that unifies JSF and EJB 3.0 components to provide a modern model for developing web-based enterprise applications. JBoss Seam has an input-filtering vulnerability (CVE-2010-1871) in the way it handles certain parameterized JBoss EL expressions. If a remote attacker can trick an authenticated JBoss Seam user into visiting a specially crafted web page, arbitrary code may be executed.

*Fix:*

Upgrade to 4.3.0 EL4 or a later version confirmed to fix this vulnerability. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=615956.



## HTTP.sys Remote Code Execution Vulnerability (MS15-034) (High Risk)

*Introduction*:

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) when it improperly parses specially crafted HTTP requests. An attacker need only send a malicious HTTP request to read IIS server memory remotely or crash the server with a blue screen.

*Fix*:

Mitigations: https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-034
Patch: https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2015/ms15-034?redirectedfrom=MSDN



## WebView Remote Code Execution Vulnerability (High Risk)

*Introduction*:

The addJavascriptInterface method of the WebView component bridges native Java and JavaScript, but it does not restrict which methods can be invoked, so an attacker can call any Java class and JavaScript code can attack the device arbitrarily.

*Fix*:

Avoid using addJavascriptInterface. For Android API level 17 and above, Google requires that every method callable from JavaScript be annotated with @JavascriptInterface on the Java side. When using a JS-to-Java bridge, validate every incoming parameter to prevent malicious code.

# Denial of Service Class



## slowhttp Denial of Service Attack (Medium Risk)

*Introduction*:

If a remote attacker uses a packet tool to send incomplete HTTP requests to an Apache server, the server opens the connection and waits to receive the complete headers; if the tool then sends invalid headers instead of completing the request, the connection stays open. The impact is severe because the attacker needs very little traffic to exhaust the server's available connections: even a low-bandwidth user can attack a high-traffic server.

*Fix*:

1. Upgrade to the latest version of Apache;

2. Add RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 to httpd.conf;

3. Limiting the number of connections per IP directly in iptables solves most of the above; unless the attacker controls many bots, a single-IP attack becomes ineffective: iptables -A INPUT -p tcp --syn --dport 8889 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset









uncategorized

Host header attack (high risk)

introduce:

For developers, it is a very unwise choice to extract the Host parameter in the request header and write it to the current page. Because if this is the case, the attacker can control the server to return the URL in the page by modifying the Host field in the HTTP request header.

repair:

Reading the Host field and writing to the page is not allowed. The SERVER_NAME variable that comes with the server script should be used if needed.

Domain name access restrictions are not strict (high risk)

introduce:

The target has a loophole of lax domain name access restrictions. The Hostname field of the Http request does not have strict domain name restrictions, which can bypass some protection measures.

repair:

Configure the WEB server to restrict access to the server only in the form of a domain name.

URL redirection (medium risk)

introduce:

URL redirection (URL redirection) vulnerability, also known as jump vulnerability, refers to the fact that a web application accepts user-controllable input as a link to an external site, and then uses the link in the redirection. This security hole provides great convenience for phishing attacks.

repair:

1. Restrictions on referer If you determine the source of passing URL parameters, you can implement security restrictions in this way to ensure the validity of the URL and prevent malicious users from generating jump links themselves. 2. Add validity verification Token to ensure that all generated links are from trusted domains. By adding Token that users cannot control in the generated links to verify the generated links, users can avoid generating their own malicious links and thereby Be exploited. 3.URL whitelist, redirect only in the whitelist

Session Hijacking Vulnerability (Medium Severity)

introduce:

An attack method in which an attacker obtains a user's Session ID through brute force cracking, prediction, or theft (network sniffing/XSS attack), and then uses the Session ID to log in to the target account.

repair:

1. Change the Session name. The default name of the Session in PHP is PHPSESSID, and this variable will be saved in the cookie. If the attacker does not analyze the site, he cannot guess the Session name and block some attacks. 2. Turn off the transparent Session ID. Transparent Session ID means that when the Http request in the browser does not use cookies to store the Session ID, the Session ID is passed using the URL. 3. Set HttpOnly. By setting the HttpOnly of the cookie to true, the client script can be prevented from accessing the cookie, thereby effectively preventing XSS attacks. 4. Close all phpinfo dump request information pages. 5. Use User-Agent to detect the consistency of the request. But some experts warn against relying on checking User-Agent consistency. This is because the HTTP proxy server in the server cluster will edit the User-Agent, and multiple proxy servers in the cluster may be inconsistent when editing the value.

Session Fixation Vulnerability (Medium Severity)

introduce:

Session fixation can also be regarded as a type of session hijacking, because the main purpose of session fixation attacks is also to obtain the legitimate session of the target user, but session fixation can also force the victim to use a valid session set by the attacker , so as to obtain the user's sensitive information.

repair:

1. A new Session ID is generated when the user logs in. This can be very effective if the session identifier used by the attacker is not valid. If it is not a valid session identifier, the server will ask the user to log in again. If the attacker is using a valid Session ID, then the attack can also be avoided by means of verification. 2. Most of the methods to prevent session hijacking are also effective against session fixation attacks. Such as setting HttpOnly, turning off transparent Session ID, User-Agent verification, Token verification, etc.

DNS Domain Transfer Vulnerability (Medium Severity)

introduce:

DNS zone transfer (DNS zone transfer) refers to a standby server using data from the primary server to refresh its domain (zone) database. Generally speaking, DNS zone transfer operations are only performed when there are really standby domain name DNS servers in the network. It is necessary to use it, but many DNS servers are incorrectly configured to provide details of a zone database to the other party as long as a client makes a request.

repair:

Restrict zone transfers between name servers with an ACL, normally the allow-transfer option in /etc/named.conf (BIND). If the vulnerable server is ns1 and ns2, ns3 and ns4 are its secondaries, transfers should be allowed only to those addresses: allow-transfer { localhost; IP of ns2; IP of ns3; IP of ns4; }; Afterwards confirm from a host outside the list that a transfer request (for example dig @ns1 example.com AXFR) is refused.
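The configuration below is an added example, not taken from the original page. It shows the allow-transfer restriction as a named ACL in BIND's named.conf; the zone name and the 192.0.2.x addresses (the documentation address range) are placeholders standing in for the real ns2, ns3 and ns4.

```conf
// /etc/named.conf (example; addresses and zone name are placeholders)

acl "secondaries" {
    192.0.2.2;   // ns2
    192.0.2.3;   // ns3
    192.0.2.4;   // ns4
};

options {
    directory "/var/named";
    // Global default: no zone transfers unless a zone overrides it.
    allow-transfer { none; };
};

zone "example.com" IN {
    type master;     // "type primary;" in BIND 9.16 and later
    file "example.com.zone";
    allow-transfer { localhost; secondaries; };
    also-notify { 192.0.2.2; 192.0.2.3; 192.0.2.4; };
};
```

After `rndc reload`, `dig @ns1.example.com example.com AXFR` from an address outside the ACL prints "Transfer failed.", while the same query from ns2 returns the full zone. Where the secondaries are reachable from untrusted networks, authenticate transfers with a TSIG key in addition to the IP ACL, since source addresses alone can be spoofed in some setups.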

Website hacking traces detected (high risk)

introduce:

The website pages have been tampered with or have traces of intrusion.

repair:

Remove the web shells and tampered pages (restore from a known-clean copy), find the vulnerability that was used to get in and fix it, then scan the whole site for remaining weaknesses; without closing the entry point the attacker simply returns. Rotate any credentials stored on the compromised server.

Insufficient Transport Layer Protection Vulnerability (Medium Severity)

introduce:

Insufficient protection of the transport layer exposes transmitted data to eavesdropping, leading to account theft and similar attacks. If an administrator's account is affected, the entire site is effectively exposed, which can cause serious and sometimes irreparable damage to the site and its users.

repair:

1. Use TLS (HTTPS) for all sensitive pages and redirect plain-HTTP requests for them to HTTPS; in practice, serve the whole site over HTTPS and send an HSTS header so browsers stop using HTTP at all;

2. For all sensitive cookies, set the "secure" flag;

3. Ensure the TLS configuration offers only strong protocol versions and cipher suites (no SSLv2/SSLv3, no RC4, export, NULL or anonymous suites), so the traffic cannot be easily decrypted;

4. Make sure your certificate is valid, not expired, not revoked, and matches all domains used by this website;

5. Back-end and other connections (to databases, APIs and internal services) should also use TLS or another form of encryption;

6. Even developer comments in pages should not reveal internal information.

The server has enabled the TRACE Method method (medium risk)

introduce:

The TRACE method echoes the received request back in the response body. An attacker can use it to learn about components in front of the site (caching and reverse-proxy servers, and the headers they add) in preparation for further attacks. Combined with a cross-site scripting flaw (cross-site tracing, XST), it can be used to read request headers including the Cookie header, which bypasses the HttpOnly flag because the cookie value comes back in the response body rather than being read from document.cookie. Current browsers refuse to issue TRACE from script, so the practical risk today is mostly the information leak.

repair:

Disable the TRACE method (Apache: TraceEnable off; nginx does not implement TRACE and answers 405; IIS: add TRACE to the denied verbs in Request Filtering). Verify with a manual TRACE request, which should return 405 Method Not Allowed instead of echoing the request.

Clickjacking Vulnerability (Missing X-Frame-Options Header) (Medium Severity)

introduce:

The attacker loads the target page in an invisible frame layered over (or under) a decoy page. The victim believes they are clicking the page they see, but the click actually lands on a control in the framed target site, which the attacker has carefully positioned.

repair:

Send the X-Frame-Options header (DENY, or SAMEORIGIN if the site frames its own pages) so browsers refuse to render the page inside a frame from another site. On current browsers the Content-Security-Policy frame-ancestors directive does the same job and is the preferred mechanism; send both.

Unsafe HTTP method enabled (OPTIONS method enabled) (medium risk)

introduce:

Unsafe HTTP methods are enabled: DELETE, SEARCH, COPY, MOVE, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK and PUT (the WebDAV method set). If the server honours them without authentication, an attacker may upload, modify or delete pages, scripts and files on the web server. OPTIONS itself is harmless, but the Allow header it returns is how scanners discover which methods are enabled.

repair:

If the server does not need WebDAV, disable it (Apache: Dav Off or do not load mod_dav; IIS: remove the WebDAV feature) and restrict the allowed methods to those the application actually uses, typically GET, POST and HEAD. OPTIONS may remain, but its Allow list should then contain only those methods.
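The following Apache configuration is an added example, not from the original page, collecting the fixes for the four items above (transport-layer protection, TRACE, clickjacking, unsafe methods) in one virtual host. The host name, certificate paths and document root are placeholders; mod_ssl and mod_headers must be loaded.

```apache
# Added example: site configuration for www.example.com (placeholders throughout)

# Every plaintext request goes to HTTPS
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"

    # Strong protocols and ciphers only: no SSLv3/TLS 1.0/1.1, no RC4, 3DES, NULL or anonymous suites
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # Tell browsers to use HTTPS for this host for a year
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Clickjacking: refuse framing from other origins (both headers, for old and new browsers)
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"

    # Mark cookies Secure and HttpOnly at the edge. This appends unconditionally (a cookie
    # that already has the flags gets them twice, which browsers tolerate), so treat it as
    # a backstop for applications that do not set the flags themselves.
    Header edit Set-Cookie "^(.*)$" "$1; Secure; HttpOnly"

    # TRACE off (cross-site tracing); a TRACE request now gets 405
    TraceEnable off

    # No WebDAV, and only the methods the application uses
    <Location "/">
        <LimitExcept GET POST HEAD>
            Require all denied
        </LimitExcept>
    </Location>

    # No directory listings
    <Directory "/var/www/html">
        Options -Indexes
    </Directory>
</VirtualHost>
```

Check the result from outside: a TRACE request (`curl -sk -X TRACE https://www.example.com/ -o /dev/null -w '%{http_code}'`) should print 405, a PUT should be refused, and the response headers of any page should show X-Frame-Options and Strict-Transport-Security.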

Tomcat version too low vulnerability (medium risk)

introduce:

The installed Tomcat release is old and carries publicly known security vulnerabilities.

repair:

Upgrade Tomcat to a supported release and apply patches promptly; the Apache Tomcat security pages list which versions each vulnerability affects.

Apache Tomcat Examples Directory Vulnerability (Medium Severity)

introduce:

Tomcat ships with example applications (/examples) and documentation (/docs). The examples reveal server information, several have had cross-site scripting issues, and the session example lets anyone create, inspect and invalidate sessions on the server.

repair:

Remove the examples and docs applications, and any other unused default web applications (host-manager, manager if unneeded), from the webapps directory on production servers.

SpringBlade framework default SIGN_KEY key (CVE-2021-44910) (high risk)

introduce:

SpringBlade is a project in which a SpringCloud distributed microservice architecture and a SpringBoot monolithic architecture coexist. The framework ships with a default SIGN_KEY (the key used to sign its JWT tokens). An installation that keeps the default lets an attacker forge valid tokens and call interfaces that return sensitive information such as user accounts, passwords and logs.

repair:

1. Replace the default SIGN_KEY with a long random value before deployment, which removes the root cause; 2. Set access policies on firewalls or other security devices and allow only whitelisted sources; 3. If not necessary, do not expose the system to the public network; 4. Restrict directory access rights.

SSL/TLS server Diffie-Hellman public key vulnerability (high risk)

introduce:

Diffie-Hellman key exchange lets two parties agree on a shared secret and is widely used by Internet protocols, TLS included, to negotiate a secure connection. When the server's ephemeral Diffie-Hellman (DHE) group is 1024 bits or smaller, the exchange may be vulnerable to passive eavesdropping by a well-resourced attacker who precomputes against the commonly used group (the Logjam attack); 512-bit export groups can be broken outright.

repair:

Use 2048-bit or larger Diffie-Hellman groups with "safe" primes, or prefer ECDHE cipher suites, and disable export cipher suites. See: Logjam: PFS Deployment Guide

OpenSSL Remote Memory Leak Vulnerability (Heartbleed Vulnerability) (High Severity)

introduce:

OpenSSL is an open-source implementation of SSL/TLS used for strong encryption of network communications. The vulnerability lies in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520), hence the name "Heartbleed". It requires no privileged information or authentication and lets an attacker read server memory, which may contain the private key of the X.509 certificate, user names and passwords, cookies and other secrets; with those, the attacker can decrypt or impersonate the service and steal chat messages, e-mail, business documents and other private data.

repair:

Upgrade OpenSSL to 1.0.1g or any later release (the affected versions are 1.0.1 through 1.0.1f and 1.0.2-beta1). If upgrading is impossible, recompile the existing version with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension. Because private keys and session credentials may already have been read, reissue certificates and invalidate sessions after patching.

Apache apisix default key vulnerability (CVE-2020-13945) (high risk)

Introduction :

Apache APISIX is a dynamic, real-time, high-performance API gateway built on the Nginx network library and etcd, providing load balancing, dynamic upstreams, canary releases, circuit breaking, authentication, observability and other traffic-management functions. When the Admin API is enabled, no IP access policy is configured for it, and the token in the configuration file is left at its default, an attacker can use that default token to call the Admin API and take control of the gateway.

fix :

(1) Change admin_key in conf/config.yaml to a long random value and never use the default token; (2) If the Admin API is not needed, disable it, otherwise restrict it to trusted source IPs; (3) Upgrade Apache APISIX to the latest version.

Weak password login class

Weak password (high risk)

introduce:

Weak passwords refer to passwords that only contain simple numbers and letters, such as "123456", "abc", etc., because such passwords are easy to be cracked by others, thus putting users' information assets at risk. Attackers can directly exploit this vulnerability to gain access.

repair:

1) Do not use empty passwords or system default passwords; these are well known and are the typical weak passwords; 2) The password should be at least 8 characters long; 3) It should not consist of repeated or sequential characters (for example AAAAAAAAA or abcdefgh) or of a repeated short pattern (for example tzf.tzf.); 4) It should contain characters from all four classes: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters. If a class contributes only one character, that character should not be the first or last one; 5) It should not contain the name, date of birth, anniversary, login name or e-mail address of the user or of their parents, children or spouse; 6) It should not be a dictionary word with some letters replaced by digits or symbols (P@ssw0rd); 7) It should be easy to remember and quick to type, so that nobody can read it over your shoulder; 8) Change it at least every 90 days so that an undetected intruder cannot keep using it indefinitely.
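The following is an added example, not code from the original page: a server-side checker that enforces the policy items above at password-set time. The leetspeak substitution table, the short weak-word list and the sequence/repeat thresholds are assumptions chosen for the illustration; a real deployment would also check candidates against a breached-password list.

```python
import re

MIN_LENGTH = 8
# constructed sample of empty/default/well-known passwords
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "123456"}
# assumed substitution table: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s, !->i
LEET = str.maketrans("0134578@$!", "oieastbasi")


def _char_class(c: str) -> str:
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "special"


def _repeated(pw: str) -> bool:
    """AAAAAAAAA, or a short unit repeated to fill the password (tzf.tzf.)."""
    if re.search(r"(.)\1{2,}", pw):
        return True
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return True
    return False


def _sequential(pw: str, run: int = 4) -> bool:
    """abcd / 4321 style runs of `run` or more consecutive characters."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the list of policy violations (an empty list means acceptable).

    `personal` holds strings that must not appear: login name, e-mail, names and
    dates of relatives, as listed in rule 5.
    """
    problems = []
    if pw == "" or pw.lower() in WEAK_WORDS:
        problems.append("empty, default or well-known password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw and (_repeated(pw) or _sequential(pw)):
        problems.append("repeated or sequential characters")

    classes = [_char_class(c) for c in pw]
    for cls in ("upper", "lower", "digit", "special"):
        count = classes.count(cls)
        if count == 0:
            problems.append(f"no {cls} character")
        elif count == 1 and cls in (classes[0], classes[-1]):
            problems.append(f"the only {cls} character is first or last")

    lowered = pw.lower()
    unleeted = lowered.translate(LEET)          # P@ssw0rd -> password
    if lowered not in WEAK_WORDS and unleeted in WEAK_WORDS:
        problems.append("well-known word with letters replaced by digits/symbols")
    for item in personal:
        item = item.lower()
        if len(item) >= 3 and (item in lowered or item in unleeted):
            problems.append(f"contains personal information ({item})")
    return problems


def is_acceptable(pw: str, personal: tuple = ()) -> bool:
    return not check_password(pw, personal)
```

Rule 7 (memorability) and rule 8 (rotation) are not properties of the string itself; rotation belongs in the account record (a timestamp checked at login), not here.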

FTP weak password (high risk)

introduce:

An attacker who logs in to the FTP server with a weak password can read the server's data and, if the FTP root overlaps the web root or other writable locations, upload files to gain control of the server and then attack other assets on the intranet.

repair:

(1) Restrict who may log in and from where (per-user permissions, a source-IP whitelist); (2) Disable anonymous login; (3) Set strong passwords and prefer SFTP or FTPS, since plain FTP sends credentials in clear text.

Arbitrary User Password Reset Vulnerability (High Risk)

introduce:

The system validates the password-reset request on the client side only (for example, the verification code or the identity of the account being reset is checked in the browser and not again on the server), so a user can modify the request in transit, bypass the check and reset the password of any account.

repair:

Perform all reset logic on the server: verify the code server-side with a single-use, short-lived token bound to the account that requested it, and never trust a user ID, phone number or e-mail taken from the client request when deciding which account is reset.

Captcha Vulnerability (High Risk)

introduce:

The verification code can be reused after one submission, so it does not slow down brute-force guessing; or codes can be requested with no limit on count or time, so they can be sent endlessly.

repair:

Invalidate the code after every login attempt, successful or not, and issue a new one, so that it cannot be reused for brute forcing; rate-limit code delivery, for example at most one code per 120 seconds per account or phone number, and expire codes after a few minutes.

Brute Force Vulnerability (Medium Risk)

introduce:

The login entry has no verification code, or the code can be reused after one submission, which makes brute forcing possible. An attacker tries every possible combination of letters, digits and symbols, or uses a brute-force tool and password lists, until a correct combination is found, and then logs in to carry out further attacks.

repair:

1. Add a verification code that changes after every failed login; 2. Limit the number of wrong logins per account to prevent brute forcing: for example, if the same user fails to log in 6 times within 5 minutes, lock the account for 30 minutes. Also rate-limit by source IP, since attackers spread attempts over many accounts.

SMS bombing vulnerability (medium risk)

introduce:

SMS bombing is a design flaw that lets the client trigger SMS verification codes without limit. An attacker can use it to flood any phone number, which harms the company's reputation, costs money per message, and creates operational risk.

repair:

Tighten control on the interface that sends SMS verification codes, and limit on the server side the number of messages per phone number and per source per unit of time (with a minimum interval between sends and an hourly or daily cap).
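The following is an added example, not code from the original page, implementing the server-side throttling described in the captcha, brute-force and SMS-bombing items above in one guard: single-use captchas, lockout after 6 failures in 5 minutes for 30 minutes, a 120-second minimum interval between SMS codes, and one generic error message for every failed login. The thresholds follow the text; the hourly SMS cap, the user table and all class and function names are assumptions. A manual clock is included so the lockout can be exercised without waiting.

```python
import secrets
import time
from collections import defaultdict, deque

FAIL_LIMIT = 6             # 6 failures ...
FAIL_WINDOW = 5 * 60       # ... within 5 minutes ...
LOCK_SECONDS = 30 * 60     # ... lock for 30 minutes
SMS_INTERVAL = 120         # at most one code per number every 120 s
SMS_PER_HOUR = 5           # assumed additional hourly cap per number
GENERIC_ERROR = "wrong username or password"

USERS = {"alice": "correct horse battery staple"}   # constructed; store hashes in reality


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.locked_until = {}
        self.captchas = {}                   # captcha id -> answer, removed on first use
        self.sms_log = defaultdict(deque)    # phone -> timestamps of codes sent

    def new_captcha(self):
        cid = secrets.token_hex(8)
        answer = secrets.token_hex(3)        # stands in for the text in the captcha image
        self.captchas[cid] = answer
        return cid, answer

    def login(self, username, password, captcha_id, captcha_answer):
        now = self.clock()
        # A captcha is consumed by its first use, whether or not the login succeeds,
        # so one solved captcha cannot cover a whole password list.
        expected = self.captchas.pop(captcha_id, None)
        if expected is None or not secrets.compare_digest(expected.encode(), str(captcha_answer).encode()):
            return False, "captcha invalid or already used"
        # Lockout is keyed on the submitted name even if no such user exists, and the
        # locked response is the generic one, so nothing reveals which names are real.
        if self.locked_until.get(username, 0) > now:
            return False, GENERIC_ERROR
        recent = self.failures[username]
        while recent and now - recent[0] > FAIL_WINDOW:
            recent.popleft()
        stored = USERS.get(username, "")
        if stored and secrets.compare_digest(stored.encode(), str(password).encode()):
            recent.clear()
            return True, "ok"
        recent.append(now)
        if len(recent) >= FAIL_LIMIT:
            self.locked_until[username] = now + LOCK_SECONDS
            recent.clear()
        return False, GENERIC_ERROR

    def request_sms_code(self, phone):
        """Return a code to send, or None if the number is being throttled."""
        now = self.clock()
        sent = self.sms_log[phone]
        while sent and now - sent[0] > 3600:
            sent.popleft()
        if sent and now - sent[-1] < SMS_INTERVAL:
            return None
        if len(sent) >= SMS_PER_HOUR:
            return None
        sent.append(now)
        return f"{secrets.randbelow(10 ** 6):06d}"


class ManualClock:
    """Deterministic clock so the lockout can be exercised without waiting."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through the scenarios and return the outcomes keyed by name."""
    clock = ManualClock()
    guard = LoginGuard(clock)

    def attempt(user, pw):
        cid, ans = guard.new_captcha()
        return guard.login(user, pw, cid, ans)

    out = {}
    cid, ans = guard.new_captcha()
    guard.login("alice", "wrong", cid, ans)                     # failure 1, captcha consumed
    out["captcha_reuse"] = guard.login("alice", "correct horse battery staple", cid, ans)
    out["unknown_user"] = attempt("mallory", "x")
    for _ in range(FAIL_LIMIT - 1):                             # failures 2..6 -> locked
        attempt("alice", "wrong")
    out["locked"] = attempt("alice", "correct horse battery staple")
    clock.advance(LOCK_SECONDS)
    out["after_lock"] = attempt("alice", "correct horse battery staple")
    out["sms_first"] = guard.request_sms_code("+15550100")
    out["sms_immediate"] = guard.request_sms_code("+15550100")
    clock.advance(SMS_INTERVAL)
    out["sms_later"] = guard.request_sms_code("+15550100")
    return out
```

The per-username lockout alone lets an attacker lock legitimate users out on purpose; combine it with per-source-IP limits and, for high-value accounts, with a second factor rather than ever-longer lockouts.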

Username Guessing Vulnerability (Medium Risk)

introduce:

The login response differs depending on whether the account exists (for example "user does not exist" versus "wrong password"), so an attacker can tell valid usernames from invalid ones and enumerate accounts.

repair:

Return the same generic message for both cases, such as "wrong username or password". Apply the same rule to registration and password-reset pages, and make sure the response time does not differ noticeably between existing and non-existing accounts.

SNMP Default Community Name Vulnerability (High Risk)

introduce:

Many operating systems and network devices ship SNMP agents with well-known default community strings (typically "public" for read access and "private" for write access). If these are left unchanged or set to weak values, a remote attacker can read detailed system information through the agent; with a write community string the attacker can change device configuration and, on some systems, modify files or execute commands.

repair:

Change the default community strings to long random values, restrict SNMP to management hosts with ACLs or a firewall, prefer SNMPv3 with authentication and encryption, or disable the SNMP service if it is not used.

Sensitive Information Leakage

Source code information leakage (high risk)

introduce:

Leakage of website source code files means that administrators mistakenly store website backup compressed files or sensitive information files in a certain website directory. Attackers can use this vulnerability to download the source code of the website, and analyze the source code to obtain sensitive information of the information system (such as databases, etc.), and then directly attack and control the server.

repair:

1. Do not store website backups or files containing sensitive information inside the web directory; keep them outside the document root; 2. If such files must be stored there, give them an unguessable name and encrypt them; 3. Use a software or hardware WAF; 4. Improve the security awareness of website administrators.

Error Page Information Disclosure (Application Error Message) (Medium Risk)

introduce:

An attacker can gather server information based on error or warning messages.

repair:

1. Turn off detailed error output in the web server; 2. Turn off error display in the runtime platform (for example display_errors in PHP); 3. Establish an error-handling mechanism that never returns the real error to the visitor: catch exceptions thrown by the back end and show a fixed page for each condition, such as "system exception, please contact the administrator" for a 500 error, a generic page for 403 (forbidden) and 404 (page not found), and log the details server-side instead.

Directory Traversal (High Risk)

introduce:

Directory listing (often reported by scanners as "directory traversal"): when a URL names a directory rather than a specific file and the directory has no index page, the server lists all files and subdirectories, revealing backups, configuration files and the structure of the site.

repair:

Disable directory indexing in the web container's configuration (Apache: remove the Indexes option; nginx: autoindex off; IIS: turn off Directory Browsing) and make sure every directory has an index page. This is a different problem from path traversal (../ sequences) in application code, which must be fixed with input validation in the application.

IIS Short Filename Vulnerability (Medium Severity)

introduce:

Microsoft IIS has a file-enumeration weakness related to Windows 8.3 short file names. Using the "~" character in requests, an attacker can guess or enumerate the short names of files and directories on the server, and on some versions can cause a denial of service in the .NET Framework.

repair:

Reject URLs containing "~" (and its URL- or Unicode-encoded forms) with URL rewriting or Request Filtering, disable 8.3 short name generation (fsutil 8dot3name set 1) and then copy existing files to a new directory so that their already-generated short names disappear, and upgrade IIS and .NET to supported versions.

Robots.txt file disclosure (medium risk)

introduce:

The robots.txt file lists the paths the site does not want search engines to crawl, which often includes the administrative back end and other private pages, so it tells an attacker exactly where to look.

repair:

1. Do not use robots.txt to protect or hide anything; it is public and has no access-control effect.

2. Move sensitive files and directories into a single isolated subdirectory with a non-descriptive name, and exclude only that directory. For example, with the directory structure /folder/passwords.txt and /folder/sensitive_folder/, the robots.txt becomes:

User-agent: *
Disallow: /folder/

3. If the directory layout cannot be changed and specific paths must be excluded, list only partial names. This is not a good solution, but it at least makes guessing the full names harder. To exclude "sensitive_folder" and "passwords.txt" (assuming no other file or directory in the web root starts with the same characters):

User-agent: *
Disallow: /se
Disallow: /pa

4. Anything truly sensitive must be protected by authentication and access control, not by being left out of the crawl.

PHP Probe Information Disclosure (Medium Risk)

introduce:

PHP probe scripts (server-information pages left on the server) reveal sensitive details such as the operating system, PHP version and configuration, physical paths and loaded extensions.

repair:

Remove the PHP probe files installed by default.

PHPINFO Page Leakage (Medium Risk)

introduce:

Leak sensitive information of the website server, including the physical path of the website, PHP version, server information and environment variables, etc.

repair:

1. Remove phpinfo() pages and similar test files from production; this is the actual fix. Setting "expose_php = Off" in php.ini (and restarting PHP-FPM or the web server) only removes the X-Powered-By header and version easter eggs; it does not stop a phpinfo() page from working; 2. If the information is needed during testing, use it during testing only and delete the file afterwards; 3. If the application does not need them, disable dangerous functions: in php.ini set disable_functions to a list such as phpinfo, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, popen, stream_socket_server, fsockopen. Note that eval is a language construct, not a function, and cannot be disabled this way.

Unencrypted login request (low risk)

introduce:

The scan found that login requests (containing user names, passwords, e-mail addresses, identity numbers, etc.) are sent to the server over plain HTTP without any encryption. Anyone who can capture the traffic, including on a shared network, can read the website administrator's user name and password.

repair:

Serve registration and login (and preferably the whole site) over HTTPS so that passwords, phone numbers, e-mail addresses and other sensitive data are encrypted in transit; client-side "encryption" of the password in JavaScript is not a substitute for TLS.

Sensitive information leakage of Zhiyuan OA A6 employees (medium risk)

introduce:

Seeyon OA A6 has a sensitive-information disclosure vulnerability: an attacker can send a crafted request to obtain employee data without authentication.

repair:

Apply the vendor's patch, restrict access to the affected interface, and limit access to the OA system to the intranet or a whitelist of addresses.

Dedecms-cve-2018-6910 information disclosure vulnerability (medium risk)

introduce:

Desdev DedeCMS (Dreamweaver Content Management System) is an open-source PHP content management system from Desdev (Shanghai Zhuozhuo Network Technology Co., Ltd.) that integrates content publishing, editing, management and retrieval. Affected versions have an information-disclosure vulnerability: a remote attacker can obtain the full installation path by sending crafted requests to include/downmix.inc.php or inc/inc_archives_functions.php, which trigger a PHP error message containing the path.

repair:

Apply the vendor's patch or modify the application source so that these files cannot be requested directly, and turn off error display (display_errors = Off) in production so that path-disclosing error messages are logged rather than returned to the client.

Solr admin information disclosure (high risk)

introduce:

The Apache Solr admin interface is reachable without authentication. It exposes core and configuration details, and in some versions its features have been used as a foothold for remote code execution.

repair:

1. Do not expose Solr directly to the network; put it behind a reverse proxy or firewall so that the admin interface is reachable only from trusted addresses; 2. Enable Solr's authentication and authorization plugins and allow only whitelisted users and sources; 3. Disable unnecessary handlers and directories, and keep Solr updated.

SSL/TLS RC4 information disclosure vulnerability CVE-2013-2566 (high risk)

introduce:

Secure Sockets Layer (SSL) is a security protocol introduced by Netscape with the first version of its web browser to provide confidentiality and data integrity for network communications; it encrypts the connection at the transport layer. Transport Layer Security (TLS) is the IETF standardization of SSL (RFC 2246) and differs little from SSL 3.0. The RC4 stream cipher used in SSL/TLS has single-byte biases in its keystream; by collecting and statistically analysing a large number of sessions that encrypt the same plaintext (such as a cookie), a remote attacker can recover that plaintext.

repair:

1. For Apache, remove RC4 from the cipher list (SSLCipherSuite, e.g. by adding !RC4); 2. For nginx, remove it from ssl_ciphers; 3. For lighttpd, disable RC4 in ssl.cipher-list in lighttpd.conf; 4. For Windows/IIS (Schannel), follow the Microsoft security advisory: Update for disabling RC4 - Microsoft Support. Prefer AES-GCM or ChaCha20-Poly1305 suites and TLS 1.2 or later.

ThinkPHP Information Leakage (Medium Risk)

Introduction :

When ThinkPHP runs with debug mode enabled, its default page and error pages expose system environment parameters (configuration, paths, request data) through index.php, and an attacker can retrieve them with crafted parameters.

fix :

1. Turn off debug mode in production and validate client parameters strictly, so that errors triggered by client input do not leak system parameters;

2. Upgrade thinkPHP version.

LARAVEL Sensitive Information Leakage (High Risk)

Introduction :

Laravel keeps its configuration in a .env file in the project root: debug settings, the MySQL account and password, mail credentials, the Redis password, APP_KEY and other secrets. If the web server's document root is the project directory instead of public/, or the server is not configured to deny access to dotfiles, a request for /.env returns the whole file.

fix :

1. Point the web server's document root at the public/ directory and deny HTTP access to .env and other dotfiles in the web server configuration; 2. Turn off debugging in production by setting APP_DEBUG=false in .env, because the debug page also prints environment variables on errors; 3. Rotate every credential in a .env file that may have been exposed.

unauthorized access class

Unauthorized access (high risk)

Introduction :

Back-end pages or other users' pages are served without checking for an authenticated session, so they can be opened directly without logging in.

fix :

Require an authenticated session on every page and API endpoint, not only on the login page: review the access rights of each back-end function, and deny access to users who are not logged in or do not hold the required role.

Privilege Escalation Vulnerability (High Risk)

Introduction :

Horizontal escalation: the attacker can perform operations that belong to other users with the same privilege level (for example, viewing another customer's order by changing an ID in the request). Vertical escalation: the attacker can perform operations reserved for higher-privileged users, such as administrator functions.

fix :

1. Design a strict permission model and check authorization on the server for every request and URL, including the object being accessed (is this order, file or record owned by the current user?), not only the page; 2. Deny by default: a user has no rights until a role explicitly grants them, so an attacker cannot exploit implicit permissions; 3. Give every function a clear role authorization so that gaps in access control cannot be abused; for administrative interfaces, additionally restrict access with an IP whitelist or allow only the administrators' networks.

Memcached Unauthorized Access Vulnerability (High Risk)

Introduction :

Memcached has no authentication: any client that can connect to the memcached port can read and modify the cached data, which often includes session data and application secrets.

fix :

1. Configure memcached to listen on the loopback address 127.0.0.1 (-l 127.0.0.1) and disable the UDP port (-U 0), which is also abused for amplification attacks; 2. If memcached must listen on an internal or public IP, filter the service port with the host firewall (iptables, firewalld, etc.) and the network firewall so that only the application servers can reach it.

Rsync Unauthorized Access Vulnerability (High Risk)

Introduction :

rsync is a file-mirroring and backup tool on Unix-like systems. When the rsync daemon is misconfigured, attackers can access its modules anonymously and, if the module is writable, add, delete or modify files.

fix :

Two defences are recommended: restrict source addresses (hosts allow / hosts deny in rsyncd.conf), and disallow anonymous access by defining auth users with a secrets file for each module; set read only = yes on modules that do not need writes.

Cisco vpn unauthorized access (high risk)

Introduction :

Cisco Adaptive Security Appliance (ASA) Software has a vulnerability in the Clientless SSL VPN portal customization framework. An unauthenticated remote attacker can use it to modify the content of the Clientless SSL VPN portal, leading to credential theft, cross-site scripting and other attacks. The cause is a missing authentication check in the portal customization framework.

fix :

It is recommended to upgrade to the latest patch released by Cisco: Multiple Vulnerabilities in Cisco ASA Software

Mongodb database unauthorized access vulnerability (high risk)

Introduction :

MongoDB was started without --auth (or without security.authorization: enabled in mongod.conf), so it accepts any client without credentials; there is no default password to guess at all. If it also listens on all interfaces, anyone who can reach the port can read and modify the databases.

fix :

Enable authentication and create database users with the least privileges needed, bind mongod to localhost or an internal interface (bindIp in mongod.conf), and restrict the source addresses that can connect with a firewall.

Redis database unauthorized access vulnerability (high risk)

Introduction :

Older Redis releases listened on 0.0.0.0:6379 with no password by default, exposing the service to the network (Redis 3.2 and later refuse remote clients in "protected mode" unless a bind address or password is configured, but protected mode is often switched off). If authentication is not enabled, anyone who can reach the port can read and write the data. Beyond reading data, an attacker can use CONFIG SET dir and dbfilename followed by SAVE to write a dump file containing their SSH public key into the Redis user's ~/.ssh/authorized_keys and then log in to the server with the matching private key; the same technique writes a web shell or a cron job.

fix :

1. Set the bind option to the loopback or an internal address and filter the port with a firewall (changing the default port 6379 adds little, since a port scan finds it anyway); 2. Configure authentication (requirepass, used by clients through AUTH) with a long random password; it is stored in plain text in the Redis configuration file, so restrict that file's permissions; 3. Use rename-command to rename or disable CONFIG (and FLUSHALL, DEBUG), so that even after unauthorized access the config-based file-write technique is much harder; 4. Redis 6 added an ACL system with real users: ordinary application users can be denied CONFIG and the other commands in the @dangerous category while an administrator keeps them; 5. Run Redis as an unprivileged user whose home directory and web root are not writable by it.
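The fragment below is an added example, not from the original page: a redis.conf applying items 1 to 4 above. The password strings are placeholders to replace with long random secrets, and the ACL lines require Redis 6 or later.

```conf
# redis.conf (added example; secrets are placeholders)

# Listen only on loopback (or an internal interface), never 0.0.0.0
bind 127.0.0.1 ::1
protected-mode yes

# Password for every client; it sits in clear text in this file, so chmod 640 it
requirepass replace-with-a-long-random-secret

# Neutralise the commands used in the public-key / web-shell write technique
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""

# Redis 6 and later: per-user ACLs instead of one shared password.
# The application user may only touch its own key prefix and loses the
# @dangerous category (CONFIG, FLUSHALL, DEBUG, KEYS, ...).
user default off
user app on >replace-with-app-secret ~app:* +@all -@dangerous
user admin on >replace-with-admin-secret ~* +@all
```

After restarting, `redis-cli -h <server> PING` from a host that is not in the bind list should fail to connect, and `redis-cli AUTH app replace-with-app-secret` followed by `CONFIG GET dir` should return NOPERM.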

Unauthorized access to .htaccess files (high risk)

introduce:

The web server serves .htaccess files on request, revealing rewrite rules, protected paths, authentication settings and other configuration details.

repair:

Configure the web server to deny access to .htaccess and other dotfiles (the stock Apache configuration contains a <Files ".ht*"> block with Require all denied; make sure it is present and not overridden).

Phpmyadmin unauthorized access (high risk)

introduce:

If phpMyAdmin is reachable without password protection (or with an empty or default root password), an attacker can log in directly and obtain root-level access to the database.

repair:

Set a strong database password, restrict phpMyAdmin to trusted source addresses or put it behind a VPN, and change its default path so that scanners do not find it (changing the path alone is not a protection).

Druid Unauthorized Access Vulnerability (Medium Severity)

introduce:

Druid is a database connection pool from Alibaba that includes monitoring: it records SQL execution times, web URI requests and sessions. Druid itself has no vulnerability here; the problem arises when developers expose its monitoring page without authentication, so that anyone can read the SQL statements, URIs and session IDs it has collected.

repair:

1. Disable the monitoring page (StatViewServlet) in production, for example with spring.datasource.druid.stat-view-servlet.enabled=false when using the Spring Boot starter;

2. If it is needed, set a login name and password for the Druid page and restrict its allowed source addresses.

Springboot unauthorized access (high risk)

introduce:

Actuator is the Spring Boot module for introspecting and monitoring an application. It lets developers view and collect the application's monitoring metrics easily. When Actuator is enabled without proper access control, unauthorized users can query the default actuator endpoints and obtain monitoring data from the application, leading to information leakage and, depending on the endpoints exposed, to server takeover.

harm:

Access to the /trace endpoint returns recent HTTP request records (timestamps, headers, etc.); if a logged-in user's request is among them, its cookie can be copied to hijack that login. Access to the /env endpoint returns all environment properties, including the connection settings of MySQL, MongoDB and other services the application uses.

repair:

1. Put the actuator endpoints behind authentication (Spring Security) and expose them only on a separate management port or to internal addresses; 2. Disable endpoints that are not needed, for example endpoints.env.enabled=false in Spring Boot 1.x; in Spring Boot 2.x, limit management.endpoints.web.exposure.include to what is required and set management.endpoint.env.enabled=false.

inject class

SQL injection (high risk)

introduce:

In SQL injection, the attacker places syntactically valid but maliciously constructed SQL fragments in HTTP request parameters that the application concatenates into its queries. Time-based blind injection, for instance, detects an injection point by the difference in response time the injected statement causes. Through injection the attacker can learn the database names, table names and column names and then extract the data itself, which threatens the data of every user of the site; the back-end administrator's password is often among the data obtained, and the attacker then tampers with the web pages.

repair:

(1) Use parameterized queries (prepared statements) for every SQL statement: a bound parameter is data, not executable SQL, and this is the one control that actually eliminates injection; (2) Validate data on the server before it is used (type, length, format, allowed values), and use allowlists for anything that cannot be bound as a parameter, such as table or column names in ORDER BY; (3) Have developers follow a fixed secure-coding standard; (4) Replacing or deleting sensitive characters is at best a secondary measure, since such filters are routinely bypassed; (5) Do not return database error messages to the user; (6) Run the application with a least-privilege database account and encrypt sensitive data at rest so that leaked rows are less useful; (7) Inspect the database (unexpected tables, redundant data) and the web logs: injection attacks hit one vulnerable page a great many times and make the log file grow sharply, so watch its size and contents; (8) Deploy a database firewall, WAF or similar device as defence in depth.
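The following is an added example, not code from the original page: the same user lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database containing constructed rows, plus an allowlist for the one place a parameter cannot be used (the column name in ORDER BY). Function names, the table and the rows are assumptions made for the illustration.

```python
import sqlite3

ORDERABLE_COLUMNS = {"id", "name"}     # the only identifiers a client may choose


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("admin", "constructed-hash-1"), ("alice", "constructed-hash-2")],
    )
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    # The user's text is spliced into the statement, so a quote ends the literal
    # and whatever follows is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name: str) -> list:
    # The driver sends the statement and the value separately; the value can
    # never change the statement's structure, whatever characters it contains.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def list_users_sorted(conn, column: str) -> list:
    # Identifiers cannot be bound as parameters, so validate against an allowlist
    # before the name is placed in the statement text.
    if column not in ORDERABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


INJECTION = "' OR '1'='1"       # classic tautology payload for a quoted string literal
```

With the payload, the concatenated query becomes `SELECT name FROM users WHERE name = '' OR '1'='1'` and returns every row; the parameterized query looks for a user literally named `' OR '1'='1` and finds nothing. The same split between statement and data is what the original's item (1) means by "SQL variables".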

CRLF Injection Vulnerability (High Severity)

introduce:

CRLF is short for "Carriage Return + Line Feed" (\r\n). In HTTP, header lines are separated by CRLF and the headers are separated from the body by an empty line (two consecutive CRLFs); the browser splits the response on these sequences. If attacker-controlled data ends up in a response header (a redirect Location, a cookie value) without CR and LF being removed, the attacker can inject additional headers such as Set-Cookie or terminate the headers and inject HTML into the body. CRLF injection is therefore also called HTTP Response Splitting (HRS), and it can be more dangerous than XSS because it also affects cookies and caching.

repair:

Reject or strip \r and \n (and other control characters) from any value placed in an HTTP header, so that input data cannot pollute other headers; most modern web frameworks already raise an error for such values, so make sure the application does not bypass the framework's header API by writing raw headers.
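The following is an added example, not from the original page: a response builder with and without header validation, and a small parser that shows what a browser would see in each case. The redirect target parameter and the payload are constructed; the function names are assumptions.

```python
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 header-name token
CONTROL = re.compile(r"[\r\n\x00-\x1f\x7f]")


def header_value_ok(value: str) -> bool:
    """A value containing CR, LF or another control character would start a new
    header line or the body, so it is rejected rather than 'cleaned'."""
    return CONTROL.search(value) is None


def build_response_unsafe(status: str, headers: list, body: str = "") -> str:
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers] + ["", body]
    return "\r\n".join(lines)


def build_response_safe(status: str, headers: list, body: str = "") -> str:
    for name, value in headers:
        if not TOKEN.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not header_value_ok(value):
            raise ValueError(f"control character in header {name}")
    return build_response_unsafe(status, headers, body)


def parse_response(raw: str):
    """Split a raw response the way a client does: status line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip()] = v.strip()
    return status, headers, body


def redirect(target: str, safe: bool) -> str:
    """Redirect to a client-supplied target (for example a ?next= parameter)."""
    builder = build_response_safe if safe else build_response_unsafe
    return builder("302 Found", [("Location", target), ("Content-Type", "text/html")])


# constructed attacker-controlled redirect target carrying CRLF sequences
PAYLOAD = "/home\r\nSet-Cookie: PHPSESSID=attacker-chosen\r\n\r\n<script>alert(1)</script>"
```

Parsing the unsafe redirect shows an injected Set-Cookie header (a session-fixation vector) and a body be­ginning with the attacker's script, while the safe builder refuses the value. For a Location header, percent-encoding the target with urllib.parse.quote is the alternative to rejection, since a legitimate path never contains raw CR or LF.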

Framework Injection Vulnerability (High Risk)

introduce:

An attacker can inject frame or iframe tags with malicious content into the page. A user who does not notice may interact with the framed content believing it to be part of the original site, while it actually comes from the attacker's site. The attacker can then, for example, present a fake login form and collect the user's credentials.

repair:

HTML-encode user input wherever it is placed into a page rather than relying on a blacklist; if a character filter is used in addition, it should cover at least: | & ; $ % @ ' " < > ( ) + CR LF , \ .

Cross-site scripting class

XSS cross-site scripting vulnerability (high risk)

introduce:

In a cross-site scripting attack, malicious script is inserted into a web page and executes in the browser of everyone who views it. The attacker can use this to steal or manipulate users' sessions and cookies and impersonate legitimate users; if an administrator is affected, the attacker can obtain administrator rights and control the entire site.

repair:

1. Set the HttpOnly attribute on session cookies so that JavaScript cannot read them; this limits cookie theft but does not prevent the XSS itself, which can still act on the user's behalf from inside the page;

2. Treat all input as suspicious and check it strictly for scripts, iframes and similar content. Input is not only the forms a user fills in but also cookie values, HTTP request headers and any other client-supplied data;

3. Validate not just the type of data but also its format, length, range and content;

4. Filter "<" and ">" and keep user input inside quotation marks to separate data from code; filter double quotes so that users cannot break out of the quoted attribute and add their own markup; filter tabs and spaces so that keywords cannot be split; filter script keywords; and filter any characters that would let input break out of an HTML attribute. Perform validation and filtering on both the client and the server; the server-side check is the one that counts;

5. Encode data at the point of output. On a large site a value stored in the database is output in many places, so even if input was encoded on the way in, apply context-appropriate output encoding (HTML body, attribute, JavaScript, URL) at every output point.
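The following is an added example, not code from the original page, illustrating item 5 above: output encoding for three contexts, each paired with a payload that a plain "<" and ">" filter (item 4) would miss. The inputs are constructed and the function names are assumptions.

```python
import html
import json


def render_comment_unsafe(text: str) -> str:
    return f'<p class="comment">{text}</p>'


def render_comment(text: str) -> str:
    # HTML body context: &, <, >, " and ' become entities
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def render_search_box_unsafe(query: str) -> str:
    return f'<input name="q" value="{query}">'


def render_search_box(query: str) -> str:
    # Attribute context: the surrounding quotes only help if the quote character
    # itself is escaped, otherwise the payload closes the attribute and adds its own.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def render_user_script(username: str) -> str:
    # JavaScript string context: JSON-encode, then escape the characters that
    # could close the <script> element, which json.dumps leaves untouched.
    literal = (json.dumps(username)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var user = {literal};</script>"


# constructed payloads, one per context
BODY_PAYLOAD = "<img src=x onerror=alert(1)>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'      # contains no < or > at all
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"
```

The attribute payload is the reason a "<" and ">" filter is not enough: it never uses those characters, yet in the unsafe renderer it closes the value attribute and adds an event handler. The script-context payload shows the opposite problem: html.escape would break the JavaScript string, so that context needs JSON encoding plus the extra escapes. Template engines that auto-escape (Jinja2, Django templates, Thymeleaf) do the body and attribute cases for you; the JavaScript case still needs explicit handling.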

JQuery version is too low (JQuery low version has cross-site) (medium risk)

introduce:

jQuery versions before 1.6.3 have a cross-site scripting vulnerability: when location.hash is passed to the jQuery selector function, specially crafted tags in the URL fragment are parsed as HTML, letting a remote attacker inject arbitrary script or HTML.

repair:

Upgrade jQuery to 1.6.3 or later; since later releases fixed further XSS issues, move to a currently supported release (3.x) and re-test the site's own code for breaking changes.

Unicode Conversion Vulnerability (High Severity)

introduce:

During Unicode conversion, overlong byte sequences and malformed encodings create sequences that decode to characters the input checks never saw. By sending a special encoding of a character, an attacker bypasses the program's detection of malicious characters, which can be used for SQL injection, XSS and similar attacks.

repair:

1. Upgrade the Unicode version to the official latest stable version http://www.unicode.org ;

2. Perform the security check only after the conversion to UTF-8 is complete, and filter special characters or encode them safely before output.
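An added example (not from the original post) of repair point 2: the check runs on the decoded and normalized text, not on the raw bytes. A strict UTF-8 decoder rejects overlong sequences outright, and NFKC normalization folds fullwidth look-alikes such as "＜" into "<" before the character filter sees them. The payloads and the character set are constructed.

```python
# Added example (not from the original post): checking input only after it has
# been decoded to Unicode and normalized. All payloads below are constructed.
from __future__ import annotations

import unicodedata

DANGEROUS = set("<>\"'")


def naive_byte_check(raw: bytes) -> bool:
    """Wrong order: inspecting the raw bytes before conversion. Returns True when
    the input passes. Fullwidth or otherwise re-encoded forms of "<" slip through
    because their bytes never contain an ASCII "<"."""
    return not any(ch.encode("utf-8") in raw for ch in DANGEROUS)


def normalize(text: str) -> str:
    """NFKC maps compatibility characters (fullwidth forms etc.) to their ASCII base."""
    return unicodedata.normalize("NFKC", text)


def check_after_conversion(raw: bytes) -> tuple[bool, str]:
    """Right order: strict UTF-8 decode (rejects overlong and malformed
    sequences), NFKC normalization, then the character check."""
    try:
        text = raw.decode("utf-8")  # errors="strict" is the default
    except UnicodeDecodeError as exc:
        return False, f"rejected: malformed UTF-8 ({exc.reason})"
    normalized = normalize(text)
    bad = sorted(ch for ch in DANGEROUS if ch in normalized)
    if bad:
        return False, "rejected: dangerous characters after normalization: " + "".join(bad)
    return True, normalized


# Constructed samples
OVERLONG_SLASH = b"\xc0\xaf"                               # overlong 2-byte form of "/"
FULLWIDTH_SCRIPT = "\uff1cscript\uff1e".encode("utf-8")    # "＜script＞"
BENIGN = "hello".encode("utf-8")

if __name__ == "__main__":
    print("naive byte check passes fullwidth tag:", naive_byte_check(FULLWIDTH_SCRIPT))
    for sample in (OVERLONG_SLASH, FULLWIDTH_SCRIPT, BENIGN):
        print(sample, "->", check_after_conversion(sample))
```

The order matters in both directions: decode first so the filter sees the characters the application will actually use, and never re-decode or normalize again after the filter has run, or the bypass reappears.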

File upload, file inclusion, file reading, SSRF class

File upload vulnerability (high risk)

introduce:

The upload handler does not filter uploaded files at all, so arbitrary files, including viruses and Trojan horses, can be uploaded to the server.

repair:

Uploaded attachments must be strictly validated on the server side, not only by front-end JavaScript checks.

1. Strictly limit the uploaded file type, file name and suffix;

2. Check the file header and file content, and strictly limit the permissions of the upload directory;

3. Promptly check for and delete Trojan files on the server.
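An added example (not from the original post) of repair points 1 and 2 as server-side code: an extension allowlist, a magic-bytes check tied to that extension, a scan for server-side script markers inside the content, and a server-generated storage name so the client never controls the stored filename. The allowlist, signatures, size limit and sample inputs are constructed; point 3 and the upload-directory permissions (no execute permission, served as static content) are deployment settings outside this snippet.

```python
# Added example (not from the original post): server-side validation of an
# uploaded file. Allowlist, signatures, size limit and sample inputs are constructed.
from __future__ import annotations

import os
import secrets

# Allowed extensions mapped to the magic bytes the file content must start with
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that must never appear inside an "image" (server-side script openers)
FORBIDDEN_CONTENT = (b"<?php", b"<%", b"<script")
MAX_SIZE = 5 * 1024 * 1024  # constructed limit


def validate_upload(client_filename: str, content: bytes) -> str | None:
    """Return the normalized extension if the upload is acceptable, else None."""
    if not content or len(content) > MAX_SIZE:
        return None
    # Drop any directory part the client sent and reject control characters
    # (a null byte can truncate the name in other layers).
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or any(ord(c) < 32 for c in name):
        return None
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()      # only the LAST suffix counts
    if ext not in ALLOWED_TYPES:
        return None
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None                           # header does not match the claimed type
    if any(marker in content for marker in FORBIDDEN_CONTENT):
        return None                           # script hidden inside image data
    return ext


def storage_name(ext: str) -> str:
    """Server-generated name: the client never chooses the stored filename."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG header
    ext = validate_upload("holiday.png", png)
    print("accepted as", ext, "stored as", storage_name(ext) if ext else None)
    print("wrong header:", validate_upload("holiday.png", b"GIF89a" + b"\x00" * 8))
    print("double suffix:", validate_upload("holiday.png.txt", png))
```

Checking the header against the extension the file claims (rather than accepting any known header) closes the gap where a valid image header is prepended to a file whose suffix would be executed by the server.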

WebDav file upload/information disclosure vulnerability (high risk)

introduce:

WebDAV is a communication protocol based on HTTP 1.1. It extends HTTP 1.1 with several new methods in addition to the standard ones such as GET, POST and HEAD, so that applications can read and write files on the web server directly; it also supports locking and unlocking files for writing, and file version control. A remote attacker may exploit this to read and write files without authorization.

repair:

A website usually does not need to support the additional methods. It is recommended to disable the WebDAV service and close methods such as PUT, MOVE and COPY.

Local file inclusion vulnerability (high risk)

introduce:

Because the programmer does not check user-controllable variables, the user can control which files are included. When exploited successfully, the web server can be made to execute a chosen file as a script, giving the attacker some server privileges, or to read system files directly, leaking sensitive server information.

repair:

For file inclusion vulnerabilities, it is recommended to use a whitelist to limit the range of files that may be included.

Remote file inclusion vulnerability (high risk)

introduce:

When the server uses language features (functions) to include arbitrary files and the source of the included file is not strictly filtered, a malicious file can be included; the attacker hosts a specially constructed malicious file remotely to carry out the attack.

repair:

If you must include files dynamically, specify explicitly which files may be included and compare against a whitelist; you can also add a directory restriction inside the include function.

Arbitrary file read vulnerability (high risk)

introduce:

The program's filtering is not strict, so sequences such as ../../../ can be used to jump to other directories and read arbitrary files.

repair:

1. Filter the special character sequence "../";

2. Restrict the directory from which files are read and do not allow cross-directory reads.

Arbitrary file download vulnerability (high risk)

introduce:

Adding ../../../../ in front of the file parameter of a normal download link escapes the directory restriction and allows any file, including system files, to be downloaded. The vulnerability arises because the back-end code does not apply security restrictions to the download path.

repair:

For arbitrary file download vulnerabilities, it is recommended to strictly limit the file download path.
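The local file inclusion, arbitrary file read and arbitrary file download entries above all come down to the same two controls: a whitelist of includable names, and confinement of any user-supplied path to a base directory. The following is an added example (not from the original post) implementing both. It resolves the path (collapsing "..", following symlinks) before comparing it against the base, which is more robust than only filtering the string "../". The page names, directory layout and sample files are constructed.

```python
# Added example (not from the original post): confining includes, reads and
# downloads to a whitelist and a base directory. Names and paths are constructed.
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Whitelist for dynamic includes: page name -> file; nothing else is includable
INCLUDABLE = {"home": "pages/home.tpl", "about": "pages/about.tpl"}


def include_path(page: str) -> str | None:
    """Return the file for a page name, or None when it is not on the whitelist."""
    return INCLUDABLE.get(page)


def resolve_under(base_dir: str, user_path: str) -> Path | None:
    """Resolve a user-supplied path and accept it only if it stays under base_dir.

    resolve() collapses "..", applies symlinks and absolutizes, so the prefix
    check runs on the real target rather than on the string the user sent.
    An absolute user_path replaces the base when joined and is rejected too.
    """
    if "\x00" in user_path:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate == base:
        return None                      # the directory itself is not a file to serve
    try:
        candidate.relative_to(base)
    except ValueError:
        return None                      # escaped the base directory
    return candidate


def demo() -> dict[str, bool]:
    """Build a throwaway tree (with a symlink escaping the base directory) and
    report which requests are accepted. True means the request was allowed."""
    root = Path(tempfile.mkdtemp())
    base = root / "files"
    (base / "reports").mkdir(parents=True)
    (base / "reports" / "q1.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (root / "secret.txt").write_text("outside the base directory")
    link_ok = True
    try:
        (base / "escape").symlink_to(root / "secret.txt")
    except OSError:                      # symlinks unavailable on this platform
        link_ok = False
    results = {
        "normal file": resolve_under(str(base), "reports/q1.pdf") is not None,
        "dot-dot traversal": resolve_under(str(base), "../secret.txt") is not None,
        "nested traversal": resolve_under(str(base), "reports/../../secret.txt") is not None,
        "absolute path": resolve_under(str(base), "/etc/hostname") is not None,
    }
    if link_ok:
        results["symlink escape"] = resolve_under(str(base), "escape") is not None
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:20s} allowed={allowed}")
    print("include 'about':", include_path("about"), "| include '../x':", include_path("../x"))
```

For includes, the whitelist alone is sufficient and simpler; resolve_under is for features that legitimately take a path (reports, attachments), where a fixed list is impossible.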

SSRF (Server-Side Request Forgery) (high risk)

introduce:

Many web applications provide a function that fetches data from other servers: given a URL specified by the user, the application fetches images, downloads files, reads file contents and so on. If this function is abused, the flawed application can be used as a proxy to attack remote and local servers, probe the intranet or even break into it.

repair:

SSRF mostly arises because the server offers a function that fetches data from other servers without filtering or restricting the target address, for example fetching the text of a web page from a given URL, or loading or downloading an image from a given address. It is recommended to strictly restrict the values the URL parameter may take.
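An added example (not from the original post) of what "strictly restrict the URL parameter" means in code: allow only http/https, reject embedded credentials, compare the host against an allowlist, restrict the port, and resolve the name so that a record pointing at a private, loopback or link-local address is refused. The allowlist, ports and addresses are constructed; the resolver is injectable so the function can be exercised without network access.

```python
# Added example (not from the original post): validating a user-supplied fetch
# URL before the server requests it. Allowlist, ports and addresses are constructed.
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"img.example.com", "cdn.example.com"}   # constructed allowlist
ALLOWED_PORTS = {None, 80, 443}


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable unicast addresses: rejects RFC 1918 space,
    loopback, link-local, multicast and the documentation/reserved ranges."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record; a single internal record must not hide among public ones."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(
    url: str, resolver: Callable[[str], Iterable[str]] = default_resolver
) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the application has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"           # no file://, gopher://, etc.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"  # "user@host" confusion
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    for ip in resolver(host):
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Stub resolver so the demo runs offline; 93.184.216.34 is a constructed public address
    public = lambda host: ["93.184.216.34"]
    internal = lambda host: ["10.0.0.5"]
    for u, res in [("http://img.example.com/a.png", public),
                   ("http://img.example.com/a.png", internal),
                   ("file:///etc/hostname", public),
                   ("http://img.example.com@evil.test/", public),
                   ("http://10.0.0.1/admin", public)]:
        print(u, "->", validate_fetch_url(u, res))
```

Two caveats the validation alone does not cover: the HTTP client must not follow redirects (or must re-validate each hop), and the address checked here should be the one actually connected to, otherwise a DNS answer that changes between the check and the connection undoes the check.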

ShopXO arbitrary file reading (high risk)

introduce:

ShopXO is an open-source, enterprise-level e-commerce system. ShopXO has an arbitrary file read vulnerability that attackers can exploit to obtain sensitive information.

repair:

Upgrade the system version.

Resin Arbitrary File Read Vulnerability (High Risk)

introduce:

Certain versions of the Resin server have an arbitrary file read vulnerability; an attacker can use it to read the contents of arbitrary files on the website server.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

Command execution, code execution class

Struts2 devMode command execution vulnerability (high risk)

introduce:

The website uses Apache Struts (xwork) as its application framework with devMode turned on. With this setting enabled, Struts2 provides more logging and debugging information to speed up development; however, developer mode also allows OGNL statement injection, which attackers may exploit for remote code execution.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-005 Command Execution Vulnerability (High Risk)

introduce:

OGNL provides, among other things, a wide range of expression evaluation functions. The vulnerability allows a malicious user to bypass the protection against use of "#" built into ParametersInterceptor, enabling remote code execution.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-009 Command Execution Vulnerability (High Risk)

introduce:

OGNL provides, among other things, extensive expression evaluation functions. The vulnerability allows a malicious user to bypass all protections built into ParametersInterceptor (regex patterns, denial of method calls) and inject malicious expressions into any exposed string variable for further evaluation. Similar behavior was addressed in S2-003 and S2-005, but the resulting fix, based on a whitelist of acceptable parameter names, only partially closed the vulnerability. ParametersInterceptor's regex accepts top['foo'](0) as a valid expression, and OGNL treats it as (top['foo'])(0), evaluating the value of the 'foo' action parameter as an OGNL expression. This lets a malicious user place arbitrary OGNL statements into any string variable exposed by an action and have them evaluated as OGNL, and because the statements arrive in HTTP parameter values, an attacker can use blacklisted characters (e.g. #) to disable the method-execution protection and execute arbitrary methods, bypassing both ParametersInterceptor and the OGNL library protections.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-016 Command Execution Vulnerability (High Risk)

introduce:

In Struts2, the DefaultActionMapper class supports "action:", "redirect:" and "redirectAction:" as navigation or redirection prefixes, but these prefixes can be followed by an OGNL expression. Because Struts2 does not filter them, the OGNL expression can call Java static methods and execute arbitrary system commands.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-017 URL jump vulnerability (high risk)

introduce:

In Struts 2 prior to 2.3.15.1, the information after "redirect:" or "redirectAction:" could easily be manipulated to redirect to an arbitrary location.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-019 Command Execution Vulnerability (High Risk)

introduce:

The action mapping mechanism of Struts2 supports actions with special parameter prefixes, which can be used to add navigation information at the bottom of a form. There is a security bypass vulnerability when mapping "action:"-prefixed operations, which attackers can exploit to bypass certain security and access restrictions. Dynamic Method Invocation is enabled in Struts2 by default (users are only reminded to turn it off where possible), so a remote code execution vulnerability exists that an attacker can exploit to run arbitrary code in the context of the affected application.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-032 Command Execution Vulnerability (High Risk)

introduce:

When dynamic method invocation is enabled, a malicious expression may be passed to execute arbitrary code on the server side.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-037 Command Execution Vulnerability (High Risk)

introduce:

After Struts2 enables the REST plug-in, the ActionMapping is obtained through the method public ActionMapping getMapping(HttpServletRequest request, ConfigurationManager configManager) of the org.apache.struts2.rest.RestActionMapper class. When the request URL has the form actionName/id/methodName, methodName is taken as the method attribute of the ActionMapping, but that attribute is not sanitized. The execution flow matches the S2-032 vulnerability: the ActionMapping attribute is set on the ActionProxy, the method attribute is read from the ActionProxy and brought into an OGNL expression for execution, and a static call in the OGNL expression obtains ognl.OgnlContext's DEFAULT_MEMBER_ACCESS property and overrides _memberAccess to bypass the protections, so arbitrary code can be executed on the server. In other words, attackers can use this vulnerability to remotely execute arbitrary commands on a Struts 2 server deployed with the REST plug-in.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-045 Command Execution Vulnerability (High Risk)

introduce:

In Struts2 deployments using the Jakarta file upload plug-in, an attacker can trigger this vulnerability by modifying the Content-Type value in the HTTP request header when uploading a file, and then execute system commands.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-046 Command Execution Vulnerability (High Risk)

introduce:

In Struts2 deployments using the Jakarta file upload plug-in, an attacker can trigger this vulnerability by placing malicious OGNL in the file name when the size of the uploaded file (given by the Content-Length header) exceeds the maximum Struts2 allows (2GB), and then execute system commands.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

S2-052 Command Execution Vulnerability (High Risk)

introduce:

The Apache Struts2 Freemarker tag, if used incorrectly, can lead to remote code execution (RCE).

repair:

1. Upgrade to Apache Struts version 2.5.12 or 2.3.34;

2. Use read-only properties to initialize value properties (only getter properties);

3. Do not obtain the content of Freemarker tags through Request.

S2-053 Command Execution Vulnerability (High Risk)

introduce:

The Struts2 REST plug-in uses XStreamHandler with XStream for deserialization without any filtering, which can lead to remote code execution when deserializing XML payloads; any attacker can construct malicious XML content to gain elevated privileges.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

JDWP Remote Command Execution Vulnerability (High Risk)

introduce:

JDWP (Java Debug Wire Protocol) defines the communication protocol between a debugger and the Java virtual machine being debugged (the target VM). When Java debugging over this protocol is enabled and exposed externally, there is a remote command execution vulnerability that allows an attacker to execute code remotely and gain server privileges.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

ElasticSearch Command Execution Vulnerability (High Risk)

introduce:

The vulnerability lies in the configuration file ElasticSearch.yml, where the option "script.disable_dynamic" defaults to "false". This default allows the server to dynamically execute arbitrary code sent by users: an attacker only needs to send code to the server via a URL to create and run their own program. Once in, their operations on the server are not restricted in any way, including stealing sensitive information such as user accounts and passwords from the website or leaving behind a backdoor program.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

GNU Bash Remote Command Execution (High Risk)

introduce:

GNU Bash 4.3 and earlier have a vulnerability in the evaluation of specially constructed environment variables: appending extra strings to a function definition in an environment variable's value triggers it. Attackers can use this to change or bypass environment restrictions and execute shell commands.

repair:

1. Upgrade to the latest version; 2. If the system is no longer in use, take it offline or shield it with a firewall.

Weblogic Java Deserialization Remote Command Execution Vulnerability (High Risk)

introduce:

There is a Java deserialization vulnerability in Weblogic, and an attacker can remotely execute system commands and obtain server permissions.

repair:

Update the official patch in time.

shiro deserialization command execution vulnerability (high risk)

introduce:

Exploitation tool: a comprehensive exploitation tool for the shiro deserialization vulnerability

GitHub - j1anFen/shiro_attack: comprehensive exploitation of shiro deserialization vulnerabilities (command execution with echoed output / injection of in-memory webshells)

shiro-550 (shiro versions below 1.2.5) is a command execution vulnerability caused by the deserialization of shiro's rememberMe content. Because the AES key is hard-coded in the shiro source code, a payload can be inserted into the rememberMe field of the cookie to achieve arbitrary code execution.

repair:

Upgrade shiro version.

JBoss deserialization command execution vulnerability (high risk)

introduce:

The root cause is that the CommonsCollections component contains a method that can be invoked reflectively when operating on collections, and this method performs no verification when the related object is deserialized, resulting in remote code execution. Exploiting the vulnerability lets attackers remotely execute system commands and obtain server permissions, putting the server at risk.

repair:

1. For the JBoss Java deserialization vulnerability, update JBoss to the latest version (see This Week in JBoss - 08 September 2022 - JBoss.org) or apply the official patch;

2. Change the password of the database account; it should be longer than 8 characters and include digits, upper- and lower-case letters and special characters;

3. Carry out a comprehensive security check of the server, promptly find and remove backdoor files such as webshells, and change the database password promptly.

JBoss JMXInvokerServlet Remote Command Execution Vulnerability (High Risk)

introduce:

When JBoss is installed with default settings, it installs the http-invoker.sar site. Requests to invoker/JMXInvokerServlet or invoker/EJBInvokerServlet are handled by org.jboss.invocation.http.servlet.InvokerServlet.class, which calls the same processRequest function for both GET and POST requests. An attacker therefore only needs to construct a JBoss class, serialize it and submit the serialized data directly to the vulnerable site's invoker/JMXInvokerServlet page, and the malicious code will be executed.

repair:

It is recommended to delete or disable access to the /invoker/JMXInvokerServlet file.

ThinkPHP command execution (high risk)

introduce:

Because the ThinkPHP5 framework does not perform sufficient security checks on the controller name, an attacker can obtain a webshell directly by constructing a specific request when forced routing is not enabled.

repair:

Upgrade ThinkPHP to the latest version.

Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2016-3088) (High Risk)

introduce:

Multiple vulnerabilities in Apache ActiveMQ Fileserver could allow remote attackers to replace web applications with malicious code and execute remote code on affected systems (CVE-2016-3088).

repair:

1. The ActiveMQ Fileserver function was removed in 5.14.0 and later versions; users are advised to upgrade to 5.14.0 or later;

2. Disable the ActiveMQ Fileserver function by removing its configuration from conf\jetty.xml.

JBoss Seam parameterized EL expression remote code execution vulnerability (high risk)

introduce:

JBoss Seam is a Java EE 5 framework that combines JSF and EJB 3.0 components to provide an up-to-date model for developing web-based enterprise applications. An input filtering vulnerability exists in the way JBoss Seam handles certain parameterized JBoss EL expressions (CVE-2010-1871). Arbitrary code execution is possible if a remote attacker can trick an authenticated JBoss Seam user into visiting a specially crafted web page.

repair:

Upgrade to 4.3.0 EL4 or higher, which is confirmed to fix this vulnerability. Reference link: 615956 – (CVE-2010-1871) CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE).

HTTP.sys Remote Code Execution Vulnerability (MS15-034) (High Risk)

Introduction:

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys); it is triggered when HTTP.sys incorrectly parses specially crafted HTTP requests. An attacker only needs to send malicious HTTP request packets to remotely read memory from the IIS server or crash the server with a blue screen.

fix:

Mitigation and update patch: Microsoft Security Bulletin MS15-034 - Critical (Microsoft Learn).

Webview Remote Code Execution Vulnerability (High Risk)

Introduction:

The addJavascriptInterface method of the WebView component exposes local Java objects to JavaScript, but it does not restrict which methods can be called, so an attacker's JavaScript can invoke arbitrary Java classes and ultimately attack the device.

fix:

It is recommended not to use the addJavascriptInterface interface. For Android API level 17 and above, Google requires that any method allowed to be called from JavaScript carries the @JavascriptInterface annotation on the Java side. When using a js2java bridge, every incoming parameter must be validated to avoid malicious code attacks.

Denial of service class

slowhttp denial of service attack (medium risk)

Introduction:

A remote attacker uses a sending tool to send an incomplete HTTP request to the Apache server; the server opens the connection and waits for the complete headers, but the tool never sends the complete request and instead keeps sending invalid header data, so the connection stays open. The impact is severe because the attacker does not need to send a large amount of traffic to exhaust the server's available connections: even a user with low bandwidth can attack a high-traffic server.

fix:

1. Upgrade to the latest version of Apache;

2. Add RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 (mod_reqtimeout) to httpd.conf;

3. Limiting the number of connections per IP directly in iptables solves most of the above problems; unless the attacker controls many bots, an attack from a single IP loses its effect: iptables -A INPUT -p tcp --syn --dport 8889 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Origin blog.csdn.net/x319427393/article/details/129380078