» Part One «
Introduction
The first thing through which web applications may come under attack is the web servers on which those applications run. No web application, however robust and secure it may be, can survive for long on an insecure and vulnerable server.
Here we intend to discuss well-known web servers such as IIS, Apache and Netscape. We will also describe their basic and common vulnerabilities, and then introduce, and work with, several vulnerability scanners. If time allows, we will also take a look at DOS attacks and analyse how such attacks are carried out.
To put it plainly: once you have studied this part you can already go hunting on the Internet quite easily! But always remain a white hat, or, as a friend of mine puts it, be like a Sioux Indian loyal to the traditions!!
Years before web server security was analysed, we believed that by choosing a good server we would never face critical vulnerabilities over the life cycle of our application. Today, however, you must configure your web servers cautiously and always obtain and maintain the latest patches, and even after installing them you still cannot be very sure that everything is OK! Only a very limited number of server security weaknesses are described here, together with how to counter them; for more information, readers should refer to the sources given at the end of this series of articles.
2 www.WebsecurityMgz.com
Intrusion into Web Servers
Apache is one of the most widely used web servers on the Internet. Compared with Microsoft's web server (IIS), Apache has had fewer security issues and problems, but it still has vulnerabilities of its own.
All Unix systems can run Apache, and Apache is installed by default on a large number of Unix and Linux distributions. Beyond that, Apache can also be installed on hosts running a different operating system such as Windows; these Apache builds can also have vulnerabilities of their own.
E-commerce sites assume that they will tailor their web pages to their customers, and have put customer orientation at the centre of their attention in order to draw customers to their site, so that each customer sees the pages and topics of their choosing, or sees a given page in a given colour. For this, Apache needs modules that extend its ability to design and render dynamic pages, and it is these very modules that expose Apache to danger. To understand this better, let us review a few examples together.
/cgi-bin//////////////////////////////////////////////////////
may display the directory listing of the system's main drives. The actual number of slashes varies, but the attack can be implemented with a very simple Perl script. One point to note here is that most Apache servers cannot process a URL longer than 8000 characters.
It is important to note that if the mod_dir module is removed from Apache, runs of consecutive slashes in all web requests will be dropped. This has little effect on the application, however.
Without the server administrator's permission, Apache refuses every attempt to obtain a directory listing. Unfortunately, a vulnerability in one of Apache's newest features, Multiviews, which exposes directory listings, was reported to Bugtraq in July 2001 by Kevin of brasscannon.net. The attack can display the directory listing through a browser or through a direct netcat command:
The output of this command has of course been altered a little to make it more readable, but it is an example of the data that can be found in an Apache directory. We will talk about the important files on this kind of server later; for now, that Password.txt file is enough. This vulnerability is very useful to an attacker because it reveals a complete listing of the site's directories.
...old versions of files, the site's backup copy, and any file the application does not need should not be reachable through a browser. The directory listing vulnerability threatens us when sensitive data lies inside those directories.
mod_auth_*sql injection
To learn how to detect vulnerabilities in the Apache web server, the following addresses can be used:
http://www.apacheweek.com/features/security-13
http://www.apacheweek.com/features/security-20
These addresses contain the technical information needed to identify system vulnerabilities and the recommendations needed to raise the security posture. The address http://httpd.apache.org/ is also useful in this respect.
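As an added example that is not part of the original article, the following Python detector reads Apache access-log lines and flags the two request patterns described above: a long run of slashes after /cgi-bin and a URL beyond the 8000-character limit the text quotes. The log lines are constructed, and the thresholds MAX_SLASH_RUN and MAX_URL_LEN are assumptions.

```python
import re

# Constructed Apache common-log lines (not from the article). The second line
# carries the run of slashes after /cgi-bin the text describes; the fourth an
# oversized URL beyond the 8000-character limit it mentions.
PROBE_PATH = "/cgi-bin" + "/" * 24
LONG_PATH = "/" + "a" * 8100
SAMPLE_LOG = (
    '10.0.0.5 - - [12/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043\n'
    f'10.0.0.9 - - [12/Jul/2001:10:00:02 +0000] "GET {PROBE_PATH} HTTP/1.0" 200 4821\n'
    '10.0.0.5 - - [12/Jul/2001:10:00:03 +0000] "POST /order.cgi HTTP/1.0" 302 0\n'
    f'10.0.0.9 - - [12/Jul/2001:10:00:04 +0000] "GET {LONG_PATH} HTTP/1.0" 414 0\n'
)

# client, method, path, status, size from a common/combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
MAX_SLASH_RUN = 3    # assumed threshold: legitimate paths never repeat "/" this often
MAX_URL_LEN = 8000   # the limit the text quotes for Apache servers of that era


def longest_slash_run(path):
    """Length of the longest run of consecutive '/' characters in a path."""
    return max((len(run) for run in re.findall(r"/+", path)), default=0)


def scan_log(text):
    """Return (client, reason, measure, status) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common/combined log format; skip it
        client, _method, path, status, _size = m.groups()
        run = longest_slash_run(path)
        if run > MAX_SLASH_RUN:
            findings.append((client, "slash-run", run, status))
        if len(path) > MAX_URL_LEN:
            findings.append((client, "long-url", len(path), status))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A slash-run probe that was answered with status 200 is the case worth reviewing first, since a listing may actually have been served.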
To protect an Apache web server, the following recommendations are offered:
1- To obtain the source code of most Apache versions, http://httpd.apache.org/download.cgi can be used.
2- Make sure the key operating-system components that Apache relies on are patched. In this regard, only the modules required for the correct operation of the server should be compiled into Apache. It should be noted that the mod_ssl worm (CA-2002-27) was a complete example of this: it exploited vulnerabilities in OpenSSL (CA-2002-23).
3- Avoid running Apache as root; a dedicated user or group with minimal privileges should be created for this purpose. No other system process should need to run under that user or group.
4- Chroot is a facility that redefines the boundaries of a program. In effect, chroot redefines the "ROOT" or "/" directory for a program or a login session. chroot can be used as a defensive layer: if, for example, someone gains access to your machine, they will not be able to see all the files on the system. Beyond that restriction, limits on running certain commands also arise. To do this, a directory named /chroot is created and all the services concerned are placed inside it under a fixed layout; the Apache server, for instance, goes in /chroot/httpd. Accordingly, Apache should be run in a chroot environment. When Apache starts and runs chrooted, it has no access to the other parts of the operating system's directory tree outside the chroot, and so a good defensive layer against possible abuse is put in place. For example, a shell may be invoked, and since /bin/sh is not inside the chroot, that avenue of possible abuse is closed off. It must also be noted that chrooting Apache can have undesirable side effects for CGI, PHP, databases and the other modules or connections for which the web server environment needs access to external library functions in order to serve them. There are many ways of chrooting, and the documentation of the software in question should be used as the reference for the relevant procedures.
5- To manage a web server you need feedback on the activity and performance of the server and on the other problems a server may run into, so that by analysing it you can take the necessary measures against the issues found. The Apache server offers flexible logging capabilities, so logging should be carried out carefully, effectively and thoroughly, so that any unauthorised security-relevant activity or abnormal server behaviour can be traced. It is recommended that the information in the log files be archived on a regular schedule; this makes managing and reviewing the log files possible. To become familiar with the different log formats, the following sources can be used:
In various situations, depending on the circumstances, the contents of the log files alone may not be sufficient. This is worse where CGI, PHP or other script-based technologies are used; to strengthen the analysis of an intrusion or of the exploitation of a security weakness, the GET and POST requests can be logged. Logging of GET and POST operations can be done through mod_security.
- http://www.modsecurity.org/
- http://www.securityfocus.com/infocus/1706
- Disable PHP, CGI, SSI and the other scripting languages (unless there is a serious need for them).
- Disable SSI (Server Side Includes), which can give a convenient footing for abusing the server and lead to the execution of unwanted code.
- If PHP, CGI, SSI or other scripting languages must be used, suEXEC should be used. suEXEC makes it possible to run scripts under Apache with a User Id other than the Apache User Id; in effect, suEXEC lets Apache users run SSI and CGI programs under a User Id different from the User Id that invoked the web server. This reduces the security threats and removes the possibility of attackers writing and running their own SSI and CGI programs. suEXEC must be used with the necessary awareness and knowledge, since incorrect use, improper configuration or a lack of understanding of setuid root management will itself create further security holes. To become familiar with how suEXEC works and how to use it, the following addresses can be used:
http://httpd.apache.org/docs/suexec.html
http://httpd.apache.org/docs-2.0/suexec.html
- Review the contents of the cgi-bin directory and the other directories that contain scripts, and delete all the default sample scripts.
Covering this subject in full is beyond the scope of this article given its breadth; only two important examples are mentioned here:
- Disable the parameters that cause information to be disclosed in the HTTP header.
- Make sure PHP runs in safe mode.
For further information on this subject, the address http://www.securityfocus.com/printable/infocus/1706 can be used.
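As an added example that is not part of the article, the following Python checker reads an httpd.conf fragment and reports the settings the recommendations above cover: a root User/Group (item 3), the SSI, CGI, directory-listing and MultiViews modules and Options that the text says to enable only when genuinely needed, and the ServerTokens/ServerSignature directives behind information disclosure in the HTTP header. The sample configuration is constructed; directive and module names are the real httpd ones.

```python
import re

# Constructed httpd.conf fragment (not from the article) that carries several
# of the weak settings the recommendations above warn about.
SAMPLE_CONF = """\
LoadModule include_module modules/mod_include.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
User root
Group root
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes MultiViews Includes ExecCGI
</Directory>
"""

# Modules to keep only when genuinely needed: SSI (mod_include), CGI (mod_cgi),
# directory listings (mod_autoindex) and MultiViews (mod_negotiation).
REVIEW_MODULES = {"mod_include", "mod_cgi", "mod_autoindex", "mod_negotiation"}
RISKY_OPTIONS = {"Indexes", "MultiViews", "Includes", "ExecCGI"}


def audit_httpd_conf(text):
    """Return a sorted list of (directive, problem) pairs for a config fragment."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0]
        if key in ("User", "Group") and parts[1] == "root":
            findings.append((key, "server runs as root; use a low-privilege account"))
        elif key == "ServerTokens" and parts[1].lower() not in ("prod", "productonly"):
            findings.append((key, "version details leak in Server header; set Prod"))
        elif key == "ServerSignature" and parts[1].lower() != "off":
            findings.append((key, "version string added to error pages; set Off"))
        elif key == "LoadModule":
            mod = re.sub(r"\.so$", "", parts[2].rsplit("/", 1)[-1])  # "modules/mod_cgi.so" -> "mod_cgi"
            if mod in REVIEW_MODULES:
                findings.append((key, f"{mod} loaded; remove unless required"))
        elif key == "Options":
            for opt in parts[1:]:
                name = opt.lstrip("+")  # "+Indexes" enables; "-Indexes" disables and is left alone
                if name in RISKY_OPTIONS:
                    findings.append((key, f"{name} enabled; disable unless required"))
    return sorted(findings)


if __name__ == "__main__":
    for directive, problem in audit_httpd_conf(SAMPLE_CONF):
        print(f"{directive}: {problem}")
```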