Notice
Article No. 243
2005-11-05 12:30:34
NickName: 풀비누
Subject: [Security] PHP update 4.4.1
|
An update for urgent PHP security bugs has been applied.
Security level: Urgent / Important
PHP --------------
Previous: 4.3.10
New: 4.4.1
Zend Optimizer ---
Previous: 2.5.7
New: 2.5.10a
Details --------
1) GLOBAL variable modification vulnerability caused by a bug in the POST parameter handling functions
When file upload is implemented with "multipart/form-data" POST requests, a bug in the implementation of the extract() and import_request_variables() functions, which process the variable values sent by the client, lets a remote attacker modify GLOBAL environment variable values. In the php.ini file that defines the PHP environment, the variables_order directive, which sets the order in which parameters are processed, defaults to 'EGPCS' (Environment, GET, POST, Cookie, Server); in that configuration the server can be exposed to attacks that exploit this vulnerability.
2) register_globals activation vulnerability caused by a bug in the PHP parse_str() function
A bug in parse_str(), which processes a given string as if it were a URL query string, makes it possible to switch the register_globals directive (the php.ini setting that decides whether environment variables and parameters are registered as global variables) to 'on'. (Since PHP 4.2.0 the default value of the register_globals directive in php.ini is off.)
3) Cross-Site Scripting vulnerability in the phpinfo() function
The phpinfo() function, which prints a wide range of information about PHP, has a Cross-Site Scripting vulnerability caused by missing input validation. If a web site exposes the vulnerable phpinfo() function, an attacker can carry out a Cross-Site Scripting attack that runs malicious script in the web browser of users who visit that site.
4) Buffer Overflow vulnerability in the PCRE library
The PCRE (Perl Compatible Regular Expression) library, which provides regular-expression compatibility with the Perl language, has a Buffer Overflow vulnerability. An attacker can exploit it by having the target system process a crafted regular expression, and thereby execute arbitrary commands on that system.
5) Security setting bypass vulnerability caused by bugs in the ext/curl and ext/gd extension modules
Among the PHP extension modules, the curl (Client URL Library) module, which supports communication between heterogeneous systems, and the gd (Graphic Design) module, which supports various kinds of image processing, have implementation bugs that allow a remote attacker to access files that are not permitted. An attacker can exploit this to access arbitrary files regardless of php.ini settings such as the safe_mode directive (which compares the owner of the PHP script with the owner of the files it references) and the open_basedir directive (which restricts the directories from which a PHP script may reference files).
6) Security setting bypass vulnerability caused by a bug in the virtual() function
A bug in the implementation of the virtual() function, which includes executable scripts under Apache2, makes it possible to bypass security settings such as safe_mode and open_basedir and access arbitrary files.
Thank you.
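An added example, not part of the original notice and not code from the PHP project: a PHP 4-compatible audit script an administrator can run after the update to confirm the installed version is at least 4.4.1 and to report the php.ini directives the notice discusses (register_globals, variables_order, safe_mode, open_basedir). The function names and messages are my own; it assumes PHP 4.1 or later for version_compare().

```php
<?php
// Added example, not from the original notice: audit a PHP 4 server against
// the six items above. Needs PHP >= 4.1 (version_compare); run: php audit.php
// Lowest version that carries all six fixes listed in the notice.
define('FIXED_VERSION', '4.4.1');

// True for any spelling PHP accepts for a boolean ini value ("1", "On", "yes", ...).
function ini_is_on($directive)
{
    $v = strtolower(trim((string) ini_get($directive)));
    return in_array($v, array('1', 'on', 'yes', 'true'));
}

// Returns a list of findings; an empty list means nothing to report.
function audit_php_config()
{
    $findings = array();
    $outdated = version_compare(phpversion(), FIXED_VERSION, '<');
    if ($outdated) {
        $findings[] = 'PHP ' . phpversion() . ' is older than ' . FIXED_VERSION . ': upgrade (items 1-6)';
    }
    // Item 2: the parse_str() bug could switch register_globals on at runtime;
    // it should be off on every version (the default since 4.2.0).
    if (ini_is_on('register_globals')) {
        $findings[] = 'register_globals is On: set register_globals = Off (item 2)';
    }
    // Item 1: with POST in variables_order (default EGPCS), multipart uploads reach
    // extract()/import_request_variables() on vulnerable builds.
    $order = strtoupper((string) ini_get('variables_order'));
    if ($outdated && strpos($order, 'P') !== false) {
        $findings[] = "variables_order = $order includes POST: exposed to item 1 until upgraded";
    }
    // Items 5-6: safe_mode and open_basedir can be bypassed through curl, gd and
    // virtual() on vulnerable builds, so they are not a substitute for the upgrade.
    if ($outdated && (ini_is_on('safe_mode') || ini_get('open_basedir') != '')) {
        $findings[] = 'safe_mode/open_basedir are set but bypassable before ' . FIXED_VERSION . ' (items 5-6)';
    }
    return $findings;
}

$findings = audit_php_config();
if (count($findings) == 0) {
    echo 'OK: PHP ' . phpversion() . " has no findings\n";
} else {
    foreach ($findings as $f) {
        echo "WARN: $f\n";
    }
}
```

Run it from the command line with the same php.ini the web server uses (or via the web server itself), since ini_get() reports the effective values of that runtime, not the file on disk.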