Several weak points (can lead to loss of control over the server) #138
nginxwebui后台rce截止3.9.9.pdf
Remediation suggestions:
1. Filter Linux whitespace substitutes such as ${IFS}.
2. Escape all shell metacharacters in commands; shell metacharacters include #&;`,|*?~<>^()[]{}$\.
3. Disable the corresponding commands when they are not needed, i.e. commands that directly spawn a shell such as bash, sh and dash.
4. Check whether file names obtained from the zip archive via ZipEntry.getName() contain ../ or ..
5. Strictly validate the inputs nginxPath, nginxExe and nginxDir: path and dir should be checked to be directories, and nginxExe can be restricted to an allow-list or hard-coded.
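One way to implement suggestions 2, 4 and 5, as an added example and not nginxWebUI's own code: the class and method names, the whitespace rejection and the allow-listed nginx binary paths are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper class (not from the nginxWebUI code base).
public class NginxInputGuard {

    // The shell metacharacters listed in the issue, plus whitespace (\s) so that
    // space/tab separators and ${IFS}-style tricks are rejected as well.
    private static final Pattern SHELL_META =
        Pattern.compile("[#&;`,|*?~<>^()\\[\\]{}$\\\\\\s]");

    // Constructed allow-list of nginx binary locations (suggestion 5).
    private static final Set<String> ALLOWED_NGINX_EXE = Set.of(
        "/usr/sbin/nginx",
        "/usr/local/nginx/sbin/nginx");

    /** Suggestion 2: refuse any argument that contains a shell metacharacter
     *  instead of trying to escape it. */
    public static boolean isSafeShellArg(String arg) {
        return arg != null && !arg.isEmpty() && !SHELL_META.matcher(arg).find();
    }

    /** Suggestion 4: resolve the entry name under destDir and refuse it when the
     *  canonical path leaves destDir. Canonicalisation catches "../" segments,
     *  "..\" on Windows and absolute names, not only a literal "../" substring. */
    public static File safeZipTarget(File destDir, String entryName) throws IOException {
        String canonicalDest = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entryName);
        String canonicalTarget = target.getCanonicalPath();
        if (!canonicalTarget.startsWith(canonicalDest)) {
            throw new IOException("zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    /** Suggestion 5: nginxPath / nginxDir must be existing directories and must
     *  not carry metacharacters, because they end up on a command line. */
    public static boolean isValidNginxDir(String dir) {
        return isSafeShellArg(dir) && new File(dir).isDirectory();
    }

    /** Suggestion 5: nginxExe is only accepted from the allow-list. */
    public static boolean isAllowedNginxExe(String exe) {
        return exe != null && ALLOWED_NGINX_EXE.contains(exe);
    }
}
```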