Vulnerabilities in the web interface of Juniper network devices shipped with JunOS

Several vulnerabilities have been identified in the J-Web web interface used in Juniper network devices running the JunOS operating system. The most dangerous of them (CVE-2022-22241) allows arbitrary code to be executed on the system without authentication by sending a specially crafted HTTP request. Users of Juniper equipment are advised to install the firmware update and, if that is not possible, to make sure that access to the web interface is blocked from external networks and restricted to trusted hosts only.

The essence of the vulnerability is that a file path supplied by the user is processed in the /jsdm/ajax/logging_browse.php script, before authentication, without filtering the prefix that selects the content type. An attacker can send a malicious file disguised as an image and achieve execution of PHP code contained in a phar archive using the "Phar deserialization" attack technique (for example, by specifying "filepath=phar:/path/pharfile.jpg" in the request).

The problem is that when the uploaded file is checked with the PHP is_dir() function, that function automatically deserializes the archive metadata when it processes a path beginning with "phar://". The same effect occurs when user-supplied file paths are processed by the file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime() and filesize() functions.

The attack is complicated by the fact that, in addition to triggering the processing of the phar archive, the attacker must find a way to get it onto the device (through /jsdm/ajax/logging_browse.php one can only specify the path of a file that already exists). Possible vectors for placing files on the device include uploading a phar file disguised as an image through the image transfer service and substituting the file in the web content cache.

Other vulnerabilities:

  • CVE-2022-22242 - substitution of unfiltered external parameters into the output of the error.php script, which allows cross-site scripting and execution of arbitrary JavaScript code in the user's browser when a link is followed (for example, "https://JUNOS_IP/error.php?SERVER_NAME=alert(0)"). The vulnerability could be used to intercept administrator session parameters if attackers manage to get the administrator to open a specially crafted link.
  • CVE-2022-22243, CVE-2022-22244 - XPATH expression substitution via the jsdm/ajax/wizards/setup/setup.php and /modules/monitor/interfaces/interface.php scripts allows an unprivileged authenticated user to manipulate administrator sessions.
  • CVE-2022-22245 - insufficient sanitisation of the ".." sequence in paths processed by the Upload.php script allows an authenticated user to upload their own PHP file into a directory that permits PHP script execution (for example, by passing the path "fileName=\..\..\..\..\www\dir\new\shell.php").
  • CVE-2022-22246 - possible execution of an arbitrary local PHP file through manipulation, by an authenticated user, of the jrest.php script, in which external parameters are used to form the name of the file loaded by the "require_once()" function (for example, "/jrest.php?payload=alol/lol/any\..\..\..\..\any\file").
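The two root causes described above (a user-controlled path reaching a filesystem function that honours the phar:// wrapper, and unsanitised ".." sequences) are illustrated below in PHP, as an added example that is not J-Web's own code: the unsafe pattern next to a hardened check that refuses stream wrappers and confines the resolved path to one directory. The parameter name, $baseDir and the function names are assumptions.

```php
<?php
// Unsafe pattern: the user-supplied path reaches is_dir() unchecked, so a
// "phar://" prefix makes PHP's phar wrapper unserialize the archive metadata.
function browse_unsafe(string $userPath): bool
{
    return is_dir($userPath);
}

// Hardened pattern: refuse any wrapper scheme, refuse backslashes and NUL bytes,
// then resolve the path and require it to stay inside $baseDir (assumed to be
// the only directory this script may look at).
function safe_path(string $baseDir, string $userPath): ?string
{
    // 1. Reject "scheme:" prefixes such as phar://, php://, data:// outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // 2. Reject NUL bytes (realpath() refuses them) and backslashes, which the
    //    traversal examples above rely on.
    if (strpos($userPath, "\0") !== false || strpos($userPath, '\\') !== false) {
        return null;
    }
    // 3. realpath() collapses ".." and symlinks and returns false for paths that
    //    do not exist, so a crafted path cannot escape the base directory.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userPath);
    if ($base === false || $full === false) {
        return null;
    }
    if ($full !== $base && strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

function browse_hardened(string $baseDir, string $userPath): bool
{
    $path = safe_path($baseDir, $userPath);
    return $path !== null && is_dir($path);
}

// Constructed request values, as in the advisory's examples:
var_dump(safe_path('/var/www/logs', 'phar:/path/pharfile.jpg'));   // NULL
var_dump(safe_path('/var/www/logs', '..\\..\\www\\dir\\shell.php')); // NULL
var_dump(safe_path('/var/www/logs', '../../etc/passwd'));           // NULL
```

The same safe_path() gate belongs in front of every function listed above (file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), filesize()), not only is_dir(), because each of them accepts the phar:// wrapper.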

source: budenet.ru
