The Snuffleupagus project is developing a PHP module for blocking vulnerabilities

The Snuffleupagus project is developing an extension for the PHP7 interpreter, designed to harden the runtime environment and block common mistakes that lead to vulnerabilities in PHP applications. The module also allows you to create virtual patches that fix specific problems without changing the source code of the vulnerable application, which is convenient on mass hosting platforms where it is impossible to keep every user application up to date. The module is written in C, is loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and is distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that allows you to apply ready-made hardening templates or write your own rules to control input data and function parameters. For example, the rule "sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();" prohibits the use of special characters in the argument of the system() function without changing the application. In the same way, you can create virtual patches that block known vulnerabilities.
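To make the rule above concrete, here is an added example (not code from the Snuffleupagus project) that parses a rule of exactly that shape and applies it to a few constructed system() calls. It is a toy evaluator for the syntax shown in the article only (.function(), .param(), .value_r(), .drop()); it uses Python's re module where the real extension uses PCRE, and the names parse_rule, evaluate and check_system_calls are this example's own.

```python
import re

# The rule quoted in the article. The backslash is doubled inside the
# double-quoted rule string, exactly as written there.
RULE = r'sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();'

# Matches one chained call such as .param("command") or .drop(); the optional
# string argument may contain backslash-escaped characters.
_CALL = re.compile(r'\.(\w+)\((?:"((?:[^"\\]|\\.)*)")?\)')


def parse_rule(rule: str) -> dict:
    """Parse one sp.disable_function rule into its parts.

    Toy parser (an assumption of this example): it only understands the
    methods used in the article's rule.  Returns a dict with the target
    function name, the parameter name, the compiled regex and the action.
    """
    prefix = "sp.disable_function"
    if not rule.startswith(prefix):
        raise ValueError("only sp.disable_function rules are handled")
    spec = {"function": None, "param": None, "pattern": None, "action": None}
    for m in _CALL.finditer(rule[len(prefix):]):
        name, arg = m.group(1), m.group(2)
        if arg is not None:
            # undo the backslash escaping used inside the rule string,
            # so "[$|;&`\\n]" becomes the regex [$|;&`\n]
            arg = re.sub(r"\\(.)", r"\1", arg)
        if name == "function":
            spec["function"] = arg
        elif name == "param":
            spec["param"] = arg
        elif name == "value_r":
            spec["pattern"] = re.compile(arg)
        elif name in ("drop", "allow"):
            spec["action"] = name
        else:
            raise ValueError(f"unsupported rule method: {name}")
    if None in spec.values():
        raise ValueError("incomplete rule")
    return spec


def evaluate(spec: dict, function: str, args: dict) -> str:
    """Return the rule's action ('drop') if it matches the call
    function(**args), otherwise 'pass' (the call goes through untouched)."""
    if function != spec["function"]:
        return "pass"
    value = args.get(spec["param"])
    if value is None:
        return "pass"
    if spec["pattern"].search(str(value)):
        return spec["action"]
    return "pass"


def check_system_calls(rule: str = RULE) -> dict:
    """Run a few constructed command strings through the rule and report the
    verdict for each; only shell metacharacters trigger a drop."""
    spec = parse_rule(rule)
    samples = ["ls -la /tmp", "ls; id", "echo $HOME", "cat a.txt | sort"]
    return {cmd: evaluate(spec, "system", {"command": cmd}) for cmd in samples}


if __name__ == "__main__":
    for cmd, verdict in check_system_calls().items():
        print(f"{verdict:5} system({cmd!r})")
```

The verdict is per call, not per request: an identical argument passed to a different function (exec() instead of system()) is not covered by this rule, which is why hardening with Snuffleupagus usually means combining several rules rather than relying on one.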

Judging by the tests carried out by the developers, Snuffleupagus has practically no impact on performance. To ensure its own security (a vulnerability in a hardening layer could itself become an additional attack vector), the project runs thorough tests of every commit on different distributions, uses static analysis systems, and keeps the code formatted and documented to simplify auditing.

Built-in methods are provided to block classes of vulnerabilities such as problems related to data serialization, unsafe use of the PHP mail() function, leakage of cookie contents during XSS attacks, problems caused by loading files with executable code (for example, in phar format), poor-quality random number generation and incorrect substitution of XML constructs.

The following modes are supported for improving PHP security:

  • Automatic setting of the "secure" and "samesite" (CSRF protection) flags on cookies, cookie encryption;
  • A built-in set of rules for detecting traces of attacks and compromise of the application;
  • Forced global enabling of "strict" mode (for example, blocking an attempt to pass a string where an integer is expected as an argument) and protection against type manipulation;
  • Blocking of protocol wrappers by default (for example, prohibiting "phar://") with explicit whitelisting of allowed ones;
  • Prohibition of executing writable files;
  • Black and white lists for eval;
  • Mandatory enabling of TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects to ensure that deserialization returns the data stored by the original application;
  • Request logging mode;
  • Blocking the loading of external files in libxml via links in XML documents;
  • Ability to attach external handlers (upload_validation) for checking and scanning uploaded files;
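The HMAC item in the list above describes the general technique of authenticating serialized data before it is deserialized. The following added example (not Snuffleupagus code) shows that technique in Python: an object is serialized, a keyed HMAC is appended, and unseal() refuses to deserialize anything whose tag does not verify. It uses JSON as the serialization format and a constructed demo key; the real extension works on PHP's own serialize() output and its own secret, so the wire format here is this example's assumption.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its secret from configuration.
KEY = b"constructed-demo-key-do-not-use"


def seal(obj, key: bytes) -> str:
    """Serialize obj and append an HMAC-SHA256 tag computed over the payload.

    The canonical (sorted, compact) encoding keeps the tag stable for equal
    objects.  The '|' separator is safe because the hex tag never contains it.
    """
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def unseal(blob: str, key: bytes):
    """Verify the tag and only then deserialize.

    Raises ValueError for a missing tag, a payload that was modified after
    sealing, or a blob sealed under a different key.  The comparison is
    constant-time so the check itself does not leak tag bytes.
    """
    payload, sep, tag = blob.rpartition("|")
    if not sep:
        raise ValueError("missing HMAC tag")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("HMAC mismatch: data was not produced by this application")
    return json.loads(payload)


def demo() -> dict:
    """Seal a constructed session record, then show which blobs are accepted."""
    original = {"user": "alice", "role": "user"}
    blob = seal(original, KEY)

    # A blob whose payload was edited after sealing (constructed tampering).
    tampered = blob.replace('"role":"user"', '"role":"admin"')

    results = {"roundtrip": unseal(blob, KEY) == original}
    try:
        unseal(tampered, KEY)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    try:
        unseal(blob, b"some-other-key")
        results["foreign_key_rejected"] = False
    except ValueError:
        results["foreign_key_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The important ordering is verify first, deserialize second: the deserializer never sees bytes whose origin has not been checked, which is the property the module's HMAC mode provides for PHP's unserialize().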

The project was created and is used to protect users in the infrastructure of one of the large hosting providers in France. It is noted that simply enabling Snuffleupagus would have protected against many of the dangerous vulnerabilities identified this year in Drupal, WordPress and phpBB. Vulnerabilities in Magento and Horde could be blocked by enabling the "sp.readonly_exec.enable()" mode.

Source: opennet.ru