WordPress 5.2 released with support for verifying updates by digital signature

The release of the web content management system WordPress 5.2 has been published. The release is notable for completing the long-running effort to implement a mechanism for verifying updates and add-ons using digital signatures.

Until now, when installing updates in WordPress, the key security factor was trust in the WordPress infrastructure and servers (after downloading, the hash was checked without verifying the source). If the project's servers were compromised, attackers could spoof an update and distribute malicious code to WordPress-based sites that use automatic update installation. Under the previously used trust model, such a substitution would go unnoticed by users.

Taking into account that, according to the w3techs project, the WordPress platform is used by 33.8% of sites on the network, such a situation could take on the scale of a catastrophe. At the same time, the danger of an infrastructure compromise is not hypothetical but real. For example, a few years ago a security researcher discovered a vulnerability that allowed an attacker to execute their code on the server side of api.wordpress.org.

With digital signatures in place, gaining control over the update distribution server would not lead to a compromise of users' systems, since to carry out the attack one would additionally need to obtain the private key with which the updates are signed, and that key is stored separately.

Implementing source verification of updates by digital signature was hampered by the fact that support for the necessary cryptographic algorithms appeared in the standard PHP package only recently. The necessary cryptographic algorithms became available thanks to the integration of the Libsodium library into the PHP 7.2 core. But the minimum supported PHP version in WordPress was 5.2.4 (from WordPress 5.2 onward, 5.6.20). Supporting digital signatures would have required a significant increase in the minimum supported PHP version or the addition of an external dependency, which the developers could not afford given the wide variety of PHP versions on hosting systems.

The solution was the development and inclusion in WordPress 5.2 of a compact version of Libsodium, Sodium Compat, in which the minimum set of algorithms for verifying digital signatures is implemented in pure PHP. This implementation leaves much to be desired in terms of performance, but it completely solves the compatibility problem and also allows plugin developers to start using modern cryptographic algorithms.

The algorithm used to generate the digital signatures is Ed25519, developed with the participation of Daniel J. Bernstein. The digital signature is generated over the SHA384 hash value computed from the contents of the update file. Ed25519 offers a higher level of security than ECDSA and DSA, and shows very high speed of both signature verification and signature generation. The resistance of Ed25519 to attack is about 2^128 (on average, an attack on Ed25519 would require 2^140 bit operations), which corresponds to the resistance of algorithms such as NIST P-256 and RSA with a key size of 3000 bits, or a 128-bit block cipher. Ed25519 is also not affected by hash collision problems, and is not susceptible to cache-timing attacks or side-channel attacks.

In the WordPress 5.2 release, digital signature verification currently covers only major platform updates, and by default it does not block the installation of an update but only notifies the user of the problem. The decision not to enable immediate blocking by default was made because of the need for thorough testing and the possibility of unforeseen problems. In the future, it is also planned to add digital signature verification for the source of installed themes and plugins (vendors will be able to sign their releases with their own key).
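The two paragraphs above describe the scheme (an Ed25519 signature over the SHA384 digest of the update file) and the 5.2 policy (warn rather than block on failure). The following is an added illustration, not WordPress core or Sodium Compat code, of how a release signer and an updater would implement exactly that with the PHP sodium extension (PHP 7.2+); on older PHP the Sodium Compat polyfill exposes the same `sodium_*` functions once its autoloader is loaded. The key pair, the sample archive bytes and the `$block_on_failure` switch are constructed for the example and are not WordPress settings.

```php
<?php
// Added example: Ed25519 signature over the SHA-384 digest of an update archive.
// Not WordPress code. Requires ext/sodium (PHP 7.2+) or paragonie/sodium_compat.

// The updater ships with a trusted public key; the private key stays with the
// release signer and is never downloaded together with an update. A key pair is
// generated here only so the example is self-contained (constructed).
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair); // release signer only
$publicKey = sodium_crypto_sign_publickey($keypair); // embedded in the updater

// Signer side: sign the raw SHA-384 digest of the archive, not the archive itself.
function sign_update(string $archiveBytes, string $secretKey): string
{
    $digest = hash('sha384', $archiveBytes, true);          // raw 48-byte digest
    return sodium_crypto_sign_detached($digest, $secretKey); // 64-byte signature
}

// Updater side: recompute the digest locally and verify the detached signature.
// Returns true only if the bytes are exactly what the signer signed.
function verify_update(string $archiveBytes, string $signature, string $publicKey): bool
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature; do not even call the verifier
    }
    $digest = hash('sha384', $archiveBytes, true);
    return sodium_crypto_sign_verify_detached($signature, $digest, $publicKey);
}

// Constructed sample archive, its signature, and a tampered copy of the archive.
$archive   = "PK\x03\x04 wordpress-5.2.zip (constructed sample bytes)";
$signature = sign_update($archive, $secretKey);
$tampered  = $archive . "x";

var_dump(verify_update($archive,  $signature, $publicKey));
var_dump(verify_update($tampered, $signature, $publicKey));

// The 5.2 policy: a failed check is reported, not enforced, unless the site
// opts in. $block_on_failure is an assumed local switch, not a WordPress option.
$block_on_failure = false;
if (!verify_update($tampered, $signature, $publicKey)) {
    $message = 'Update signature could not be verified; refusing to trust this archive.';
    if ($block_on_failure) {
        throw new RuntimeException($message);
    }
    error_log($message); // notify the administrator only, as 5.2 does by default
}
```

Two points the code makes explicit: the signature binds the digest, so any change to the archive (the `$tampered` case) fails verification even though the hash comparison the old model relied on would have been recomputed from the same tampered bytes; and the public key must come from the installed code base, not from the same server that serves the update, otherwise a compromised server could simply replace both.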

In addition to digital signature support, the following changes in WordPress 5.2 can be noted:

  • Two new pages were added to the "Site Health" section for debugging configuration problems, and a form is provided through which developers can output debugging information to site administrators;
  • An implementation of "white screen of death" protection was added, which is triggered in the event of fatal errors and helps the administrator fix problems caused by plugins or themes on their own by switching to a special recovery mode;
  • A system for checking compatibility with plugins was introduced, which can verify whether a plugin can be used in the current configuration, including the PHP version in use. If a plugin requires a newer version of PHP to run, the system will automatically block activation of that plugin;
  • Added support for loading modules with JavaScript code using webpack and Babel;
  • Added a new privacy-policy.php template that allows you to customize the content of the privacy policy page;
  • For themes, the wp_body_open hook was added, allowing you to insert code immediately after the opening body tag;
  • The minimum required PHP version was raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
  • Added 13 new icons.

Also worth noting is the identification of a critical vulnerability in the WordPress plugin WP Live Chat (CVE-2019-11185). The vulnerability allows arbitrary PHP code execution on the server. The plugin is used on more than 27 thousand sites to set up interactive chats with visitors, including the sites of companies such as IKEA, Adobe, Huawei, PayPal, Tele2 and McDonald's (WP Live Chat is mostly used to run support chats on company sites, with a conversation with an employee).

The problem lies in the code for uploading files to the server: it allows bypassing the check of permitted file types, uploading a PHP script to the server and then executing it directly via the web. Interestingly, a similar vulnerability had already been identified in WP Live Chat last year (CVE-2018-12426), which allowed uploading PHP code under the guise of an image by specifying a different type in the content type field. As part of that fix, additional checks against a whitelist and of the MIME content type were added. As it turned out, these checks were implemented incorrectly and can be bypassed easily.

In particular, direct uploading of files with the ".php" extension is prohibited, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blacklist. The whitelist allows only image uploads, but it can be bypassed by specifying a double extension, for example ".gif.phtml". To bypass the MIME type check, it is enough to place the string "GIF89a" at the beginning of the file, before the opening tag with the PHP code.
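The two paragraphs above describe three weaknesses in one validator: a blacklist that misses an executable extension, a whitelist that looks only at the last extension, and a MIME check that trusts the first bytes of the file. The following is an added, defender-side illustration (not WP Live Chat or WordPress code) of an upload validator that is structured so none of those three bypasses applies: it requires exactly one extension from an allowlist, checks the file header against the extension that was claimed, and, most importantly, never stores the file under the client-supplied name. The allowlist, magic-byte table, file names and sample contents are constructed for the example.

```php
<?php
// Added example: hardened image-upload validation. Not plugin or WordPress code.
// Constructed allowlist: extension => magic bytes the file must start with.
const ALLOWED_IMAGE_EXT = [
    'gif' => "GIF8",                 // GIF87a / GIF89a
    'png' => "\x89PNG\r\n\x1a\n",
    'jpg' => "\xFF\xD8\xFF",
];

/**
 * Returns [true, $storedName] when the upload is accepted, or [false, $reason].
 * Allowlist only; no blacklist of "dangerous" extensions is consulted, so a
 * forgotten extension such as .phtml cannot slip through.
 */
function validate_image_upload(string $clientName, string $contents): array
{
    // 1. Use only the base name and require exactly one extension.
    //    "photo.gif.phtml" has two and is rejected before any other check.
    $base  = basename($clientName);
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return [false, 'filename must be name.ext with exactly one extension'];
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_IMAGE_EXT[$ext])) {
        return [false, "extension .$ext is not in the image allowlist"];
    }

    // 2. The header must match the extension that was claimed, not just
    //    "some image type": a .png whose bytes say GIF89a is rejected.
    $magic = ALLOWED_IMAGE_EXT[$ext];
    if (strncmp($contents, $magic, strlen($magic)) !== 0) {
        return [false, 'file header does not match the claimed image type'];
    }

    // 3. A header is not proof of an image: the data must parse as one.
    //    Note this still accepts a genuine image with trailing data, which is
    //    why step 4 and the serving rules in the note below are the real line.
    if (@getimagesizefromstring($contents) === false) {
        return [false, 'content does not decode as an image'];
    }

    // 4. The server chooses the stored name AND the extension; the client's
    //    filename is never used for storage, so it cannot influence execution.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $storedName];
}

// Constructed inputs: a minimal 1x1 GIF, and a "GIF89a" prefix followed by text.
$tinyGif   = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$polyglot  = "GIF89a" . "<?php /* constructed placeholder, not a payload */ ?>";

var_dump(validate_image_upload('avatar.gif',        $tinyGif));   // accepted
var_dump(validate_image_upload('avatar.gif.phtml',  $tinyGif));   // two extensions
var_dump(validate_image_upload('avatar.phtml',      $tinyGif));   // not allowlisted
var_dump(validate_image_upload('avatar.png',        $tinyGif));   // header/ext mismatch
var_dump(validate_image_upload('avatar.gif',        $polyglot));  // fails to decode
```

Even with all four steps, content checks alone are not the control to rely on: the upload directory should be served with script execution disabled (or stored outside the document root and streamed through a handler), and images that must be kept as images can be re-encoded with GD or Imagick so that no attacker-controlled bytes survive at all. The validator above reduces the attack surface; the serving configuration is what makes an accepted file inert.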

Source: opennet.ru
