PHP-FPM vulnerability allows attackers to execute code on the server

Corrective releases of PHP 7.3.11, 7.1.33 and 7.2.24 are available. They fix a critical vulnerability (CVE-2019-11043) in the PHP-FPM (FastCGI Process Manager) extension that allows remote code execution on the system. A working exploit for attacking servers that use PHP-FPM together with Nginx to run PHP scripts is already publicly available.

The attack is possible in nginx configurations in which forwarding to PHP-FPM is done by splitting parts of the URL with "fastcgi_split_path_info" and defining the PATH_INFO environment variable, but without first checking that the file exists using the "try_files $fastcgi_script_name" directive or "if (!-f $document_root$fastcgi_script_name)". The problem also appears in the settings recommended for the NextCloud platform. For example, configurations with structures such as:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can track the fix in distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a workaround, you can add a check for the existence of the requested PHP file after the "fastcgi_split_path_info" line:

try_files $fastcgi_script_name =404;
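As an added example, not from the original article or from the nginx or PHP projects, the following Python script audits an nginx configuration for location blocks that hand a split PATH_INFO to PHP-FPM without either of the two existence checks named above; the sample configuration embedded in it is constructed for the demonstration, and the function and regex names are the example's own.

```python
"""Audit nginx config for PHP-FPM locations that split PATH_INFO without a script-existence check."""
import re
# "location <matcher> {" headers; the block body is found by brace matching.
LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
# Either mitigation named in the article counts as a guard for the block.
TRY_FILES_RE = re.compile(r"\btry_files\s+[^;]*\$fastcgi_script_name")
IF_NOT_FILE_RE = re.compile(r"\bif\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)")

def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in nginx config")

def find_risky_php_locations(conf_text):
    """Return location matchers that hand a split PATH_INFO to PHP-FPM but contain
    neither try_files on $fastcgi_script_name nor the if (!-f ...) existence test."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments first
    risky = []
    for m in LOCATION_RE.finditer(text):
        body = _block_body(text, m.end() - 1)
        if not all(k in body for k in ("fastcgi_split_path_info", "fastcgi_pass", "PATH_INFO")):
            continue
        if not (TRY_FILES_RE.search(body) or IF_NOT_FILE_RE.search(body)):
            risky.append(m.group(1).strip())
    return risky

# Constructed sample: first block is the article's vulnerable pattern, second adds try_files.
SAMPLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location ~ ^/safe/.*\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}
"""
```

Running `find_risky_php_locations(SAMPLE_CONF)` reports only the first location; the script only inspects configuration text and does not touch the server.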

The problem is caused by an error in pointer manipulation in the file sapi/fpm/fpm/fpm_main.c. When the pointer is assigned, it is assumed that the value of the PATH_INFO environment variable must contain a prefix matching the path to the PHP script. If the fastcgi_split_path_info directive splits the script path using a newline-sensitive regular expression (for example, many examples suggest using "^(.+?\.php)(/.*)$"), an attacker can ensure that an empty value is written to the PATH_INFO environment variable. In this case, further execution writes a zero to path_info[0] and calls FCGI_PUTENV.

By requesting a URL formatted in a particular way, an attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to this byte moves the "char* pos" pointer to a previously used memory area. The next call to FCGI_PUTENV then overwrites the data in this memory with an attacker-controlled value. That memory also holds the values of other FastCGI variables, and by overwriting them the attacker can create a fictitious PHP_VALUE variable and achieve execution of their own code.

Source: opennet.ru
