Vulnerability in the Apache httpd 2.4.49 server that allows retrieving files outside the site root directory

An urgent update of the Apache httpd server, version 2.4.50, has been published. It fixes an already exploited 0-day vulnerability (CVE-2021-41773) that allows access to files located outside the site's root directory. Using the vulnerability, an attacker can download arbitrary system files and the source code of web scripts, as long as they are readable by the user account under which the httpd process runs. The developers were notified of the problem on September 17, but were only able to release the update today, after cases of the vulnerability being used to attack sites had been recorded in the wild.

The danger is reduced by the fact that the problem exists only in the recently released version 2.4.49 and does not affect any earlier release. The stable branches of conservative server distributions (Debian, RHEL, Ubuntu, SUSE) have not yet shipped release 2.4.49, but the problem does affect rolling-release distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

The vulnerability is caused by a bug introduced when the URI path-normalization code was rewritten: a dot encoded as "%2e" in the path was not normalized if it was preceded by another dot. As a result, the "../" sequence can be smuggled into the resulting path by writing ".%2e/" in the request. For example, a request such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" returns the contents of the "/etc/passwd" file (or "/etc/hosts" in the case of the second request).

The problem does not occur if access to directories is explicitly denied with the "require all denied" setting: the traversal only succeeds when the directory it lands in is accessible. For example, as a partial protection, the following directive can be specified in the configuration file for the directory tree (the stock httpd.conf already carries it for the filesystem root in its <Directory /> section, which is why an unmodified default configuration is not exposed, while configurations that relax it to "Require all granted" are):

    Require all denied
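To make the mechanism above concrete, here is an added Python model (written for this page; it is not Apache's ap_normalize_path() and not code from the httpd project) that reproduces the shape of the mistake: dot-segment rules applied to a still-encoded segment, with the "%2e" escapes decoded only afterwards, so ".%2e" and "%2e%2e" survive into the resulting path as "..". It contrasts that with a decode-first normalizer, maps both results through an assumed ScriptAlias-style prefix and DocumentRoot (the /cgi-bin/ -> /usr/lib/cgi-bin/ and /var/www/html/ values are assumptions, not taken from a real configuration), checks whether the final filesystem path stayed confined, and finally scans a few constructed access-log lines for encoded dot-segments, which is the check an operator would run after this advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed mappings for the model (not taken from any real httpd.conf):
# a ScriptAlias-style prefix and a DocumentRoot.
CGI_ALIAS_URL = "/cgi-bin/"
CGI_ALIAS_DIR = "/usr/lib/cgi-bin/"
DOC_ROOT = "/var/www/html/"


def buggy_normalize(path):
    """Model of the 2.4.49-style mistake (simplified, not Apache's code):
    dot-segment rules look at the still-encoded segment, and the %2e
    escapes are decoded afterwards, so ".%2e" / "%2e%2e" are not
    recognised as ".." yet end up as ".." in the output."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(unquote(seg))  # decoded too late to be interpreted
    return "/" + "/".join(out)


def fixed_normalize(path):
    """Decode each segment first, then apply the dot-segment rules to the
    decoded text, so ".%2e" and "%2e%2e" are handled exactly like ".."."""
    out = []
    for seg in path.split("/"):
        seg = unquote(seg)  # decode BEFORE interpreting
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_confined(fs_path, base_dir):
    """Defence in depth: True only if fs_path lies inside base_dir."""
    base = posixpath.normpath(base_dir)
    return fs_path == base or fs_path.startswith(base + "/")


def resolve(raw_path, normalize):
    """Normalize the URL path, map it through the alias / document root
    (without re-normalizing, which is what lets a surviving ".." escape),
    and report the resulting filesystem path plus whether it is confined."""
    url = normalize(raw_path)
    if url.startswith(CGI_ALIAS_URL):
        base, rest = CGI_ALIAS_DIR, url[len(CGI_ALIAS_URL):]
    else:
        base, rest = DOC_ROOT, url.lstrip("/")
    fs_path = posixpath.normpath(base + rest)  # what the OS will open
    return fs_path, is_confined(fs_path, base)


# Constructed access-log sample (combined log format); not real traffic.
LOG_SAMPLE = """\
203.0.113.5 - - [05/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1870 "-" "curl/7.79.1"
203.0.113.5 - - [05/Oct/2021:10:12:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 221 "-" "curl/7.79.1"
198.51.100.9 - - [05/Oct/2021:10:13:40 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2021:10:13:41 +0000] "GET /docs/../index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def has_encoded_dot_segment(raw_path):
    """True if a segment decodes to '..' without being a literal '..',
    i.e. the traversal was hidden behind %2e / %2E escapes."""
    path_only = raw_path.split("?", 1)[0]
    return any(seg != ".." and unquote(seg) == ".." for seg in path_only.split("/"))


def scan_access_log(lines):
    """Return the request paths of log lines carrying encoded dot-segments."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_encoded_dot_segment(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for req in ("/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",
                "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts"):
        print(req)
        print("  2.4.49-style :", resolve(req, buggy_normalize))
        print("  decode-first :", resolve(req, fixed_normalize))
    print("suspicious requests:", scan_access_log(LOG_SAMPLE.splitlines()))
```

The decode-first normalizer collapses the traversal at the URL level, so the request ends up as "/etc/passwd" relative to the document root and never leaves it; the confinement check is the independent safety net that the "require all denied" rule provides in a real deployment. The log scanner deliberately ignores literal "../" (which the server normalizes correctly and which appears in benign traffic) and flags only dot-segments that become visible after percent-decoding.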

Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524), affecting the module that implements the HTTP/2 protocol. The vulnerability makes it possible to trigger a NULL pointer dereference by sending a specially crafted request, causing the server process to crash. This vulnerability, too, is present only in version 2.4.49. As a security workaround, support for the HTTP/2 protocol can be disabled (for example, by removing "h2" from the Protocols directive or by not loading mod_http2).

Source: opennet.ru
