ProHoster > ื‘ืœื•ื’ > ื—ื“ืฉื•ืช ื‘ืื™ื ื˜ืจื ื˜ > ืคื’ื™ืขื•ืช ื‘ื—ื‘ื™ืœืช ื”-Node-netmask NPM ื‘ืฉื™ืžื•ืฉ ื‘-270 ืืœืฃ ืคืจื•ื™ืงื˜ื™ื

ืคื’ื™ืขื•ืช ื‘ื—ื‘ื™ืœืช ื”-Node-netmask NPM ื‘ืฉื™ืžื•ืฉ ื‘-270 ืืœืฃ ืคืจื•ื™ืงื˜ื™ื

ืœื—ื‘ื™ืœืช ื”-Node-netmask NPM, ืฉื™ืฉ ืœื” ื›-3 ืžื™ืœื™ื•ืŸ ื”ื•ืจื“ื•ืช ื‘ืฉื‘ื•ืข ื•ืžืฉืžืฉืช ื›ืชืœื•ืช ื‘ื™ื•ืชืจ ืž-270 ืืœืฃ ืคืจื•ื™ืงื˜ื™ื ื‘-GitHub, ื™ืฉื ื” ื ืงื•ื“ืช ืชื•ืจืคื” (CVE-2021-28918) ื”ืžืืคืฉืจืช ืœื” ืœืขืงื•ืฃ ื‘ื“ื™ืงื•ืช ื”ืžืฉืชืžืฉื•ืช ื‘ืžืกื›ืช ื”ืจืฉืช. ื›ื“ื™ ืœืงื‘ื•ืข ืืช ื”ื”ืชืจื—ืฉื•ืช ืœื˜ื•ื•ื—ื™ ื›ืชื•ื‘ืช ืื• ืœืกื™ื ื•ืŸ. ื”ื‘ืขื™ื” ืชื•ืงื ื” ื‘ืžื”ื“ื•ืจื” ืฉืœ node-netmask 2.0.0.

ื”ืคื’ื™ืขื•ืช ืžืืคืฉืจืช ืœื”ืชื™ื™ื—ืก ืœื›ืชื•ื‘ืช IP ื—ื™ืฆื•ื ื™ืช ื›ื›ืชื•ื‘ืช ืžื”ืจืฉืช ื”ืคื ื™ืžื™ืช ื•ืœื”ื™ืคืš, ื•ื‘ื”ื™ื’ื™ื•ืŸ ืžืกื•ื™ื ืฉืœ ืฉื™ืžื•ืฉ ื‘ืžื•ื“ื•ืœ node-netmask ื‘ืืคืœื™ืงืฆื™ื” ืœื‘ื™ืฆื•ืข SSRF (Server-side request forgery), RFI (Remote File Inclusion) ื•-LFI (Local File Inclusion) ื”ืชืงืคื•ืช) ื›ื“ื™ ืœื’ืฉืช ืœืžืฉืื‘ื™ื ื‘ืจืฉืช ื”ืคื ื™ืžื™ืช ื•ืœื›ืœื•ืœ ืงื‘ืฆื™ื ื—ื™ืฆื•ื ื™ื™ื ืื• ืžืงื•ืžื™ื™ื ื‘ืฉืจืฉืจืช ื”ื‘ื™ืฆื•ืข. ื”ื‘ืขื™ื” ื”ื™ื ืฉืœืคื™ ื”ืžืคืจื˜, ืขืจื›ื™ ืžื—ืจื•ื–ืช ื›ืชื•ื‘ืช ืฉืžืชื—ื™ืœื™ื ื‘ืืคืก ืฆืจื™ื›ื™ื ืœื”ืชืคืจืฉ ื›ืžืกืคืจื™ื ืื•ืงื˜ืœื™ื™ื, ืืš ืžื•ื“ื•ืœ ื”ืžืกื›ืช-ื”ืฆื•ืžืช ืœื ืœื•ืงื— ื–ืืช ื‘ื—ืฉื‘ื•ืŸ ื•ืžืชื™ื™ื—ืก ืืœื™ื”ื ื›ืืœ ืžืกืคืจื™ื ืขืฉืจื•ื ื™ื™ื.

ืœื“ื•ื’ืžื”, ืชื•ืงืฃ ื™ื›ื•ืœ ืœื‘ืงืฉ ืžืฉืื‘ ืžืงื•ืžื™ ืขืœ-ื™ื“ื™ ืฆื™ื•ืŸ ื”ืขืจืš "0177.0.0.1", ื”ืชื•ืื ืœ-"127.0.0.1", ืืš ืžื•ื“ื•ืœ ื”-"node-netmask" ื™ืžื—ืง ืืช ื”-null, ื•ื™ืชื™ื™ื—ืก ืœ-0177.0.0.1" ื›-" 177.0.0.1", ืืฉืจ ื‘ืืคืœื™ืงืฆื™ื” ื‘ืขืช ื”ืขืจื›ืช ื›ืœืœื™ ื’ื™ืฉื”, ืœื ื ื™ืชืŸ ื™ื”ื™ื” ืœืงื‘ื•ืข ื–ื”ื•ืช ืขื "127.0.0.1". ื‘ืื•ืคืŸ ื“ื•ืžื”, ืชื•ืงืฃ ื™ื›ื•ืœ ืœืฆื™ื™ืŸ ืืช ื”ื›ืชื•ื‘ืช "0127.0.0.1", ืฉืืžื•ืจื” ืœื”ื™ื•ืช ื–ื”ื” ืœ-"87.0.0.1", ืืš ืชื˜ื•ืคืœ ื›"127.0.0.1" ื‘ืžื•ื“ื•ืœ "ืฆื•ืžืช-ืžืกื›ืช ืจืฉืช". ื‘ืื•ืคืŸ ื“ื•ืžื”, ืืชื” ื™ื›ื•ืœ ืœืจืžื•ืช ืืช ื‘ื“ื™ืงืช ื”ื’ื™ืฉื” ืœื›ืชื•ื‘ื•ืช ืื™ื ื˜ืจื-ื ื˜ ืขืœ ื™ื“ื™ ืฆื™ื•ืŸ ืขืจื›ื™ื ื›ืžื• "012.0.0.1" (ืฉื•ื•ื” ืขืจืš ืœ-"10.0.0.1", ืืš ื™ืขื•ื‘ื“ ื›-12.0.0.1 ื‘ืžื”ืœืš ื”ื‘ื“ื™ืงื”).

ื”ื—ื•ืงืจื™ื ืฉื–ื™ื”ื• ืืช ื”ื‘ืขื™ื” ืžื›ื ื™ื ืืช ื”ื‘ืขื™ื” ืงื˜ืกื˜ืจื•ืคืœื™ืช ื•ืžืกืคืงื™ื ื›ืžื” ืชืจื—ื™ืฉื™ ืชืงื™ืคื”, ืื‘ืœ ืจื•ื‘ื ื ืจืื™ื ืกืคืงื•ืœื˜ื™ื‘ื™ื™ื. ืœื“ื•ื’ืžื”, ื”ื•ื ืžื“ื‘ืจ ืขืœ ื”ืืคืฉืจื•ืช ืœืชืงื•ืฃ ืืคืœื™ืงืฆื™ื” ืžื‘ื•ืกืกืช Node.js ืฉืžืงื™ืžื” ื—ื™ื‘ื•ืจื™ื ื—ื™ืฆื•ื ื™ื™ื ื›ื“ื™ ืœื‘ืงืฉ ืžืฉืื‘ ืขืœ ืกืžืš ื”ืคืจืžื˜ืจื™ื ืื• ื”ื ืชื•ื ื™ื ืฉืœ ื‘ืงืฉืช ื”ืงืœื˜, ืืš ื”ืืคืœื™ืงืฆื™ื” ืื™ื ื” ืžื›ื•ื ื” ืื• ืžืคื•ืจื˜ืช ื‘ืžืคื•ืจืฉ. ื’ื ืื ืชืžืฆืื• ืืคืœื™ืงืฆื™ื•ืช ืฉื˜ื•ืขื ื•ืช ืžืฉืื‘ื™ื ืขืœ ืกืžืš ื›ืชื•ื‘ื•ืช ื”-IP ืฉื”ื•ื–ื ื•, ืœื ืœื’ืžืจื™ ื‘ืจื•ืจ ื›ื™ืฆื“ ื ื™ืชืŸ ืœื ืฆืœ ืืช ื”ืคื’ื™ืขื•ืช ื‘ืคื•ืขืœ ืžื‘ืœื™ ืœื”ืชื—ื‘ืจ ืœืจืฉืช ืžืงื•ืžื™ืช ืื• ืžื‘ืœื™ ืœื”ืฉื™ื’ ืฉืœื™ื˜ื” ืขืœ ื›ืชื•ื‘ื•ืช IP "ืฉื™ืงื•ืฃ".

ื”ื—ื•ืงืจื™ื ืจืง ืžื ื™ื—ื™ื ืฉื‘ืขืœื™ 87.0.0.1 (Telecom Italia) ื•-0177.0.0.1 (Brasil Telecom) ืžืกื•ื’ืœื™ื ืœืขืงื•ืฃ ืืช ื”ื’ื‘ืœืช ื”ื’ื™ืฉื” ืœ-127.0.0.1. ืชืจื—ื™ืฉ ืžืฆื™ืื•ืชื™ ื™ื•ืชืจ ื”ื•ื ืœื ืฆืœ ืืช ื”ืคื’ื™ืขื•ืช ื›ื“ื™ ืœืขืงื•ืฃ ืจืฉื™ืžื•ืช ื—ืกื™ืžื•ืช ืฉื•ื ื•ืช ื‘ืฆื“ ื”ื™ื™ืฉื•ืžื™ื. ื ื™ืชืŸ ืœื”ื—ื™ืœ ืืช ื”ื‘ืขื™ื” ื’ื ืขืœ ืฉื™ืชื•ืฃ ื”ื”ื’ื“ืจื” ืฉืœ ื˜ื•ื•ื—ื™ ืื™ื ื˜ืจืื ื˜ ื‘ืžื•ื“ื•ืœ NPM "private-ip".

ืžืงื•ืจ: OpenNet.ru

ื”ื•ืกืคืช ืชื’ื•ื‘ื”