Critical vulnerability in the File Manager WordPress plugin with 700 thousand installations

A vulnerability has been identified in the File Manager WordPress plugin, which has more than 700 thousand installations, that allows arbitrary commands and PHP scripts to be executed on the server. The problem is present in File Manager releases 6.0 through 6.8 and has been fixed in release 6.9.

The File Manager plugin provides file management tools for the WordPress administrator, using the bundled elFinder library for low-level file operations. The elFinder library source code includes files with example code, which are shipped in the working directory with a ".dist" extension. The vulnerability stems from the fact that, when the library was shipped, the file "connector.minimal.php.dist" was renamed to "connector.minimal.php" and became reachable for execution through external requests. This script allows any operation on files (upload, open, edit, rename, rm, etc.), since its parameters are passed to the plugin's run() function, which can be used to replace PHP files in WordPress and run arbitrary code.

What makes the vulnerability more serious is that it is already being used in automated attacks, in which an image containing PHP code is uploaded to the "plugins/wp-file-manager/lib/files/" directory using the "upload" command and then renamed to a PHP script whose name is chosen at random and contains the word "hard" or "x." (for example hardfork.php, hardfind.php, x.php, etc.). When executed, the PHP code adds a backdoor to the /wp-admin/admin-ajax.php and /wp-includes/user.php files, giving the attackers access to the site's administrator interface. The attack is carried out by sending a POST request to the file "wp-file-manager/lib/php/connector.minimal.php".

Notably, after the compromise, in addition to leaving a backdoor, changes are made to protect further calls to the vulnerable connector.minimal.php file, so that other attackers cannot take over the server.
The first exploitation attempt was detected on September 1 at 7 am (UTC). At 12:33 (UTC) the File Manager plugin developers released a patch. According to Wordfence, the company that discovered the vulnerability, its firewall blocked about 450 attempts to exploit this vulnerability per day. A network scan showed that 52% of sites using this plugin had not yet been updated and remain vulnerable. After installing the update, it makes sense to check the http server log for calls to the "connector.minimal.php" script to determine whether the system has been compromised.
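As an added example (not code from the article, the plugin or opennet.ru), a small Python scanner over constructed Apache/nginx combined-format log lines that flags the two indicators the text describes: requests to connector.minimal.php and PHP files served from the lib/files/ upload directory. The /wp-content/plugins/ prefix and the combined log format are assumptions about the site's layout.

```python
import re

# Assumed Apache/nginx "combined" log format; fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Paths named in the article; matched as suffixes so the (assumed) /wp-content/plugins/
# prefix does not have to be known exactly.
CONNECTOR_SUFFIX = "/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR_MARK = "/wp-file-manager/lib/files/"


def classify(line):
    """Return a finding tuple (kind, ip, ts, path), or None for an unremarkable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if path.endswith(CONNECTOR_SUFFIX):
        # Any request to the exposed connector deserves review; a POST is the
        # exploitation pattern the article describes.
        kind = "connector_post" if m.group("method") == "POST" else "connector_other"
        return (kind, m.group("ip"), m.group("ts"), path)
    if UPLOAD_DIR_MARK in path and path.lower().endswith(".php"):
        # A PHP file being served from the upload directory is the dropped script.
        return ("php_in_upload_dir", m.group("ip"), m.group("ts"), path)
    return None


def scan(lines):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log lines (not taken from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2020:07:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2020:07:03:40 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 87 "-" "python-requests/2.24"
203.0.113.9 - - [01/Sep/2020:07:03:52 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 12 "-" "python-requests/2.24"
198.51.100.7 - - [01/Sep/2020:07:10:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/logo.png HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for kind, ip, ts, path in scan(SAMPLE_LOG):
        print(f"{kind:18} {ip:15} {ts}  {path}")
```

A hit on connector.minimal.php alone is not proof of compromise (scanners probe unpatched and patched sites alike), but a POST to it followed by a PHP file fetched from lib/files/ from the same address is the sequence worth investigating.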

In addition, the corrective release WordPress 5.5.1, which brings 40 fixes, is also worth noting.

Source: opennet.ru
