WordPress 5.2 released with support for verifying updates with a digital signature

The release of the web content management system WordPress 5.2 has been announced. The release is notable for completing a six-year effort to implement the ability to verify updates and add-ons using a digital signature.

Until now, when installing updates, the main security factor in WordPress was trust in the WordPress infrastructure and servers (after downloading, the hash was checked, but the origin of the update was not verified). If the project's servers were compromised, attackers could substitute the updates and distribute malicious code among the WordPress sites that use the automatic update system. With the trust model used previously, such a substitution would have gone unnoticed on the users' side.

Considering that, according to data from the w3techs project, the WordPress platform is used on 33.8% of sites on the web, such an incident would have the scale of a catastrophe. At the same time, the risk of infrastructure compromise was not hypothetical but real. For example, a few years ago one security researcher demonstrated a vulnerability that allowed an attacker to execute their own code on the api.wordpress.org server.

With a digital signature in use, gaining control of the update distribution server would not lead to the compromise of users' systems, because an attacker would additionally need to obtain the separately stored private key that is used to sign the updates.

Implementing verification of the origin of updates with a digital signature was held back by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only recently. The required algorithms arrived with the integration of the Libsodium library into the main PHP 7.2 codebase. However, the minimum supported PHP version declared for WordPress was 5.2.4 (starting with WordPress 5.2, it is 5.6.20). Adding support for digital signatures would therefore have meant a significant increase in the minimum PHP version requirement or the addition of an external dependency, which the developers could not afford because of the fragmentation of PHP versions on hosting systems.

The solution was to develop and include in WordPress 5.2 a compact version of Libsodium, Sodium Compat, in which a limited set of algorithms for verifying digital signatures is implemented in pure PHP. The implementation leaves much to be desired in terms of performance, but it solves the compatibility problem completely and also lets plugin developers start using modern cryptographic algorithms.

The Ed25519 algorithm, developed by Daniel J. Bernstein, is used to generate the digital signatures. The signature is made over the SHA384 hash value computed from the contents of the update archive. Ed25519 offers a higher security level than ECDSA and DSA and is very fast at both generating and verifying signatures. Ed25519's resistance to attack is about 2^128 (on average, an attack on Ed25519 would require 2^140 bit operations), which corresponds to that of algorithms such as NIST P-256 and RSA with a key size of 3000 bits, or a 128-bit block cipher. Ed25519 is also not susceptible to hash collision problems and is not affected by cache timing attacks or side-channel attacks.
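As an added illustration (not WordPress's own code), the following PHP script verifies a detached Ed25519 signature over the SHA384 hash of an archive, the scheme just described, using the sodium_* functions that PHP 7.2 ships and that Sodium Compat provides under the same names; the keypair, the archive and the function name verify_update_archive are constructed for the demo.

```php
<?php
// Added example (not WordPress's own code): verify a detached Ed25519
// signature over the SHA-384 hash of an update archive. Needs ext-sodium
// (PHP >= 7.2) or the Sodium Compat polyfill, which defines the same names.
declare(strict_types=1);

/**
 * True only if $signatureB64 is a valid Ed25519 signature, under the public
 * key $publicKeyB64, over SHA-384(contents of $archivePath). Never throws.
 */
function verify_update_archive(string $archivePath, string $signatureB64, string $publicKeyB64): bool
{
    // The signature covers the raw binary digest, not the file itself.
    $digest = hash_file('sha384', $archivePath, true);
    $signature = base64_decode($signatureB64, true);
    $publicKey = base64_decode($publicKeyB64, true);
    // Reject malformed inputs before they reach the crypto primitive.
    if ($digest === false || $signature === false || $publicKey === false
        || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    try {
        return sodium_crypto_sign_verify_detached($signature, $digest, $publicKey);
    } catch (SodiumException $e) {
        return false;
    }
}

// Demo with a throwaway keypair (constructed; a real release key is kept
// offline) and a constructed archive; then the archive is tampered with.
$keypair   = sodium_crypto_sign_keypair();
$publicB64 = base64_encode(sodium_crypto_sign_publickey($keypair));
$archive   = tempnam(sys_get_temp_dir(), 'wp');
file_put_contents($archive, "constructed update archive\n");
$sigB64 = base64_encode(sodium_crypto_sign_detached(
    hash_file('sha384', $archive, true),
    sodium_crypto_sign_secretkey($keypair)
));
var_dump(verify_update_archive($archive, $sigB64, $publicB64)); // untouched archive
file_put_contents($archive, "tampered update archive\n");
var_dump(verify_update_archive($archive, $sigB64, $publicB64)); // after tampering
unlink($archive);
```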

In the WordPress 5.2 release, digital signature verification currently covers only major platform updates and does not block updates by default; it only informs the user about the problem. It was decided not to enable blocking by default right away, because full testing is needed and possible problems have to be worked around. In the future, it is also planned to add digital signature verification to confirm the origin of theme and plugin installations (developers will be able to sign releases with their own key).

Besides digital signature support, the following changes in WordPress 5.2 can be noted:

  • Two new pages have been added to the "Site Health" section to help resolve common problems, and an interface has been provided through which plugin developers can leave debugging information for site administrators;
  • An extended implementation of the "white screen of death", shown when fatal errors occur, which helps the administrator fix problems caused by plugins or themes on their own by switching to a special recovery mode;
  • A system for checking compatibility with installed plugins, which automatically checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version to work, the system will prevent that plugin from being enabled;
  • Added support for building modules with JavaScript code using webpack and Babel;
  • Added a new privacy-policy.php template that allows the contents of the privacy policy page to be changed;
  • For themes, the wp_body_open hook handler has been added, allowing code to be embedded immediately after the body tag;
  • The minimum PHP version requirement has been raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
  • Added 13 new icons.

Additionally, one can note the discovery of a critical vulnerability in the WordPress plugin WP Live Chat (CVE-2019-11185). The vulnerability allows PHP code to be stored on the server. The plugin is used on more than 27 thousand sites to organize chats with visitors, including the corporate sites of companies such as IKEA, Adobe, Huawei, PayPal, Tele2 and McDonald's (Live Chat is typically used to set up the annoying pop-up chat windows on corporate sites that offer a chat with a staff member).

The vulnerability lies in the code for uploading files to the server and allows the check of allowed file types to be bypassed, so that PHP scripts can be placed on the server and then executed directly via the web. Interestingly, a similar vulnerability (CVE-2018-12426) had already been identified in Live Chat last year; it allowed PHP code to be uploaded under the guise of an image by specifying a different type in the Content-type field. As part of the fix, additional whitelist and MIME type checks were added. As it turned out, these checks were implemented incorrectly and are easy to bypass.

In particular, direct upload of files with the ".php" extension is prohibited, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blacklist. The whitelist allows images to be uploaded, but it could be bypassed by specifying a double extension, for example ".gif.phtml". To bypass the MIME type check, it was enough to place the string "GIF89a" at the beginning of the file, before the opening tag with the PHP code.
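As an added, defensive illustration (not the WP Live Chat code), here is a PHP upload filter written to close the three gaps just described; the function store_image_upload, the allowlist and the demo file are constructed, and it assumes ext-fileinfo and GD are available and that the destination directory is one the web server never executes scripts from.

```php
<?php
// Added example, not the plugin's own code: an allowlist-based upload filter
// closing the gaps described above (a blocklist missing ".phtml", a double
// extension such as ".gif.phtml", a "GIF89a" prefix defeating a MIME sniff).
// Assumes ext-fileinfo and GD; $destDir must be a non-executable directory.

const ALLOWED_IMAGE_TYPES = [
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
];

/** Store an uploaded image safely; returns the new path, or null to reject. */
function store_image_upload(string $originalName, string $tmpPath, string $destDir): ?string
{
    // 1. Allowlist the LAST extension only: "shot.gif.phtml" ends in "phtml",
    //    which is not listed, so it is rejected before any content check.
    $parts = explode('.', strtolower(basename($originalName)));
    $ext = count($parts) > 1 ? array_pop($parts) : '';
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    // 2. Sniff the bytes server-side instead of trusting the request header.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    // 3. Decode and re-encode through GD: a file that merely starts with
    //    "GIF89a" is rejected if it does not decode, and a genuine image is
    //    rewritten from pixel data, so text smuggled into it never reaches disk.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // 4. Never reuse the user's basename: random name plus allowlisted extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    switch ($ext) {
        case 'gif': $ok = imagegif($img, $dest); break;
        case 'png': $ok = imagepng($img, $dest); break;
        default:    $ok = imagejpeg($img, $dest); break;
    }
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Demo with a constructed 1x1 PNG: accepted under "shot.png", rejected at
// step 1 when the same bytes arrive as "shot.gif.phtml".
$tmp = tempnam(sys_get_temp_dir(), 'up');
$png = imagecreatetruecolor(1, 1); imagepng($png, $tmp); imagedestroy($png);
var_dump(store_image_upload('shot.png', $tmp, sys_get_temp_dir()) !== null);
var_dump(store_image_upload('shot.gif.phtml', $tmp, sys_get_temp_dir()));
```

The extension allowlist in step 1 is the decisive control, since the web server decides what to execute by extension; the content checks only reduce what an accepted image can carry.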

Source: opennet.ru
