Kufooka mu laibulale ya PharStreamWrapper kumakhudza Drupal, Joomla ndi Typo3

Mu library Chithunzi cha PharStreamWrapper, yomwe imapatsa othandizira kuti atetezedwe akugwira kuwukira kudzera m'malo mwa fayilo mumtundu wa "Phar", kudziwika kusatetezeka (CVE-2019-11831), zomwe zimakulolani kuti mulambalale chitetezo cha code deerialization posintha zilembo za ".." panjira. Mwachitsanzo, wowukira atha kugwiritsa ntchito ulalo ngati "phar:///path/bad.phar/../good.phar" powukira, ndipo laibulale iwonetsa dzina loyambira "/path/good.phar" pomwe kuyang'ana, ngakhale pakukonzekera kwina kwa njira yotere Fayilo "/path/bad.phar" idzagwiritsidwa ntchito.

Laibulaleyi idapangidwa ndi omwe adapanga CMS TYPO3, komanso imagwiritsidwa ntchito m'mapulojekiti Drupal и Joomla, zomwe zimawapangitsanso kukhala pachiwopsezo. Vutoli lakonzedwa m'mafayilo PharStreamWrapper 2.1.1 ndi 3.1.1. Pulojekiti Drupal Yathetsa vutoli mu zosintha 7.67, 8.6.16 ndi 8.7.1. Joomla Vutoli lakhalapo kuyambira mtundu wa 3.9.3 ndipo linakonzedwa mu kutulutsidwa kwa 3.9.6. Kuti mukonze vutoli mu TYPO3, muyenera kusintha laibulale ya PharStreamWapper.

Kuchokera pamalingaliro othandiza, kufooka kwa PharStreamWapper kumalola wogwiritsa ntchito Drupal Core, yokhala ndi mwayi wa 'Administer theme', imakweza fayilo ya phar yoyipa ndikuyika khodi ya PHP yomwe ili mkati mwake, yobisika ngati archive yovomerezeka ya phar. Monga chikumbutso, kuukira kwa "Phar deserialization" kumagwira ntchito pochotsa metadata kuchokera ku mafayilo a Phar (PHP Archive) poyang'ana mafayilo othandizira omwe adakwezedwa a ntchito ya PHP file_exists() pokonza njira zoyambira ndi "phar://." Kusamutsa fayilo ya phar ngati chithunzi n'kotheka, popeza file_exists() imasankha mtundu wa MIME kutengera zomwe zili mu fayiloyo, osati kukulitsa kwake.

Source: opennet.ru

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster