Vulnerability in the Apache 2.4.49 http server that allows reading files outside the site root

An urgent release of the Apache http server, 2.4.50, has been published. It eliminates a 0-day vulnerability (CVE-2021-41773), already exploited in the wild, that allows access to files outside the site's root directory. Using the vulnerability, it is possible to retrieve arbitrary system files unrelated to the web documents, as long as they are readable by the user under which the http server runs. The developers were notified of the problem on September 17, but were only able to release the update today, after cases of the vulnerability being used to attack websites had been recorded on the net.

The severity of the vulnerability is reduced by the fact that the problem only appears in the recently released version 2.4.49 and does not affect any earlier releases. The stable branches of conservative server distributions (Debian, RHEL, Ubuntu, SUSE) have not yet adopted release 2.4.49, but the problem did affect continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

The vulnerability is caused by a bug introduced during a rewrite of the path normalization code for URIs, because of which the encoded dot "%2e" in a path was not normalized if it was preceded by another dot. As a result, it was possible to substitute raw "../" characters into the resulting path by specifying the sequence ".%2e/" in the request. For example, a request such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" allows obtaining the contents of the file "/etc/passwd".
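The normalization described above, as an added example that is not part of the original article: a small Python checker that fully decodes "%2e" before resolving dot segments (the step the 2.4.49 code skipped) and flags access-log requests whose normalized path climbs above the document root. The log lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic), Apache common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1817
203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199
198.51.100.2 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(raw):
    """Percent-decode the whole path first (so '.%2e' and '%2e%2e' both become '..'),
    then resolve '.' and '..' segments. Returns (normalized_path, escaped_root)."""
    decoded = unquote(raw.split("?", 1)[0])   # drop the query string, decode %2e etc.
    out = []
    escaped = False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            else:
                escaped = True   # '..' with nothing left to pop climbs above the root
        else:
            out.append(seg)
    return "/" + "/".join(out), escaped


def find_traversal(log_text):
    """Return (client_ip, raw_path) for every request whose normalized path leaves the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _, escaped = normalize_path(m.group("path"))
        if escaped:
            hits.append((line.split(" ", 1)[0], m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

A legitimate "../" that stays inside the root (the /docs/a/../b.html line) is not flagged, so the check reports escapes from the root rather than any use of dot segments.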

The problem does not occur if access to directories is explicitly denied with the "require all denied" setting. For example, for partial protection you can specify in the configuration file: `require all denied`

Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524) affecting the module that implements the HTTP/2 protocol. That vulnerability made it possible to trigger a null pointer dereference by sending a specially crafted request, causing the process to crash. This vulnerability also appears only in version 2.4.49. As a workaround, you can disable support for the HTTP/2 protocol.

Source: opennet.ru
