Maintainer accounts of 14 PHP libraries taken over in the Packagist repository

The maintainers of the Packagist package repository have disclosed an attack in which the maintainer accounts of 14 PHP libraries were taken over, including such popular packages as instantiator (526 million installs in total, 8 million per month, 14 thousand dependent packages), sql-formatter (94 million installs in total, 800 thousand per month, 323 dependent packages), doctrine-cache-bundle (73 million in total, 500 thousand per month, 109 dependent packages) and qrcode-detector-decoder (20 million installs in total, 400 thousand per month, 348 dependent packages).

After taking over the accounts, the attacker modified the composer.json file of each package, adding to the project description field a note that he was looking for a job in information security. To get the modified composer.json served, the attacker replaced the URLs of the original repositories in the Packagist package settings with links to modified forks. Packagist only serves metadata containing links to the projects' GitHub repositories; when "composer install" or "composer update" runs, the packages themselves are fetched directly from GitHub, so whoever controls the repository URL recorded on Packagist controls the code that is installed under the package name. For example, for the acmephp package the linked repository was changed from acmephp/acmephp to neskafe3v1/acmephp.
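A repository redirect of this kind leaves a trace in composer.lock, because the lock file records the source URL of every installed package. The script below is an added example and is not code from the original article, from Packagist or from Composer. It reports packages whose GitHub account is neither the package vendor nor on an allowlist, and packages whose GitHub account changed between two lock files, which is the check a CI job would run on every lock-file change. The lock files in it are constructed sample data built around the acmephp/acmephp to neskafe3v1/acmephp change described above; the allowlist and the psr/log entry are illustrative.

```python
"""Lock-file check for repository redirects (added example, not project code).

Reads composer.lock (plain JSON), extracts the GitHub account behind each
package's source URL and reports
  (a) packages whose account is neither the vendor nor allowlisted, and
  (b) packages whose account changed between two lock-file revisions.
Sample lock files, the allowlist and the psr/log entry are constructed data.
"""
import json
import re

# Matches https://, git://, ssh:// and scp-style GitHub URLs; group 1 is the
# account (user or organisation) that owns the repository.
GITHUB_RE = re.compile(
    r"^(?:https?://|git://|ssh://git@|git@)github\.com[:/]"
    r"([^/]+)/([^/]+?)(?:\.git)?/?$"
)


def repo_owner(url):
    """GitHub account owning a repository URL, or None for non-GitHub URLs."""
    m = GITHUB_RE.match(url)
    return m.group(1) if m else None


def _git_sources(lock_text):
    """Yield (package name, source url) for every git-sourced package."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source") or {}
        if src.get("type") == "git" and src.get("url"):
            yield pkg["name"], src["url"]


def suspicious_packages(lock_text, allowlist=None):
    """Packages whose GitHub account is not the vendor name and not allowlisted.

    Returns a list of (name, expected account, actual account, url).
    """
    allowlist = allowlist or {}
    findings = []
    for name, url in _git_sources(lock_text):
        owner = repo_owner(url)
        if owner is None:
            continue  # hosted elsewhere; not covered by this check
        expected = allowlist.get(name, name.split("/", 1)[0])
        if owner.lower() != expected.lower():
            findings.append((name, expected, owner, url))
    return findings


def owner_changes(old_lock_text, new_lock_text):
    """Packages whose GitHub account differs between two lock files.

    Newly added packages have no old owner and are not reported here;
    a package that moved off GitHub is reported with new owner None.
    """
    old = {n: repo_owner(u) for n, u in _git_sources(old_lock_text)}
    changes = []
    for name, url in _git_sources(new_lock_text):
        new_owner = repo_owner(url)
        old_owner = old.get(name)
        if old_owner is not None and new_owner != old_owner:
            changes.append((name, old_owner, new_owner))
    return changes


def _lock(entries):
    """Build a minimal composer.lock document from (name, source url) pairs."""
    return json.dumps({
        "packages": [
            {"name": n, "version": "1.0.0",
             "source": {"type": "git", "url": u, "reference": "0" * 40}}
            for n, u in entries
        ],
        "packages-dev": [],
    })


# Constructed sample lock files: NEW_LOCK reflects the acmephp redirect; the
# psr/log entry is a legitimate vendor/account mismatch (hosted under php-fig).
OLD_LOCK = _lock([
    ("acmephp/acmephp", "https://github.com/acmephp/acmephp.git"),
    ("doctrine/instantiator", "https://github.com/doctrine/instantiator.git"),
    ("psr/log", "git@github.com:php-fig/log.git"),
])
NEW_LOCK = _lock([
    ("acmephp/acmephp", "https://github.com/neskafe3v1/acmephp.git"),
    ("doctrine/instantiator", "https://github.com/doctrine/instantiator.git"),
    ("psr/log", "git@github.com:php-fig/log.git"),
])

# Hypothetical allowlist: accounts known to differ legitimately from the vendor.
ALLOWLIST = {"psr/log": "php-fig"}

if __name__ == "__main__":
    for name, expected, owner, url in suspicious_packages(NEW_LOCK, ALLOWLIST):
        print(f"{name}: expected account {expected}, got {owner} ({url})")
    for name, old_owner, new_owner in owner_changes(OLD_LOCK, NEW_LOCK):
        print(f"{name}: repository owner changed {old_owner} -> {new_owner}")
```

In CI the old lock file would come from `git show HEAD~1:composer.lock` and the new one from the working tree. A first run of suspicious_packages() on a real project will surface many legitimate vendor/account mismatches (psr/log under php-fig, for instance), which is what the allowlist is for; owner_changes() is the check that catches a redirect like the one above on the day it happens, since the account behind an established package almost never changes.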

Apparently the attack was not carried out to perform malicious actions, but as a demonstration of how dangerous a careless attitude to reusing credentials across different sites is. At the same time, contrary to established "ethical hacking" practice, the attacker did not notify the library developers or the repository administrators of the experiment in advance. The attacker later stated that, once he had found a job, he would publish a detailed report on the methods used in the attack.

According to the information published by the Packagist administrators, all of the accounts managing the affected packages used easy-to-brute-force passwords and did not have two-factor authentication enabled. It is assumed that the hijacked accounts used passwords that had been reused not only on Packagist but also on other services whose password databases had previously been compromised and made public. Taking over account owners' email addresses tied to expired domains could also have been used as a way to gain access.

Compromised packages (installs over the package's lifetime in parentheses):

  • acmephp/acmephp (124,860)
  • acmephp/core (419,258)
  • acmephp/ssl (531,692)
  • doctrine/doctrine-cache-bundle (73,490,057)
  • doctrine/doctrine-module (5,516,721)
  • doctrine/doctrine-mongo-odm-module (516,441)
  • doctrine/doctrine-orm-module (5,103,306)
  • doctrine/instantiator (526,809,061)
  • growthbook/growthbook (97,568)
  • jdorn/file-system-cache (32,660)
  • jdorn/sql-formatter (94,593,846)
  • khanamiryan/qrcode-detector-decoder (20,421,500)
  • object-calisthenics/phpcs-calisthenics-rules (2,196,380)
  • tga/simhash-php, tgalopin/simhashphp (30,555)

Source: opennet.ru
