WordPress 5.2 released with support for verifying digital signatures on updates

The release of the WordPress 5.2 web content management system has been published. The release is notable for completing a six-year effort to implement verification of updates and add-ons using digital signatures.

Until now, when installing updates in WordPress, the main security factor was trust in the WordPress infrastructure and servers (after downloading, the hash was checked, but the source was not verified). If the project's servers were compromised, attackers could substitute an update and distribute malicious code to WordPress-based sites that use the automatic update system. Under the previously used trust-based delivery model, such a substitution would have gone unnoticed on the user side.

Given that, according to the w3techs project, the WordPress platform is used on 33.8% of sites on the web, such an incident could have reached catastrophic proportions. At the same time, the risk of infrastructure compromise was not hypothetical but real. For example, a few years ago one security researcher demonstrated a vulnerability that allowed an attacker to execute their code on the server side of api.wordpress.org.

With digital signatures, gaining control over the distribution server would not lead to the compromise of user systems, since to carry out an attack one would also need to obtain the separate private key with which the updates are signed.

Implementing signature-based verification of updates was complicated by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only recently, thanks to the integration of the Libsodium library into the main PHP 7.2 branch. But the minimum supported PHP version in WordPress was still release 5.2.4 (raised to 5.6.20 as of WordPress 5.2). Enabling support for digital signatures would have meant a significant increase in the minimum supported PHP version requirement or the addition of external dependencies, which the developers could not do given the spread of PHP versions on hosting systems.

The solution was the development and inclusion in WordPress 5.2 of a compact version of Libsodium, Sodium Compat, which implements in PHP the minimal set of algorithms needed for verifying digital signatures. The implementation leaves much to be desired in terms of performance, but it completely solves the compatibility problem and also allows plugin developers to start using modern cryptographic algorithms.

The algorithm used to produce the digital signature is Ed25519, developed with the participation of Daniel J. Bernstein. The digital signature is generated over the SHA384 hash value computed from the contents of the update archive. Ed25519 offers a higher level of security than ECDSA and DSA, and demonstrates very high speed of signature verification and generation. The resistance of Ed25519 to attack is about 2^128 (on average, an attack on Ed25519 requires 2^140 bit operations), which corresponds to the strength of algorithms such as NIST P-256 and RSA with a 3000-bit key, or a 128-bit block cipher. Ed25519 is also not affected by hash-collision problems and is not susceptible to cache-timing or side-channel attacks.

In the WordPress 5.2 release, digital signature verification currently covers only major platform updates and does not block the update on failure, but only notifies the user of the problem. It was decided not to enable blocking by default for now, to allow full testing and to avoid problems that might arise. In the future, it is also planned to extend digital signature verification to confirm the source of installed themes and plugins (developers will be able to sign releases with their own key).
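As an added illustration (not WordPress's or Sodium Compat's own code), the following PHP shows the scheme described above with the sodium extension: an Ed25519 detached signature over the raw SHA-384 digest of the archive bytes, and the "warn or block" decision that WordPress 5.2 currently resolves as "warn". The key pair, the archive bytes and the $blockOnFailure flag are constructed for the example.

```php
<?php
// Added example (not WordPress code): Ed25519 signature over the SHA-384 digest
// of an update archive, as described above, plus a "warn or block" policy switch.
// The key pair, archive bytes and the $blockOnFailure flag are constructed here.

/** Raw (binary) SHA-384 digest of the archive contents. */
function archive_digest(string $archiveBytes): string
{
    return hash('sha384', $archiveBytes, true);
}

/** Publisher side: sign the digest with the Ed25519 secret key (kept offline). */
function sign_update(string $archiveBytes, string $secretKey): string
{
    return sodium_crypto_sign_detached(archive_digest($archiveBytes), $secretKey);
}

/** Client side: verify the detached signature against a pinned public key. */
function verify_update(string $archiveBytes, string $signature, string $publicKey): bool
{
    // sodium throws on malformed lengths; treat that as a plain failure instead
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, archive_digest($archiveBytes), $publicKey);
}

/** Policy: WordPress 5.2 only warns on a bad signature; $blockOnFailure models a stricter mode. */
function update_decision(bool $signatureOk, bool $blockOnFailure): string
{
    if ($signatureOk) {
        return 'install';
    }
    return $blockOnFailure ? 'block' : 'install-with-warning';
}

// Demo with a constructed key pair and constructed archive bytes.
$keyPair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keyPair);
$publicKey = sodium_crypto_sign_publickey($keyPair);
$archive   = "constructed-update-archive-bytes";
$signature = sign_update($archive, $secretKey);

$genuine  = verify_update($archive, $signature, $publicKey);        // untouched archive
$tampered = verify_update($archive . "x", $signature, $publicKey);  // one byte appended
echo update_decision($genuine, true), "\n";
echo update_decision($tampered, false), "\n";  // 5.2 default behaviour: warn, still install
```

The public key must be pinned in the client code, not fetched from the same server that serves the archive; otherwise a compromised distribution server could simply ship a matching key.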

Besides support for digital signatures, the following changes in WordPress 5.2 can be noted:

  • Two new pages were added to the "Site Health" section for diagnosing common configuration problems, and a form is provided through which developers can leave debugging information for site administrators;
  • Built-in protection against the "white screen of death" was added; it is shown when fatal errors occur and helps the administrator fix problems related to plugins or themes by switching to a special fallback recovery mode;
  • A plugin compatibility check was implemented, which automatically checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version to work, the system automatically blocks installation of that plugin;
  • Added support for building modules with JavaScript code using webpack and Babel;
  • Added a new privacy-policy.php template that allows the content of the privacy policy page to be customised;
  • For themes, a wp_body_open hook was added, allowing code to be inserted immediately after the body tag;
  • The minimum required PHP version was raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
  • Added 13 new icons.

Additionally, worth noting is the discovery of a critical vulnerability in the WordPress plugin WP Live Chat (CVE-2019-11185). The vulnerability allows arbitrary PHP code to be executed on the server. The plugin is used on more than 27 thousand sites to organise interactive chats with visitors, including on the sites of companies such as IKEA, Adobe, Huawei, PayPal, Tele2 and McDonald's (Live Chat is typically used to implement those annoying pop-up chats on company sites offering to talk with an employee).

The problem lies in the code for uploading files to the server and allows the check of permitted file types to be bypassed and a PHP script to be uploaded to the server and then executed directly via the web. Interestingly, a year ago a similar vulnerability had already been identified in Live Chat (CVE-2018-12426), which allowed PHP code to be uploaded under the guise of an image by specifying a different content type in the Content-Type field. As part of the fix, additional whitelist and MIME content-type checks were added. As it turned out, these checks were implemented incorrectly and can be bypassed easily.

Specifically, direct upload of files with the ".php" extension is prohibited, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blacklist. The whitelist only permits uploading images, but it can be bypassed by specifying a double extension, for example ".gif.phtml". To pass the MIME-type check, it was enough to put the string "GIF89a" at the beginning of the file, before the opening tag with the PHP code.
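To make the failure mode concrete, here is an added PHP example (not the plugin's code) that models the weak check as the text describes it beside a hardened version: the hardened check allowlists only the final extension, rejects names with more than one extension, matches the magic bytes against that extension, and lets the server choose the stored name. The file names and contents are constructed.

```php
<?php
// Added example (not the plugin's code): a model of the flawed upload check
// described above next to a hardened version. File names and contents are constructed.

/** Model of the weak check: extension blacklist, any-part whitelist, header bytes only. */
function weak_upload_allowed(string $name, string $contents): bool
{
    $blacklist = ['php'];                 // ".phtml" never made it onto the list
    $whitelist = ['gif', 'png', 'jpg'];
    $parts = explode('.', strtolower(basename($name)));
    if (in_array(end($parts), $blacklist, true)) {
        return false;
    }
    $looksLikeImage = count(array_intersect($parts, $whitelist)) > 0; // any part will do
    $magicOk = strncmp($contents, "GIF89a", 6) === 0;                 // first bytes only
    return $looksLikeImage && $magicOk;
}

/**
 * Hardened check: exactly one extension, allowlisted, magic bytes matching that
 * extension, and a server-generated name so the client never picks the suffix.
 * Returns the storage name, or null to reject.
 */
function hardened_upload_name(string $name, string $contents): ?string
{
    $allowed = ['gif' => 'GIF8', 'png' => "\x89PNG", 'jpg' => "\xFF\xD8\xFF"];
    $base = strtolower(basename($name));
    if (substr_count($base, '.') !== 1) {      // rejects "image.gif.phtml"
        return null;
    }
    $ext = pathinfo($base, PATHINFO_EXTENSION);
    if (!isset($allowed[$ext])) {               // allowlist of the final extension
        return null;
    }
    if (strncmp($contents, $allowed[$ext], strlen($allowed[$ext])) !== 0) {
        return null;
    }
    // Magic bytes are a hint, not proof: the upload directory must also have
    // script execution disabled (or sit outside the web root) for this to be safe.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed probe: image header followed by non-image content.
$name     = 'avatar.gif.phtml';
$contents = "GIF89a" . "<!-- constructed non-image placeholder -->";

var_dump(weak_upload_allowed($name, $contents));                      // weak check accepts it
var_dump(hardened_upload_name($name, $contents));                     // null: two extensions
var_dump(hardened_upload_name('avatar.gif', "GIF89a...") !== null);   // plausible image passes
```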

Source: opennet.ru
