Until now, when installing updates in WordPress, the main security measure was trust in the WordPress infrastructure and servers (after downloading, only the hash was checked, without verifying where the package came from). If the project's servers were compromised, attackers could substitute an update and distribute malicious code to WordPress-based sites that use the automatic update system. Given the trust-based delivery model used until now, such a substitution could go unnoticed on the user side.
Considering the fact that
In the case of digital signatures, gaining control over the distribution server would not lead to the compromise of user systems, since to carry out an attack one would also need to obtain the separate private key with which updates are signed.
The implementation of update-origin verification using a digital signature was complicated by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only recently. The required cryptographic algorithms appeared thanks to the inclusion of the library
The solution was
The algorithm used to generate the digital signature
In the WordPress 5.2 release, digital signature verification currently covers only major platform updates and does not block an update outright, but only notifies the user about the problem. It was decided not to enable blocking by default right away because of the need for a full check and bypass
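The check the text describes, as an added example written by the editor rather than code from WordPress itself: a downloaded package is verified against a detached signature and a pinned public key, and the result is fed into a policy step that mirrors the 5.2 behaviour (notify on failure) beside the stricter blocking mode the text says is not yet the default. The page's truncated lines do not name the library or algorithm; the example assumes the detached-signature functions of PHP's sodium extension as the primitive, and the key pair, package bytes and signature are constructed inside the script.

```php
<?php
// Added example (editor's code, not WordPress's own updater). It assumes the
// detached-signature functions of PHP's sodium extension as the primitive;
// the key pair, package bytes and signature below are constructed for the demo.

// Verify a downloaded package against a detached signature and a pinned
// public key. A hash alone (the pre-5.2 check) only proves the bytes match
// what the same server advertised; the signature ties them to the key holder.
function verify_update_package(string $package, string $signatureB64, string $publicKeyHex): bool
{
    if (!function_exists('sodium_crypto_sign_verify_detached')) {
        return false;                                   // no verifier available: treat as unverified
    }
    $signature = base64_decode($signatureB64, true);
    $publicKey = hex2bin($publicKeyHex);
    if ($signature === false || $publicKey === false
        || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;                                   // malformed input is a failure, not a skip
    }
    return sodium_crypto_sign_verify_detached($signature, $package, $publicKey);
}

// Policy step: WordPress 5.2 notifies rather than blocks on failure. The
// $enforce flag stands in for the stricter mode that is not yet the default.
function update_decision(bool $verified, bool $enforce): string
{
    if ($verified) {
        return 'install';
    }
    return $enforce ? 'block' : 'install-and-warn';
}

// --- constructed demo: the signing key would live with the release process,
// and only the public key (as hex) would be shipped inside the client ---
$keyPair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keyPair);
$publicHex = bin2hex(sodium_crypto_sign_publickey($keyPair));

$package   = "constructed-update-package-bytes";
$sigB64    = base64_encode(sodium_crypto_sign_detached($package, $secretKey));

// Scenario from the text: the package is swapped on the server, the signature is not.
$tampered  = $package . "x";

echo update_decision(verify_update_package($package, $sigB64, $publicHex), false), PHP_EOL;
echo update_decision(verify_update_package($tampered, $sigB64, $publicHex), false), PHP_EOL;
echo update_decision(verify_update_package($tampered, $sigB64, $publicHex), true), PHP_EOL;
```

Run with PHP 7.2 or newer (or with the sodium polyfill providing the same function names). The genuine package verifies and is installed; the swapped package fails verification, which in notify-only mode still installs but raises a warning, and in enforcing mode is blocked. Length checks before the library call are deliberate: a truncated signature or key should be reported as a failed verification rather than as an exception that a caller might catch and ignore.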
Besides support for digital signatures in WordPress 5.2, the following changes can be noted:
- Two new pages were added to the "Site Health" section for diagnosing common configuration problems, and a form was also provided through which developers can leave debugging information for site administrators;
- Added protection against the "white screen of death", shown when fatal errors occur, which helps the administrator fix problems related to plugins or themes by switching to a special fallback recovery mode;
- A plugin compatibility check system was implemented, which checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version to work, the system automatically blocks installation of that plugin;
- Added support for building modules with JavaScript code using webpack and Babel;
- Added a new privacy-policy.php template that allows customizing the content of the privacy policy page;
- For themes, a wp_body_open hook handler was added, allowing code to be inserted immediately after the body tag;
- The minimum PHP version requirement was raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
- Added 13 new images.
Additionally, one can note
The problem lies in the code for uploading files to the server and allows the file type check to be bypassed and a PHP script to be uploaded to the server, which can then be executed directly via the web. Notably, a similar vulnerability was already identified in Live Chat last year (CVE-2018-12426); it allowed PHP code to be uploaded under the guise of an image by specifying a different content type in the Content-Type field. As part of the fix, additional checks against a whitelist and the MIME content type were added. As it turns out, these checks are implemented incorrectly and can be bypassed easily.
In particular, direct upload of files with the ".php" extension is prohibited, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blacklist. The whitelist allows only images to be uploaded, but it can be bypassed by specifying a double extension, for example ".gif.phtml". To bypass the MIME type check, it was enough to put the string "GIF89a" at the beginning of the file, before the opening tag with the PHP code.
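The two checks the text describes (a blacklist that misses ".phtml", a whitelist matched anywhere in the name, and a magic-bytes sniff that "GIF89a" satisfies) beside a hardened filter, as an added example written by the editor and not code from the Live Chat plugin. Function names are hypothetical, and the file names and byte strings are constructed inline so the script runs offline.

```php
<?php
// Added example (editor's code, not the Live Chat plugin's). The weak filter
// reproduces the checks the text describes; the hardened one shows the
// defender's fix. Function names are hypothetical; inputs are constructed.

const IMAGE_EXTENSIONS = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Weak filter: blacklists ".php" only, accepts an image extension appearing
// anywhere in the name, and trusts the first bytes of the content.
function weak_upload_allowed(string $clientName, string $bytes): bool
{
    $lower = strtolower($clientName);
    if (substr($lower, -4) === '.php') {
        return false;                          // ".phtml" is not on this blacklist
    }
    if (!preg_match('/\.(gif|jpe?g|png)/', $lower)) {
        return false;                          // "x.gif.phtml" still matches here
    }
    return strncmp($bytes, 'GIF89a', 6) === 0  // "GIF89a<?php ..." passes this sniff
        || strncmp($bytes, "\x89PNG", 4) === 0
        || strncmp($bytes, "\xFF\xD8\xFF", 3) === 0;
}

// Hardened filter: returns the server-side name to store the file under, or null.
function hardened_upload_name(string $clientName, string $bytes): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2) {
        return null;                           // no extension at all
    }
    array_shift($parts);                       // drop the stem, keep every extension segment
    // Every segment must be an allowed image extension, so neither "a.gif.phtml"
    // nor "a.phtml.gif" (which Apache's multi-extension handling may execute) passes.
    foreach ($parts as $ext) {
        if (!isset(IMAGE_EXTENSIONS[$ext])) {
            return null;
        }
    }
    $ext = end($parts);
    // Content check over the whole buffer via libmagic. This is a secondary
    // signal only: a polyglot such as "GIF89a<?php" still sniffs as image/gif,
    // which is exactly why the extension rule above has to be the real control.
    $mime = finfo_buffer(finfo_open(FILEINFO_MIME_TYPE), $bytes);
    if ($mime !== IMAGE_EXTENSIONS[$ext]) {
        return null;
    }
    // Never reuse the client-supplied name: store under a random name with a
    // single canonical extension, in a directory where script execution is off.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// --- constructed inputs ---
$polyglot = "GIF89a<?php echo 'not an image'; ?>";        // text's bypass shape, benign payload
$realGif  = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xFF\xFF\xFF"
          . "\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"
          . "\x02\x02\x44\x01\x00\x3B";                       // a minimal 1x1 GIF

var_dump(weak_upload_allowed('shell.gif.phtml', $polyglot));
var_dump(hardened_upload_name('shell.gif.phtml', $polyglot));
var_dump(hardened_upload_name('photo.gif', $realGif));
```

The weak filter accepts "shell.gif.phtml" with the polyglot body, which is the bypass the text describes; the hardened filter rejects it on the extension rule alone, before any content sniffing runs, and accepts the genuine GIF under a freshly generated name. Two design points carry the fix: an allowlist is applied to every extension segment rather than searched for anywhere in the name, and the stored file never inherits the uploader's name, so the interpreter mapping on the server cannot be reached through the extension at all.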
Source: opennet.ru