Vulnerability in php-fpm that allows remote code execution on the server

Corrective releases of PHP 7.3.11, 7.1.33 and 7.2.24 are available, fixing a critical vulnerability (CVE-2019-11043) in the PHP-FPM (FastCGI Process Manager) extension that allows remote execution of arbitrary code on the system. A working exploit against servers that use PHP-FPM to run PHP scripts in conjunction with Nginx is already publicly available.

The attack is possible in nginx configurations where forwarding to PHP-FPM is done by splitting the URL into parts with the "fastcgi_split_path_info" directive and defining the PATH_INFO environment variable, but without first checking that the file exists with the "try_files $fastcgi_script_name" directive or with "if (!-f $document_root$fastcgi_script_name)". Among others, the problem shows up in the configurations recommended for the NextCloud platform. For example, configurations of the following form are vulnerable:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can track the fix for this problem in distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a security workaround, after the "fastcgi_split_path_info" line you can add a check for the existence of the requested PHP file:

try_files $fastcgi_script_name =404;
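A small audit script for the pattern described above, added here as an example and not part of the original advisory: it walks the location blocks of an nginx configuration and flags those that combine fastcgi_split_path_info with a PATH_INFO parameter but carry neither of the two existence checks named above. The two embedded configurations are constructed samples (the vulnerable block from the advisory and the same block with the try_files guard).

```python
import re

# Constructed samples: the vulnerable block from the advisory, and the same
# block with the recommended try_files guard inserted after the split.
VULNERABLE_CONF = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

HARDENED_CONF = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

LOC_RE = re.compile(r"\blocation\b([^{]*)\{")


def location_blocks(conf):
    """Yield (header, body) for every location block, matching nested braces."""
    conf = re.sub(r"#.*", "", conf)  # drop comments so commented-out lines don't count
    for m in LOC_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]


def has_existence_check(body):
    """True if the block verifies the script exists before passing it to PHP-FPM."""
    return bool(re.search(r"try_files\s+[^;]*\$fastcgi_script_name", body)
                or re.search(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)", body))


def vulnerable_blocks(conf):
    """Return the headers of location blocks matching the CVE-2019-11043 pattern."""
    hits = []
    for header, body in location_blocks(conf):
        splits_path = "fastcgi_split_path_info" in body
        sets_path_info = re.search(r"fastcgi_param\s+PATH_INFO\b", body) is not None
        if splits_path and sets_path_info and not has_existence_check(body):
            hits.append(header)
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_blocks(VULNERABLE_CONF))
    print("hardened:", vulnerable_blocks(HARDENED_CONF))
```

Point vulnerable_blocks at the contents of a real nginx.conf (and its included files) to get the headers of the blocks that still need the try_files line.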

The problem is caused by an error in pointer manipulation in the file sapi/fpm/fpm/fpm_main.c. When the pointer is assigned, it is assumed that the value of the PATH_INFO environment variable contains a prefix matching the path to the PHP script.
If the fastcgi_split_path_info directive splits the path to the script with a regular expression that is sensitive to newline characters (for example, many recommended examples use "^(.+?\.php)(/.*)$"), an attacker can get an empty value written to the PATH_INFO environment variable. In that case, execution continues by writing a zero to path_info[0] and calling FCGI_PUTENV.

By requesting a specially formed URL, an attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to that byte moves the "char* pos" pointer to a preceding memory area. The subsequent FCGI_PUTENV call will then overwrite the data in this memory with a value the attacker controls. The same memory also holds the values of other FastCGI variables, and by overwriting their data the attacker can create a fake PHP_VALUE variable and achieve execution of their code.

Source: opennet.ru
