Vulnerability in the PharStreamWrapper library affecting Drupal, Joomla and TYPO3

A vulnerability (CVE-2019-11831) has been identified in the PharStreamWrapper library, which provides stream handlers to protect against attacks carried out by substituting a file in the "Phar" format. It allows the deserialization protection to be bypassed by inserting ".." components into the path. For example, an attacker can use a URL such as "phar:///path/bad.phar/../good.phar" in an attack: the library extracts the name "/path/good.phar" for its check, even though when such a path is subsequently processed the file "/path/bad.phar" is the one actually used.
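The mismatch described above, as an added illustration (this is not the PharStreamWrapper library's own code): a guard that collapses ".." before locating the archive ends up checking a different file from the one PHP's phar wrapper opens, which resolves the archive as the leftmost existing ".phar" component and treats the remainder as a path inside it. The file set, the allowlist and the function names are constructed for the example; the hardened check simply refuses ".." segments and resolves the archive the same way the wrapper does.

```python
"""Illustrative model of the CVE-2019-11831 path-resolution mismatch.

Added example, not the PharStreamWrapper library's own code. The filesystem
is a constructed in-memory set (assumption) so the script runs offline.
"""
import posixpath

# Constructed stand-in for the filesystem: these regular files exist.
EXISTING_FILES = frozenset({"/path/bad.phar", "/path/good.phar"})

# Archive the application has vetted and allows to be opened via phar://.
ALLOWED_ARCHIVES = frozenset({"/path/good.phar"})

ATTACK_URL = "phar:///path/bad.phar/../good.phar"


def strip_phar_prefix(url: str) -> str:
    """Return the plain path part of a phar:// URL."""
    prefix = "phar://"
    if not url.startswith(prefix):
        raise ValueError(f"not a phar URL: {url!r}")
    return url[len(prefix):]


def base_file_vulnerable(url: str, files=EXISTING_FILES):
    """The flawed approach: collapse '..' first, then look for the archive by
    popping segments from the right. For ATTACK_URL this yields /path/good.phar,
    which is the file the guard ends up inspecting."""
    path = posixpath.normpath(strip_phar_prefix(url))
    parts = path.split("/")
    while parts:
        candidate = "/".join(parts)
        if candidate in files:
            return candidate
        parts.pop()
    return None


def base_file_php_wrapper(url: str, files=EXISTING_FILES):
    """What PHP's built-in phar wrapper actually opens: the leftmost segment
    that names an existing archive. Everything after it is a path inside
    that archive, so '..' never switches to a different .phar. For
    ATTACK_URL this is /path/bad.phar."""
    parts = strip_phar_prefix(url).split("/")
    for i in range(1, len(parts) + 1):
        candidate = "/".join(parts[:i])
        if candidate in files:
            return candidate
    return None


def check_vulnerable(url: str, allowed=ALLOWED_ARCHIVES, files=EXISTING_FILES) -> bool:
    """Allowlist check built on the flawed resolver: passes for ATTACK_URL
    because it vets good.phar while bad.phar is what gets opened."""
    return base_file_vulnerable(url, files) in allowed


def check_hardened(url: str, allowed=ALLOWED_ARCHIVES, files=EXISTING_FILES) -> bool:
    """Allowlist check that (1) refuses any '..' segment outright and
    (2) resolves the archive the way the PHP wrapper does, so the file that
    is checked is the file that is opened."""
    parts = strip_phar_prefix(url).split("/")
    if ".." in parts:
        return False
    base = base_file_php_wrapper(url, files)
    return base is not None and base in allowed


if __name__ == "__main__":
    print("guard inspects          :", base_file_vulnerable(ATTACK_URL))
    print("PHP wrapper opens       :", base_file_php_wrapper(ATTACK_URL))
    print("vulnerable allows attack:", check_vulnerable(ATTACK_URL))
    print("hardened allows attack  :", check_hardened(ATTACK_URL))
```

Run with `python3 phar_resolution.py` (file name is arbitrary). The point of the two resolvers is that a security check is only meaningful if it inspects exactly the object the underlying runtime will act on; normalising a path before handing it to a wrapper that does not normalise the same way reintroduces the gap the check was meant to close.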

The library is developed by the TYPO3 CMS developers, but it is also used in the Drupal and Joomla projects, which makes them vulnerable as well. The issue is fixed in PharStreamWrapper releases 2.1.1 and 3.1.1. The Drupal project fixed the issue in updates 7.67, 8.6.16 and 8.7.1. In Joomla the problem is present starting from version 3.9.3 and is fixed in release 3.9.6. To fix the problem in TYPO3, the PharStreamWrapper library must be updated.

On the practical side, the vulnerability in PharStreamWrapper allows a Drupal Core user with the 'Administer theme' permission to upload a malicious file and have the PHP code it contains executed under the guise of a legitimate theme file. Recall that the essence of a "Phar deserialization" attack is that when uploaded helper files are checked with the PHP function file_exists(), that function automatically deserializes the metadata of Phar (PHP Archive) files when it handles paths beginning with "phar://". A phar file can be passed off as an image: the phar wrapper identifies the archive by its contents rather than by its extension, so a file that carries an image extension and passes an upload check is still treated as a Phar archive when accessed through "phar://".

Source: opennet.ru