Kusagadzikana kuri muraibhurari yePharStreamWrapper kunokanganisa Drupal, Joomla uye Typo3

Muraibhurari Sravana Sameeralu Serial XNUMXth PharStreamWrapper, kupa vanobata kudzivirira kubva kubata kurwisa kuburikidza nekutsiviwa kwemafaira mu "Phar" fomati, kuzivikanwa vulnerability (CVE-2019-11831), iyo inobvumira kudarika kudzivirira kubva kukodhi deerialization nekutsiva mavara ".." munzira. Semuenzaniso, munhu anorwisa anogona kushandisa URL yefomu "phar:///path/bad.phar/../good.phar" pakurwisa, uye raibhurari ichasarudza zita rekutanga "/path/good.phar" panguva yekuongorora, kunyangwe panguva yekumwe kugadzirisa nzira yakadaro faira "/path/bad.phar" ichashandiswa.

Raibhurari iyi yakagadzirwa nevagadziri veCMS TYPO3, asi inoshandiswawo mumapurojekiti Drupal и Joomla, izvo zvinoita kuti vavewo panjodzi. Dambudziko iri rinogadziriswa muzvinyorwa zvakaburitswa PharStreamWrapper 2.1.1 uye 3.1.1Purojekiti Drupal Dambudziko iri rakagadziriswa muzvitsva 7.67, 8.6.16 uye 8.7.1. Joomla Dambudziko iri rave riripo kubvira pavhezheni 3.9.3 uye rakagadziriswa pakuburitswa 3.9.6. Kuti ugadzirise dambudziko iri muTYPO3, unofanirwa kugadzirisa raibhurari yePharStreamWapper.

Kubva pamaonero anoshanda, kushaya simba muPharStreamWapper kunobvumira mushandisi Drupal Core, ine kodzero dze 'Administer theme', inorodha faira rePhar rine njodzi uye inoita kodhi yePHP iri mukati, yakavanzika seyakachengetedzwa. Sechiyeuchidzo, kurwiswa kwe "Phar deserialization" kunoshanda nekubvisa otomatiki metadata kubva kumafaira ePhar (PHP Archive) pakutarisa mafaira erubatsiro akaiswa ebasa rePHP file_exists() pakugadzirisa nzira dzinotanga na "phar://." Kutamisa faira rePhar semufananidzo kunogoneka, sezvo file_exists() ichisarudza mhando yeMIME zvichibva pane zviri mukati mefaira, kwete kuwedzera kwaro.

Source: opennet.ru

Tenga inovimbika yekutambira kwemasaiti ane DDoS dziviriro, VPS VDS maseva 🔥 Tenga webhusaiti yakavimbika ine dziviriro yeDDoS, maseva eVPS VDS | ProHoster