Vulnerability in the Nostromo http server leading to remote code execution

A vulnerability (CVE-2019-16278) has been identified in the Nostromo http server (nhttpd) that allows an attacker to execute code remotely on the server by sending a specially crafted HTTP request. The issue will be fixed in release 1.9.7 (not yet published). According to data from the Shodan search engine, the Nostromo http server is used on about 2000 publicly accessible hosts.

The vulnerability is caused by an error in the http_verify function, which fails to block access to files outside the site directory when the sequence ".%0d./" is passed in the path. The problem arises because the check for the presence of the "../" characters is performed before path normalization, the step in which line-break characters (%0d) are removed from the path.
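The ordering defect described above, as an added illustration that is not Nostromo's own code: the traversal check is placed on either side of a normalization step that drops line-break bytes, and the same decoded path is run through both (the input is a constructed sample with "%0d" already decoded to '\r', as a request parser would do before http_verify).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy src to dst, dropping CR and LF bytes. This stands in for the
 * normalization step the advisory describes. dst needs strlen(src)+1 bytes. */
static void strip_crlf(char *dst, const char *src)
{
    for (; *src; src++)
        if (*src != '\r' && *src != '\n')
            *dst++ = *src;
    *dst = '\0';
}

/* True if the path still holds a parent-directory component. */
static bool has_dotdot(const char *path)
{
    return strstr(path, "../") != NULL;
}

/* Vulnerable ordering: the "../" check runs on the raw path, and only
 * afterwards are the CR bytes that hid "../" from the check removed. */
bool verify_check_then_normalize(const char *raw, char *out, size_t outlen)
{
    if (has_dotdot(raw) || strlen(raw) >= outlen)
        return false;               /* rejected */
    strip_crlf(out, raw);
    return true;                    /* accepted, yet out may now contain "../" */
}

/* Corrected ordering: normalize first, then check the bytes that will
 * actually be used to open the file. */
bool verify_normalize_then_check(const char *raw, char *out, size_t outlen)
{
    if (strlen(raw) >= outlen)
        return false;
    strip_crlf(out, raw);
    return !has_dotdot(out);
}

int main(void)
{
    const char *req = "/.\r./.\r./outside.txt";   /* constructed sample path */
    char buf[64];
    bool a = verify_check_then_normalize(req, buf, sizeof buf);
    printf("check-then-normalize: %s -> \"%s\"\n", a ? "accepted" : "rejected", buf);
    bool b = verify_normalize_then_check(req, buf, sizeof buf);
    printf("normalize-then-check: %s\n", b ? "accepted" : "rejected");
    return 0;
}
```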

To exploit the vulnerability, one can access /bin/sh instead of a CGI script and run any shell command by sending a POST request to the URI "/.%0d./.%0d./.%0d./.%0d./bin/sh" and passing the commands in the request body. Incidentally, a similar vulnerability (CVE-2011-0751) had already been fixed in Nostromo in 2011; it allowed an attack by sending the request "/..%2f..%2f..%2fbin/sh".

Source: opennet.ru
