Vulnerability in the node-netmask NPM package, used in 270 thousand projects

The node-netmask NPM package, which has 3 million downloads per week and is used as a dependency by more than 270 thousand projects on GitHub, has a vulnerability (CVE-2021-28918) that allows an attacker to bypass checks that use netmask to determine whether an address falls within a given address range or to filter addresses. The issue is fixed in the node-netmask 2.0.0 release.

The vulnerability makes it possible to treat an external IP address as an address on the internal network and vice versa, and, given certain application logic that relies on the node-netmask module, to carry out SSRF (Server-side request forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks in order to reach resources on the internal network and to include external or local files in the attack chain. The problem is that, according to the specification, address string components that begin with a zero must be interpreted as octal numbers, but the node-netmask module does not take this into account and treats them as decimal numbers.

For example, an attacker can request a local resource by specifying the value "0177.0.0.1", which is equivalent to "127.0.0.1", but the "node-netmask" module discards the leading zero and treats "0177.0.0.1" as "177.0.0.1", so an application that checks access rules cannot detect that the address is really "127.0.0.1". Conversely, an attacker can specify the address "0127.0.0.1", which should be equivalent to "87.0.0.1", but which the "node-netmask" module treats as "127.0.0.1". Likewise, a check for access to an intranet address can be fooled by specifying a value such as "012.0.0.1" (equivalent to "10.0.0.1", but resolved as 12.0.0.1 during the check).
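The following is an added illustration and is not code from the node-netmask module or from the article. It models the two behaviours described above: a lenient parser that strips leading zeros and reads every octet as decimal (the behaviour attributed to netmask before the fix), next to a strict parser that follows the inet_aton convention (a leading zero means octal, a 0x prefix means hexadecimal). A minimal CIDR matcher is built on top so the three example addresses can be run through a loopback and a 10.0.0.0/8 check. The function names and the simplified matcher are this example's own assumptions.

```javascript
// Constructed example: octal-vs-decimal parsing of dotted IPv4 strings and
// the effect on a CIDR membership check. Not node-netmask's own code.

function parseOctetLenient(s) {
  // Models the vulnerable behaviour: "0177" -> 177, "012" -> 12.
  if (!/^[0-9]+$/.test(s)) return NaN;
  return parseInt(s, 10);
}

function parseOctetStrict(s) {
  // inet_aton convention: leading zero means octal, 0x means hex.
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);     // "0177" -> 127
  if (/^0$|^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN;                                         // e.g. "08" is invalid octal
}

// Convert a dotted-quad string to an unsigned 32-bit integer, or NaN on error.
function ipToLong(ip, parseOctet) {
  const parts = ip.split('.');
  if (parts.length !== 4) return NaN;
  let n = 0;
  for (const p of parts) {
    const v = parseOctet(p);
    if (!Number.isInteger(v) || v < 0 || v > 255) return NaN;
    n = n * 256 + v;
  }
  return n;
}

function longToIp(n) {
  return [24, 16, 8, 0].map(sh => (n >>> sh) & 255).join('.');
}

// The address as the given parser actually understands it.
function canonical(ip, parseOctet) {
  const n = ipToLong(ip, parseOctet);
  return Number.isNaN(n) ? null : longToIp(n);
}

// Simplified CIDR check; the base address uses the same parser as the input.
function inCidr(ip, cidr, parseOctet) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const a = ipToLong(ip, parseOctet);
  const b = ipToLong(base, parseOctet);
  if (Number.isNaN(a) || Number.isNaN(b)) return false;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

const LOOPBACK = '127.0.0.0/8';
const PRIVATE_10 = '10.0.0.0/8';

// Demo: the three addresses from the article, seen through both parsers.
for (const ip of ['0177.0.0.1', '0127.0.0.1', '012.0.0.1']) {
  console.log(ip,
    'lenient ->', canonical(ip, parseOctetLenient),
    'loopback?', inCidr(ip, LOOPBACK, parseOctetLenient),
    '| strict ->', canonical(ip, parseOctetStrict),
    'loopback?', inCidr(ip, LOOPBACK, parseOctetStrict),
    '10/8?', inCidr(ip, PRIVATE_10, parseOctetStrict));
}
```

The mismatch matters because the parser that performs the policy check and the resolver that actually opens the connection disagree on what the string means: the check sees 177.0.0.1 and lets the request through, while the network stack connects to 127.0.0.1. Normalising the input with the strict parser before the check (or rejecting zero-prefixed octets outright) removes the ambiguity.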

The researchers who found the problem call it dangerous and offer several attack scenarios, but most of them look speculative. For example, they mention the possibility of attacking a Node.js-based application that opens an outbound connection to request a resource based on parameters or data from an incoming request, but no such application is named or described in detail. Even if applications that load resources based on a supplied IP address are found, it is not entirely clear how the vulnerability could be exploited in practice without a connection to the local network or without control over the "mirror" IP addresses.

The researchers only speculate that the owners of 87.0.0.1 (Telecom Italia) and 0177.0.0.1 (Brasil Telecom) could bypass an access restriction on 127.0.0.1. A more realistic scenario is using the vulnerability to bypass various application-side block lists. The issue can also be exploited in the shared definition of intranet address ranges in the NPM module "private-ip".

Source: opennet.ru
