A vulnerability (CVE-2024-4577) has been identified in PHP that allows executing your own code on the server or viewing the source code of a PHP script when PHP is used in CGI mode on the Windows platform (configurations with mod_php, php-fpm, and FastCGI are not affected). The problem is fixed in PHP 8.3.8, 8.2.20, and 8.1.29.
The problem is a special case of the CVE-2012-1823 vulnerability fixed in 2012, for which the added protection was not sufficient to block the attack on the Windows platform. The attack method consists of substituting a command-line argument when the PHP interpreter is started, by manipulating the request parameters sent to the PHP script.
In the old CVE-2012-1823 vulnerability, exploitation only required specifying command-line options in place of query parameters, for example, "http://localhost/index.php?-s" to display the source code of the script. The new vulnerability relies on the fact that the Windows platform performs automatic character conversion, which makes it possible to bypass the previously added protection by specifying characters that exist in certain encodings and are replaced with "-" (for example, http://localhost/index.php?%ads).
The vulnerability has been confirmed in configurations with the Traditional Chinese (cp950), Simplified Chinese (cp936) and Japanese (cp932) locales, but it may also manifest in other locales. The problem appears in installations of the XAMPP suite (Apache + MariaDB + PHP + Perl), and in any Apache configuration in which php-cgi is set up as a CGI script handler using the setting
'Action cgi-script "/cgi-bin/php-cgi.exe"' or 'Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"', or when the php interpreter is placed directly in "/cgi-bin" or any other directory in which execution of CGI scripts is permitted through the ScriptAlias directive.
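The two request shapes described above (a query string that begins with a literal "-", and one that begins with the `%ad` byte from the `%ads` example) can be searched for in web server access logs. The following is an added example, not code from PHP or from the original article; the log lines are constructed, and the function names and the combined-log regular expression are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jun/2024:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512
192.0.2.11 - - [07/Jun/2024:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
192.0.2.12 - - [07/Jun/2024:10:00:03 +0000] "GET /index.php?%ads HTTP/1.1" 200 2048
192.0.2.13 - - [07/Jun/2024:10:00:04 +0000] "GET /index.php?%ADs HTTP/1.1" 200 2048
192.0.2.14 - - [07/Jun/2024:10:00:05 +0000] "GET /search.php?q=-s HTTP/1.1" 200 300
192.0.2.15 - - [07/Jun/2024:10:00:06 +0000] "GET /index.php?%20-s HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

# 0x2D is "-"; 0xAD is the byte from the article's "%ads" example. Other bytes
# may be converted to "-" in other code pages, so this set is not exhaustive.
DASH_LIKE = {0x2D, 0xAD}

def classify_query(target):
    """Return 'cve-2012-1823-form', 'cve-2024-4577-form' or None."""
    _, sep, query = target.partition("?")
    if not sep:
        return None
    # Choice of this example: ignore leading whitespace so that padding
    # cannot hide the first significant byte of the decoded query string.
    raw = unquote_to_bytes(query).lstrip(b" \t")
    if not raw or raw[0] not in DASH_LIKE:
        return None
    return "cve-2012-1823-form" if raw[0] == 0x2D else "cve-2024-4577-form"

def scan(log_text):
    """Return (client, target, label) for every flagged request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        label = classify_query(m.group(2)) if m else None
        if label:
            hits.append((m.group(1), m.group(2), label))
    return hits

if __name__ == "__main__":
    for client, target, label in scan(SAMPLE_LOG):
        print(f"{label}\t{client}\t{target}")
```

A hit shows that a request of this shape reached the server, not that it succeeded; whether the host was exposed depends on the PHP version and the CGI configuration listed above.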
In addition, the PHP 8.3.8, 8.2.20 and 8.1.29 updates fix three more vulnerabilities:
- CVE-2024-5458: the ability to bypass the FILTER_VALIDATE_URL filter, used when calling the filter_var function.
- CVE-2024-5585 is a variant of the CVE-2024-1874 attack that allows bypassing the previously added protection and performing command substitution when calling bat and cmd files using the proc_open function on the Windows platform (the BatBadBut vulnerability).
- The openssl_private_decrypt function is susceptible to the Marvin attack.
Source: opennet.ru
