Release of Snuffleupagus 0.5.1, a module for blocking vulnerabilities in PHP applications

After a year of development, Snuffleupagus 0.5.1 has been released. The project provides a module for the PHP 7 interpreter that hardens the runtime environment and blocks common mistakes that lead to vulnerabilities in PHP applications. The module also makes it possible to create virtual patches that fix specific problems without touching the application's source code, which is convenient on shared hosting systems where it is impossible to keep every user's applications up to date. The module's overhead is estimated to be minimal. It is written in C, loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that lets you apply ready-made templates to improve security, or write your own rules to control input data and function parameters. For example, the rule sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); blocks the use of shell metacharacters in the argument of the system() function without modifying the application. Built-in methods are provided for blocking classes of vulnerabilities such as problems related to data serialization, unsafe use of the PHP mail() function, leakage of Cookie contents during XSS attacks, problems caused by loading files that contain executable code (for example, in .phar format), poor-quality random number generation, and injection of malicious XML constructs.
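As an added illustration (not part of the original article and not the project's shipped rule set), the rules file below shows a few ways the rule quoted above can be varied to build a virtual patch: a log-only simulation mode for safe rollout, scoping a rule to one file, and dumping the offending request for forensics. The file path, the legacy script name and the dump directory are assumptions; the keyword chaining follows the pattern of the rule quoted above.

```ini
; /etc/php/snuffleupagus.rules (assumed path; any file works)
; Loaded from php.ini with:  sp.configuration_file=/etc/php/snuffleupagus.rules

; The rule from the article: system() is dropped only when its "command"
; argument matches the regex, i.e. contains a shell metacharacter.
; The backslash is doubled because the pattern sits inside a quoted string.
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();

; Safe rollout: the same check for exec(), but in simulation mode the call is
; only logged, not blocked. Watch the log for false positives, then remove
; .simulation() to enforce.
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").simulation().drop();

; Scoped virtual patch: one legacy script (assumed name) may still call
; shell_exec(); every other file is denied. The allow rule is listed first so
; that it is matched before the catch-all drop (rules are assumed to be
; evaluated in order of appearance, first match winning).
sp.disable_function.function("shell_exec").filename("/var/www/html/legacy/backup.php").allow();
sp.disable_function.function("shell_exec").drop();

; Forensics: when passthru() is blocked, also dump the full request into a
; directory (assumed path, must be writable by the PHP worker) for analysis.
sp.disable_function.function("passthru").dump("/var/log/snuffleupagus/").drop();

; Human-readable label that appears in the log entry for this rule.
sp.disable_function.function("proc_open").drop().alias("proc_open() is not used by this application");
```

A practical rollout is to ship every new rule with .simulation() first, compare the log against real traffic for a few days, and only then turn it into a blocking rule; a virtual patch that breaks a legitimate code path is noticed much later than one that merely logs.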

PHP hardening methods provided by Snuffleupagus:

  • Automatic enabling of the "secure" and "samesite" (CSRF protection) flags on Cookies, and Cookie encryption;
  • A built-in set of rules for detecting traces of attacks and application compromise;
  • Forced global activation of "strict mode" (for example, blocking an attempt to pass a string where an integer argument is expected) and protection against type manipulation;
  • Blocking of protocol wrappers by default (for example, prohibiting "phar://"), with explicit whitelisting of allowed wrappers;
  • Prohibiting the execution of writable files;
  • Black and white lists for eval;
  • Mandatory enabling of TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects so that deserialization only accepts data that was stored by the original application;
  • A request logging mode;
  • Blocking the loading of external files in libxml via references in XML documents;
  • The ability to attach external handlers (upload_validation) to check and analyze uploaded files;
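The hardening features listed above, expressed as one rules file. This is an added example, not the project's own default rule set: the secret key, cookie name, wrapper list, eval blacklist and validator path are placeholders chosen for illustration, and the curl_setopt rules use the PHP constant values CURLOPT_SSL_VERIFYPEER = 64 and CURLOPT_SSL_VERIFYHOST = 81 in a two-parameter rule (assumed syntax).

```ini
; Secret used by cookie encryption and by the serialized-object HMAC.
; Placeholder: generate a long random value per deployment, keep it out of the repo.
sp.global.secret_key("replace-with-a-long-random-per-deployment-secret");

; Strict mode everywhere (a string passed where an int is expected is rejected)
; and protection against loose-comparison type juggling.
sp.global_strict.enable();
sp.sloppy_comparison.enable();

; Cookies: add the secure flag to every cookie; pin the session cookie to
; SameSite=Strict and encrypt its value so a copy stolen via XSS is useless elsewhere.
sp.auto_cookie_secure.enable();
sp.cookie.name("PHPSESSID").samesite("strict");
sp.cookie.name("PHPSESSID").encrypt();

; Replace the weak PHP random number functions with secure ones.
sp.harden_random.enable();

; Protocol wrappers: only these are allowed; phar:// and everything else is blocked.
sp.wrappers_whitelist.list("file,php,http,https");

; Refuse to execute PHP files that are writable.
sp.readonly_exec.enable();

; Code run through eval() may not call these functions.
sp.eval_blacklist.list("system,exec,shell_exec,passthru,popen,proc_open,assert");

; Enforce TLS certificate checks in curl: drop any attempt to disable
; CURLOPT_SSL_VERIFYPEER (64) or to weaken CURLOPT_SSL_VERIFYHOST (81) to 0 or 1.
sp.disable_function.function("curl_setopt").param("option").value("64").param("value").value("0").drop();
sp.disable_function.function("curl_setopt").param("option").value("81").param("value").value("0").drop();
sp.disable_function.function("curl_setopt").param("option").value("81").param("value").value("1").drop();

; HMAC serialized objects so unserialize() only accepts what this application produced.
sp.unserialize_hmac.enable();

; Stop libxml from loading external entities referenced from XML input.
sp.disable_xxe.enable();

; External validator for uploads (assumed path): the script is run for each
; uploaded file and its exit status decides whether the upload is accepted.
sp.upload_validation.script("/usr/local/bin/check_upload.py").enable();
```

Two caveats a practitioner should expect from this configuration: enabling unserialize_hmac or cookie encryption on an already running application invalidates previously stored serialized data and existing session cookies, since they carry no HMAC and are not encrypted, so both are best switched on during a maintenance window; and the wrappers whitelist must include every wrapper the application legitimately uses (for example data:// or compress.zlib://), otherwise the first include or file_get_contents through a missing wrapper fails at runtime.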

Changes in the new release: improved support for PHP 7.4 and compatibility with the PHP 8 branch currently in development. Added the ability to log events via syslog (it is enabled through the sp.log_media directive, which accepts the values php or syslog). The default rule set has been updated with new rules covering recently identified vulnerabilities and attack techniques against web applications. Improved macOS support and expanded use of the GitLab-based continuous integration platform.

Source: opennet.ru
