Bofokoli bo laeboraring ea PharStreamWrapper boa ama Drupal, Joomla le Typo3

Laebraring PharStreamWrapper, ho fana ka ba sebetsang ho itšireletsa khahlanong le ho tshoara litlhaselo ka ho kenya lifaele sebakeng sa "Phar", tsebahatsoa bofokodi (CVE-2019-11831), e lumellang ho feta ts'ireletso khahlanong le "code deerialization" ka ho kenya litlhaku ".." tseleng. Ka mohlala, mohlaseli a ka sebelisa URL ea foromo "phar:///path/bad.phar/../good.phar" bakeng sa tlhaselo, 'me laebrari e tla khetha lebitso la motheo "/path/good.phar" nakong ea ho netefatsa, le hoja nakong ea ts'ebetso e tsoelang pele ea tsela e joalo faele "/path/bad.phar" e tla sebelisoa.

Laeborari e ntlafalitsoe ke baqapi ba CMS TYPO3, empa e boetse e sebelisoa mererong Drupal и Joomla, e leng se etsang hore le bona ba be kotsing. Bothata bo lokisitsoe litokollong PharStreamWrapper 2.1.1 le 3.1.1Morero Drupal E lokisitse bothata ho lintlafatso tsa 7.67, 8.6.16 le 8.7.1. Joomla Bothata bona bo bile teng ho tloha phetolelong ya 3.9.3 mme bo lokisitsoe tokollong ya 3.9.6. Ho lokisa bothata ho TYPO3, o hloka ho ntjhafatsa laeborari ya PharStreamWapper.

Ho ea ka pono e sebetsang, bofokoli ba PharStreamWapper bo lumella mosebelisi Drupal Core, e nang le litokelo tsa 'Administer theme', e kenya faele e kotsi ea phar mme e phethahatsa khoutu ea PHP e ka hare, e patiloeng e le polokelo ea molao ea phar. E le khopotso, tlhaselo ea "Phar deserialization" e sebetsa ka ho hlakola metadata ka bo eona ho tsoa lifaeleng tsa Phar (PHP Archive) ha ho hlahlojoa lifaele tsa thuso tse kentsoeng bakeng sa ts'ebetso ea PHP file_exists() ha ho sebetsoa litsela tse qalang ka "phar://." Ho fetisetsa faele ea phar e le setšoantšo hoa khoneha, kaha file_exists() e khetholla mofuta oa MIME ho latela litaba tsa faele, eseng katoloso ea eona.

Source: opennet.ru

Reka sebaka se tšepahalang sa libaka tse nang le ts'ireletso ea DDoS, li-server tsa VPS VDS 🔥 Reka sebaka se tšepahalang sa ho amohela webosaete ka tšireletso ea DDoS, li-server tsa VPS VDS | ProHoster