Vulnerability in the Apache 2.4.49 http server allowing access to files outside the site root

An urgent update of the Apache http server, 2.4.50, has been released, fixing an already exploited 0-day vulnerability (CVE-2021-41773) that allows access to files from areas outside the site's root directory. Using the vulnerability, it is possible to download arbitrary system files and the source code of web scripts that are readable by the user under which the http server runs. The developers were notified of the problem on September 17, but were only able to release the update today, after cases of the vulnerability being used to attack websites had been recorded on the network.

What reduces the danger of the vulnerability is that the problem only appears in the recently released version 2.4.49 and does not affect any earlier release. The stable branches of conservative server distributions have not yet adopted release 2.4.49 (Debian, RHEL, Ubuntu, SUSE), but the problem did affect continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

The vulnerability is caused by a bug introduced during the rewrite of the URI normalization code, because of which the encoded dot character "%2e" in a path was not normalized if it was preceded by another dot. As a result, it became possible to place the raw characters "../" into the resulting path by specifying the sequence ".%2e/" in the request. For example, a request such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" allowed the contents of the "/etc/passwd" file to be obtained.
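The normalization failure described above can be found after the fact in access logs: percent-decode each requested path once and resolve its dot segments the way the filesystem would, flagging any request that climbs above the document root. The following detector is an added example, not code from the article or from the Apache project; the log lines are constructed (common log format) and reuse the two request paths quoted above plus two benign ones.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). The first two
# request paths are the ones quoted in the article; the last two are benign
# (a plain file, and a name that merely contains ".." inside a segment).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:01:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234
203.0.113.5 - - [05/Oct/2021:10:01:03 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 321
198.51.100.7 - - [05/Oct/2021:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [05/Oct/2021:10:01:05 +0000] "GET /docs/a..b/file%2Etxt HTTP/1.1" 200 77
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def escapes_root(raw_target: str) -> bool:
    """True if the target, after one round of percent-decoding and dot-segment
    resolution, climbs above the document root (i.e. a ".." with nothing
    left to pop). Matches how ".%2e/" in the article decodes to "../"."""
    path = unquote(raw_target.split("?", 1)[0])   # drop query, decode once
    depth = 0                                      # directories below root
    for seg in path.split("/"):
        if seg == "..":
            if depth == 0:
                return True                        # climbed above the root
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, target) for every logged request whose decoded
    path escapes the document root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_root(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Feeding a real access log into find_traversal() surfaces the two article requests and nothing else from the benign lines, because a ".." that appears inside a segment name (a..b) is not a dot segment.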

The problem does not occur if access to directories is explicitly denied using the "require all denied" setting. For example, for partial protection you can specify in the configuration file: require all denied

Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524), affecting the module that implements the HTTP/2 protocol. The vulnerability makes it possible to trigger a null pointer dereference by sending a specially crafted request and cause the process to crash. This vulnerability likewise appears only in version 2.4.49. As a protective measure, you can disable support for the HTTP/2 protocol.

Source: opennet.ru
