Release of Snuffleupagus 0.5.1, a module for blocking vulnerabilities in PHP applications.

After a year of development, the release of Snuffleupagus 0.5.1 has been published. The project provides a module for the PHP7 interpreter that hardens the environment and blocks common mistakes that lead to exploitable vulnerabilities in PHP applications. The module also lets you create virtual patches that eliminate specific problems without changing the source code of the vulnerable application, which is convenient for mass hosting systems where it is impossible to keep every user application up to date. The module's overhead is estimated to be minimal. The module is written in C, is loaded as a shared library ("extension=snuffleupagus.so" in php.ini) and is distributed under the LGPL 3.0 license.

Snuffleupagus provides a rule system that lets you apply ready-made templates to improve security, or write your own rules to control input data and function parameters. For example, the rule sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); restricts the use of special characters in the argument of the system() function without changing the application. Built-in mechanisms are provided to block classes of vulnerabilities such as problems related to data serialization, unsafe use of PHP's mail() function, leakage of Cookie contents during XSS attacks, problems caused by loading files containing executable code (for example, in phar format), poor-quality random number generation, and substitution of malformed XML constructs.
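To make the semantics of the rule quoted above concrete, here is an added Python simulation (it is not Snuffleupagus code and does not use its engine): a tiny rule object in the shape function/param/value_r, and a check that decides whether a given call would be dropped. The character class is exactly the one from the page's rule; the sample calls, the DropRule class and the helper names are constructed for this illustration. Python's re is used in place of PCRE, which for this character class behaves identically.

```python
import re
from dataclasses import dataclass

# Constructed mirror of the page's rule:
# sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
# In PHP the double-quoted "\\n" reaches PCRE as \n, i.e. a newline inside the class.
@dataclass(frozen=True)
class DropRule:
    function: str      # PHP function the rule applies to
    param: str         # name of the inspected parameter
    value_regex: str   # a match on the parameter value means "drop the call"


SYSTEM_RULE = DropRule("system", "command", r"[$|;&`\n]")


def is_dropped(rule: DropRule, function: str, args: dict) -> bool:
    """Return True if a call `function(**args)` would be dropped by `rule`.

    Only the named function and the named parameter are inspected; every
    other call passes through untouched, as the rule only applies there.
    """
    if function != rule.function:
        return False
    value = args.get(rule.param)
    if value is None:
        return False
    return re.search(rule.value_regex, value) is not None


def evaluate(rule: DropRule, calls: list) -> list:
    """Run the rule over (function, args) pairs; return (function, value, dropped) rows."""
    return [(fn, args.get(rule.param), is_dropped(rule, fn, args)) for fn, args in calls]


# Constructed sample calls as an application might issue them.
SAMPLE_CALLS = [
    ("system", {"command": "ls -l /var/www/uploads"}),   # plain argument: allowed
    ("system", {"command": "convert in.png out.jpg"}),   # plain argument: allowed
    ("system", {"command": "ls; id"}),                   # ';' in class: dropped
    ("system", {"command": "ls | cat"}),                 # '|' in class: dropped
    ("system", {"command": "echo $HOME"}),               # '$' in class: dropped
    ("system", {"command": "ls\nid"}),                   # newline in class: dropped
    ("exec", {"command": "ls; id"}),                     # other function: rule does not apply
]


if __name__ == "__main__":
    for fn, value, dropped in evaluate(SYSTEM_RULE, SAMPLE_CALLS):
        print(f"{'DROP ' if dropped else 'ALLOW'} {fn}({value!r})")
```

Note that the rule is per function: the last sample shows that exec() with the same argument is not covered by a rule written for system(), so a deployer who wants the same restriction on the other process-execution functions writes a rule for each of them.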

Security hardening methods for PHP provided by Snuffleupagus:

  • Automatic enabling of the "secure" and "samesite" flags (CSRF protection) for Cookies, and Cookie encryption;
  • Built-in rules for detecting traces of attacks and compromise of applications;
  • Forced global enabling of "strict" mode (for example, blocking an attempt to pass a string where an integer argument is expected) and protection against type manipulation;
  • Default blocking of protocol wrappers (for example, blocking "phar://") via an explicit whitelist of allowed wrappers;
  • Prohibition of executing writable files;
  • Black and white lists for eval;
  • Mandatory enabling of TLS certificate verification when using curl;
  • Adding an HMAC to serialized objects to ensure that deserialization only receives data that was stored by the original application;
  • Logging mode;
  • Blocking the loading of external files in libxml via links in XML documents;
  • Ability to connect external handlers (upload_validation) for checking and scanning uploaded files.
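The HMAC item in the list above is the one most worth seeing end to end, so here is an added Python illustration of the mechanism (not Snuffleupagus code, and not tied to PHP's serialize format: JSON is used as the stand-in serialization so the example runs stand-alone). The secret key, the record and the tampered copy are constructed for the demonstration; the idea is the page's: a keyed tag is appended when data is stored, and the tag is verified before anything is deserialized, so only blobs the application itself produced ever reach the deserializer.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment uses a long, random, per-application secret.
KEY = b"constructed-demo-secret-do-not-reuse"
SEP = b"|"  # separator between payload and tag; the hex tag itself never contains '|'


def serialize_signed(obj, key: bytes = KEY) -> bytes:
    """Serialize `obj` and append an HMAC-SHA256 tag computed over the serialized bytes."""
    payload = json.dumps(obj, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + SEP + tag


def unserialize_verified(blob: bytes, key: bytes = KEY):
    """Verify the tag in constant time, then (and only then) deserialize the payload."""
    payload, sep, tag = blob.rpartition(SEP)
    if not sep:
        raise ValueError("missing HMAC tag")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: blob was not produced by this application")
    return json.loads(payload)


def demo() -> tuple:
    """Round-trip a constructed session record, then show a tampered copy is rejected."""
    record = {"user": "alice", "role": "user"}
    blob = serialize_signed(record)
    restored = unserialize_verified(blob)

    # Constructed tampering: change the payload without knowing the key.
    tampered = blob.replace(b'"role": "user"', b'"role": "admin"')
    try:
        unserialize_verified(tampered)
        rejected = False
    except ValueError:
        rejected = True
    return restored, rejected


if __name__ == "__main__":
    restored, rejected = demo()
    print("restored:", restored)
    print("tampered blob rejected:", rejected)
```

The verification must happen before deserialization, not after: the point of the check is that the deserializer never parses untrusted bytes at all, which is why the compare is done on the raw payload and compare_digest is used to avoid leaking the tag through timing.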

Among the changes in the new release: improved support for PHP 7.4 and compatibility with the still-developing PHP 8 branch. Added the ability to log events via syslog (the sp.log_media directive, which can take the values php or syslog, is proposed for inclusion). The default rules have been improved with new rules for recently identified vulnerabilities and attack methods against web applications. Improved support for macOS and expanded use of the GitLab-based continuous integration platform.

Source: opennet.ru
