Apache HTTP Server 2.4.56 released with vulnerability fixes

Apache HTTP Server 2.4.56 has been published. The release introduces 6 changes and eliminates 2 vulnerabilities related to the possibility of carrying out "HTTP Request Smuggling" attacks on front-end/back-end systems, which allow an attacker to wedge into the contents of other users' requests processed in the same thread between the frontend and the backend. The attack can be used to bypass access-restriction systems or to inject malicious JavaScript code into a session with a legitimate website.

The first vulnerability (CVE-2023-27522) affects the mod_proxy_uwsgi module and allows a response to be split into two parts on the proxy side by substituting special characters into the HTTP header returned by the backend.

The second vulnerability (CVE-2023-25690) is present in mod_proxy and occurs when certain rewrite rules are used via the RewriteRule directive provided by the mod_rewrite module, or certain patterns are used in the ProxyPassMatch directive. Exploitation can lead to requests being sent through the proxy to internal resources that are not supposed to be reachable via the proxy, or to poisoning of cache contents. For the vulnerability to manifest, the request rewrite rules must use data taken from the URL, which is then inserted into the forwarded request. Example:

  RewriteEngine on
  RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
  ProxyPassReverse /here/ http://example.com:8080/
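The condition described above (a captured part of the client-supplied URL spliced into the URL of a proxied request) is something an administrator can look for in their own configuration before or after upgrading. The following audit helper is an added example written for this article; it is not part of Apache httpd or of the opennet.ru report. It scans httpd configuration text for RewriteRule lines carrying the P (proxy) flag and for ProxyPassMatch lines whose backend URL contains a $N backreference, and reports them for manual review. The sample configuration embedded in it is constructed for the demonstration and mirrors the advisory's example; the parser handles only the simple single-line, double-quoted forms shown.

```python
import re

# Constructed httpd.conf fragment for demonstration only (not a real server's config).
# Line 3 reproduces the pattern from the CVE-2023-25690 advisory example.
SAMPLE_CONFIG = """\
RewriteEngine on
# Advisory pattern: the captured path fragment is spliced into the proxied URL
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
# Proxied, but no part of the client URL reaches the backend URL
RewriteRule "^/static/(.*)" "http://static.internal:8080/assets/" [P]
# Uses a backreference, but it is a redirect, not a proxied request
RewriteRule "^/old/(.*)" "/new/$1" [R]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/v1/$1"
ProxyPass /fixed/ http://backend.internal:9000/fixed/
"""

# $1 .. $9 backreferences into the matched request URL
BACKREF = re.compile(r"\$[1-9]")


def _split_directive(line):
    """Split a config line into tokens, keeping double-quoted arguments intact."""
    return re.findall(r'"[^"]*"|\S+', line)


def _unquote(tok):
    """Strip surrounding double quotes from a single token."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def _flags(tokens):
    """Return the lower-cased rewrite flag names from a trailing [flag,flag=val] token."""
    for tok in tokens:
        m = re.fullmatch(r"\[(.*)\]", tok)
        if m:
            return {f.split("=", 1)[0].strip().lower() for f in m.group(1).split(",")}
    return set()


def find_risky_proxy_rules(config_text):
    """Return (line_number, directive, target) for each proxied rule whose
    backend URL is built from a captured part of the client-supplied URL."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = _split_directive(line)
        name = toks[0].lower()
        if name == "rewriterule" and len(toks) >= 3:
            target = _unquote(toks[2])
            # Only the P/proxy flag turns a RewriteRule into a proxied request
            if _flags(toks[3:]) & {"p", "proxy"} and BACKREF.search(target):
                findings.append((lineno, toks[0], target))
        elif name == "proxypassmatch" and len(toks) >= 3:
            target = _unquote(toks[2])
            if BACKREF.search(target):
                findings.append((lineno, toks[0], target))
    return findings


if __name__ == "__main__":
    for lineno, directive, target in find_risky_proxy_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} forwards client URL data to {target}")
```

A hit is not proof of exploitability; it identifies the rules whose proxied target depends on request data, which are exactly the ones to review against the fixed release and to keep under a strict pattern rather than a catch-all `(.*)`.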

Among the non-security changes:

  • The "-T" flag has been added to the rotatelogs utility; when rotating logs, it truncates subsequent log files without truncating the initial log file.
  • mod_ldap now accepts negative values in the LDAPConnectionPoolTTL directive to configure reuse of any old connections.
  • The mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, when built with libressl 3.5.0+, includes support for the Ed25519 digital signature scheme and for accounting of public Certificate Transparency (CT) log information. The MDChallengeDns01 directive now allows settings to be defined for individual domains.
  • mod_proxy_uwsgi has tightened the checking and parsing of responses coming from HTTP backends.

Source: opennet.ru
