Vulnerability in the NPM package node-netmask, used in 270 thousand projects

The NPM package node-netmask, which has about 3 million downloads per week and is used as a dependency in more than 270 thousand projects on GitHub, has a vulnerability (CVE-2021-28918) that allows bypassing checks that use netmask to determine whether an address belongs to a range or to filter addresses. The issue is fixed in the node-netmask 2.0.0 release.

The vulnerability makes it possible to treat an external IP address as an address from the internal network and vice versa and, given certain logic for using the node-netmask module in an application, to carry out SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks in order to reach resources on the internal network and to include external or local files in the execution chain. The problem is that, according to the specification, address string values that begin with a zero must be interpreted as octal numbers, but the node-netmask module does not take this into account and treats them as decimal numbers.

For example, an attacker can request a local resource by specifying the value "0177.0.0.1", which corresponds to "127.0.0.1", but the "node-netmask" module will drop the leading zero and treat "0177.0.0.1" as "177.0.0.1", so an application checking its access rules will not be able to recognise it as "127.0.0.1". Similarly, an attacker can specify the address "0127.0.0.1", which should be identical to "87.0.0.1", but will be treated as "127.0.0.1" by the "node-netmask" module. In the same way, a check for access to intranet addresses can be bypassed by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1", but processed as 12.0.0.1 during the check).
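The octet-parsing difference described above, as an added example in JavaScript that is not node-netmask's own code: one helper applies three parsing policies to a dotted quad (decimal-only, which reproduces the pre-2.0.0 behaviour described above; inet_aton-style, which honours the leading-zero octal convention; and strict, which rejects any ambiguous octet), and a CIDR check shows how the same string lands inside or outside 127.0.0.0/8 depending on the policy. The function names and the loopback/intranet check are the example's own.

```javascript
// Added example, not node-netmask's code. parseOctet() applies one of three
// policies to a single octet string; ipToInt() applies it to a dotted quad.
//   "naive":     decimal only, leading zeros ignored ("0177" -> 177), the
//                pre-2.0.0 node-netmask behaviour described above
//   "inet_aton": leading "0" is octal, "0x" is hex ("0177" -> 127)
//   "strict":    canonical dotted-decimal only, leading zero rejected
function parseOctet(p, mode) {
  if (mode === "naive") return /^\d+$/.test(p) ? parseInt(p, 10) : NaN;
  if (mode === "inet_aton") {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]*$/.test(p)) return parseInt(p, 8); // "0" alone is 0
    return /^[1-9]\d*$/.test(p) ? parseInt(p, 10) : NaN;
  }
  // strict: "0" or 1-3 digits without a leading zero
  return /^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : NaN;
}

// Returns the address as an unsigned 32-bit integer, or null if any octet
// is invalid under the chosen policy. Only the four-part form is handled;
// real inet_aton also accepts shorter forms such as "127.1" (assumption
// of this example, kept out for brevity).
function ipToInt(ip, mode) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    const v = parseOctet(p, mode);
    if (Number.isNaN(v) || v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// CIDR membership for an already parsed address, e.g. inCidr(x, "127.0.0.0/8").
// The range base comes from configuration, so it is always parsed strictly.
function inCidr(ipInt, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseInt = ipToInt(base, "strict");
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// A typical "is this loopback or intranet?" guard, evaluated under one policy.
function isLoopbackOrIntranet(ip, mode) {
  const n = ipToInt(ip, mode);
  return n !== null && (inCidr(n, "127.0.0.0/8") || inCidr(n, "10.0.0.0/8"));
}
```

With the "strict" policy the three strings from the text are rejected outright, which is the behaviour an access check should prefer over guessing a notation.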

The researchers who identified the problem called it catastrophic and provided several attack scenarios, but most of them look speculative. For example, they describe an attack on a Node.js-based application that opens outbound connections to fetch a resource based on the parameters or data of an incoming request, but no such application is named or described. Even if applications that load resources based on user-supplied IP addresses are found, it is not entirely clear how the vulnerability could be exploited in practice without a connection to the local network or without control over the "mirror" IP addresses.

The researchers only assume that the owners of 87.0.0.1 (Telecom Italia) and 0177.0.0.1 (Brasil Telecom) would be able to bypass an access restriction on 127.0.0.1. A more realistic scenario is using the vulnerability to bypass various block lists on the application side. The issue can also be applied to the definition of intranet ranges in the NPM module "private-ip".

Source: opennet.ru