Unpatched vulnerability in the vBulletin web forum engine (updated)

Information has been disclosed about an unpatched (0-day) vulnerability (CVE-2019-16759) in the proprietary vBulletin web forum engine that allows code to be executed on the server by sending a specially crafted POST request. A working exploit for the issue is available. vBulletin is used by many open projects; among others, the forums of Ubuntu, openSUSE, the BSD systems and Slackware are based on this engine.

The vulnerability is in the "ajax/render/widget_php" handler, which executes arbitrary code passed in the "widgetConfig[code]" parameter (the supplied code is passed through as-is to the PHP interpreter, so the attacker does not even need to escape anything). The attack does not require authentication on the forum. The problem has been confirmed in all releases of the current vBulletin 5.x branch (in development since 2012), including the most recent release, 5.5.4. An update with a fix has not yet been prepared.

Addition 1: Patches have been released for versions 5.5.2, 5.5.3 and 5.5.4. Owners of older 5.x releases are advised to first update their systems to the latest supported versions to eliminate the vulnerability; as a workaround, the "eval($code)" call in the evalCode function in the file includes/vb5/frontend/controller/bbcode.php can be commented out (this also disables the PHP widget feature that relies on that call).

Addition 2: The vulnerability is already being actively exploited in attacks that install malware and leave backdoors. Traces of an attack can be found in the HTTP server log by the presence of requests containing the string "ajax/render/widget_php".
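The log check described above, as an added example that is not part of the original article or of vBulletin's own code: it parses Apache/nginx "combined" format access lines, flags any request whose target (path or query string) names the widget_php renderer or the widgetConfig parameter, and aggregates hits by source IP and method for triage. The log lines are constructed for illustration. One caveat the article does not mention: when the attacker sends both routestring and widgetConfig[code] in the body of a POST to "/", the access log records only "POST /" and this check cannot see it; request-body logging (for example a WAF audit log) is needed for that case.

```python
"""Hunt for CVE-2019-16759 probing in HTTP access logs (added example)."""
import re
from collections import Counter

# Apache/nginx "combined" log format. The request target (path + query) is
# captured as a whole so that both /ajax/render/widget_php and
# /index.php?routestring=ajax/render/widget_php are matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

INDICATOR = "ajax/render/widget_php"   # route named in the article
PARAM_HINT = "widgetconfig"            # the eval'd parameter, widgetConfig[code]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_widget_php_request(rec):
    """True if the request target names the widget_php renderer.

    Matching is case-insensitive and covers the route in the path or in the
    query string. A POST to "/" carrying routestring in the body shows up
    only as "POST /" in the access log and is NOT detected here.
    """
    target = rec["target"].lower()
    return INDICATOR in target or PARAM_HINT in target


def find_widget_php_requests(lines):
    """Parse every line and return the records that hit the indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_widget_php_request(rec):
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate hits by source IP and HTTP method; count successful (200) ones."""
    return {
        "total": len(hits),
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "by_method": dict(Counter(h["method"] for h in hits)),
        "status_200": sum(1 for h in hits if h["status"] == "200"),
    }


# Constructed sample log: two probes visible in the access log, one attacker
# POST to "/" that is not, ordinary forum traffic, and one unparsable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Sep/2019:10:12:01 +0000] "GET /ajax/render/widget_php?widgetConfig[code]=phpinfo(); HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [24/Sep/2019:10:13:45 +0000] "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 88 "-" "python-requests/2.22.0"',
    '203.0.113.7 - - [24/Sep/2019:10:14:02 +0000] "POST / HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [24/Sep/2019:10:15:30 +0000] "GET /forum/general-discussion HTTP/1.1" 200 20481 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [24/Sep/2019:10:15:31 +0000] "GET /core/images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    found = find_widget_php_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print(summarize(found))
```

Run it against a real log with `find_widget_php_requests(open("access.log"))`; any hit that returned 200 deserves a look at the web root and cron entries for dropped backdoors, since the article reports the bug was used to install them.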

Addition 3: Evidence has surfaced that the issue under discussion was used in older attacks; apparently, the vulnerability has been exploited for about three years. In addition, a script has been published that can be used for mass automated attacks, finding vulnerable systems through the Shodan service.

Source: opennet.ru
