WordPress 5.2 released with support for verifying updates by digital signature

The release of the WordPress 5.2 web content management system has been published. The release is notable for completing a six-year effort to implement the ability to verify updates and add-ons using digital signatures.

Until now, when installing updates in WordPress, the main security element was trust in the WordPress infrastructure and servers (after downloading, the hash was checked, but the source was not verified). If the project's servers were compromised, attackers could substitute the update and distribute malicious code across WordPress-based sites that use the automatic update installation system. Under the trust-on-delivery model used previously, such a substitution would go unnoticed on the user side.

Considering that, according to w3techs data, the WordPress platform is used on 33.8% of sites on the web, such an incident would take on the scale of a catastrophe. At the same time, the risk of infrastructure compromise was not hypothetical but quite real. For example, a few years ago one security researcher demonstrated a vulnerability that allowed an attacker to execute their code on the server side of api.wordpress.org.

With digital signatures, gaining control of the update distribution server would not lead to the compromise of user systems, because to carry out an attack one would also need to obtain the separately stored private key with which updates are signed.

Implementing verification of the source of updates by digital signature was held back by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only recently. The required cryptographic algorithms became available thanks to the integration of the Libsodium library into the core of PHP 7.2. But the minimum supported PHP version in WordPress was 5.2.4 (as of WordPress 5.2, 5.6.20). Enabling digital signature support would have required a substantial increase in the minimum supported PHP version or the addition of an external dependency, which the developers could not do given the spread of PHP versions on hosting systems.

The solution was the development and inclusion in WordPress 5.2 of a compact version of Libsodium, Sodium Compat, in which a minimal set of algorithms for verifying digital signatures is implemented in pure PHP. The implementation leaves much to be desired in terms of performance, but it completely solves the compatibility problem and also allows plugin developers to start using modern cryptographic algorithms.

The algorithm used to generate digital signatures is Ed25519, developed with the participation of Daniel J. Bernstein. The digital signature is generated from the SHA384 hash value computed over the contents of the update archive. Ed25519 has a higher level of security than ECDSA and DSA, and shows very high speed of signature verification and creation. The resistance of Ed25519 to cracking is about 2^128 (on average, an attack on Ed25519 would require 2^140 bit operations), which corresponds to the resistance of algorithms such as NIST P-256 and RSA with a key size of 3000 bits, or a 128-bit block cipher. Ed25519 is also not affected by hash collision problems, and is not susceptible to cache-timing or side-channel attacks.
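An added example, not WordPress's or Sodium Compat's own code, of the scheme described above: a detached Ed25519 signature over the SHA-384 digest of the archive bytes, using the ext/sodium function names that Sodium Compat polyfills on older PHP. The keypair and the archive contents are constructed for the demo; the public key is what a client would pin, and the private key is the separately held secret the article refers to.

```php
<?php
// Added example (not WordPress's own code): sign and verify an update
// archive as the article describes it. The signature is Ed25519 over the
// raw SHA-384 digest of the archive contents; sodium_* are the ext/sodium
// functions (PHP 7.2+) that Sodium Compat provides on older PHP versions.

// Raw (binary) SHA-384 digest of the archive bytes; this is what gets signed.
function archive_digest(string $archiveBytes): string {
    return hash('sha384', $archiveBytes, true);
}

// Release side: produce a detached Ed25519 signature with the private key,
// which is stored separately from the update distribution server.
function sign_archive(string $archiveBytes, string $secretKey): string {
    return sodium_crypto_sign_detached(archive_digest($archiveBytes), $secretKey);
}

// Client side: recompute the digest from the downloaded bytes and verify the
// detached signature against a pinned public key. Length checks come first
// because ext/sodium throws SodiumException on malformed inputs.
function verify_archive(string $archiveBytes, string $signature, string $publicKey): bool {
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, archive_digest($archiveBytes), $publicKey);
}

// Demo with a constructed keypair and a constructed "archive" string.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);   // what a client would pin

$archive   = "PK\x03\x04 constructed update archive contents";
$signature = sign_archive($archive, $secretKey);

// Untouched archive with the genuine signature: the only accepted case.
var_dump(verify_archive($archive, $signature, $publicKey));

// Archive substituted on a compromised server: its digest no longer matches
// the one that was signed, so the client refuses it.
var_dump(verify_archive($archive . "\x00tampered", $signature, $publicKey));

// Signature produced with some other key: controlling the server is not
// enough without the separately stored private key.
$otherKeypair = sodium_crypto_sign_keypair();
$forged = sign_archive($archive, sodium_crypto_sign_secretkey($otherKeypair));
var_dump(verify_archive($archive, $forged, $publicKey));
```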

In the WordPress 5.2 release, digital signature verification currently covers only major platform updates and does not block the update automatically; it only notifies the user of a problem. It was decided not to enable automatic blocking right away because of the need for thorough testing and for working through possible problems. In the future, it is also planned to add digital signature verification to confirm the source of theme and plugin installations (authors will be able to sign releases with their own key).

In addition to digital signature support, the following changes in WordPress 5.2 can be noted:

  • Two new pages have been added to the "Site Health" section for fixing common configuration problems, and a form is provided where developers can leave debugging information for site administrators;
  • Handling of the "white screen of death" has been added, shown when fatal problems occur, which helps the administrator fix problems related to plugins or themes on their own by switching to a special crash recovery mode;
  • A plugin compatibility checking system has been implemented, which automatically checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer PHP version to work, the system will automatically block the installation of that plugin;
  • Added support for enabling modules with JavaScript code using webpack and Babel;
  • Added a new privacy-policy.php template that lets you customize the content of the privacy policy page;
  • In themes, a wp_body_open hook handler has been added that lets you insert code immediately after the body tag;
  • The minimum PHP version requirement has been raised to 5.6.20; plugins and themes can now use namespaces and anonymous functions;
  • Added 13 new icons.

Additionally, the discovery of a critical vulnerability in the WP Live Chat WordPress plugin (CVE-2019-11185) can be mentioned. The vulnerability allows arbitrary PHP code to be executed on the server. The plugin is used on more than 27 thousand sites to run an interactive chat with visitors, including sites of companies such as IKEA, Adobe, Huawei, PayPal, Tele2 and McDonald's (Live Chat is typically used to implement the annoying pop-up chats on company sites that offer to talk to an employee).

The problem lies in the code for uploading files to the server and allows the allowed-file-type check to be bypassed so that a PHP script can be uploaded to the server and then executed directly via the web. Interestingly, last year a similar vulnerability had already been identified in Live Chat (CVE-2018-12426), which allowed PHP code to be uploaded under the guise of an image by specifying a different content type in the content-type field. As part of the fix, additional checks were added on the allowed extension and on the MIME content type. As it turned out, these checks were implemented incorrectly and can be easily bypassed.

In particular, direct upload of files with the ".php" extension is not allowed, but the ".phtml" extension, which is associated with the PHP interpreter on many servers, was not added to the blocklist. The allowlist permits only image uploads, but it can be bypassed by specifying a double extension, for example ".gif.phtml". To bypass the MIME type check, it is enough to place the string "GIF89a" at the beginning of the file, before the opening tag with the PHP code.
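An added example, not WP Live Chat's own code, of an upload check written against the three weaknesses just described: a blocklist that forgot ".phtml", a double extension that slips past an image allowlist, and a "GIF89a" prefix that satisfies a content check. The function name and the sample filenames are constructed for the demo.

```php
<?php
// Added example (not the plugin's code). Design choices, one per weakness
// in the article: (a) a short allowlist instead of a blocklist, so ".php",
// ".phtml" or any other interpreter suffix can never match; (b) only
// "name.ext" with exactly one dot is accepted, so "x.gif.phtml" is rejected
// outright and the web server's suffix-to-handler mapping never matters;
// (c) a magic-byte prefix is treated as a consistency hint, not proof, so
// the file is always stored under a server-generated name with the
// allowlisted extension, where no interpreter applies whatever the bytes are.

const ALLOWED_IMAGE_TYPES = [
    'gif'  => "GIF8",                   // GIF87a / GIF89a
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
];

// Returns the storage filename for an accepted upload, or null to reject.
// $clientName is the filename the browser sent; $bytes is the uploaded body.
// The browser's Content-Type header is deliberately not a parameter.
function validate_image_upload(string $clientName, string $bytes): ?string {
    // Exactly one dot, simple characters: "photo.gif" yes, "x.gif.phtml" no.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', basename($clientName), $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;                    // allowlist: anything not an image type is refused
    }
    // Magic bytes must agree with the claimed extension. A crafted
    // "GIF89a<?php" body still passes this, which is exactly why the name
    // returned below is generated here and not taken from the client.
    $magic = ALLOWED_IMAGE_TYPES[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;
    }
    // Random name, allowlisted extension. For defence in depth, serve the
    // upload directory with script execution disabled as well.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs covering the cases in the article.
$cases = [
    ['photo.gif',       "GIF89a" . str_repeat("\0", 16)],  // accepted
    ['shell.phtml',     "<?php echo 1;"],                  // rejected: extension not allowlisted
    ['shell.gif.phtml', "GIF89a<?php echo 1;"],            // rejected: double extension
    ['shell.gif',       "GIF89a<?php echo 1;"],            // accepted, but stored as <random>.gif, never executed
];
foreach ($cases as [$name, $bytes]) {
    $stored = validate_image_upload($name, $bytes);
    printf("%-16s -> %s\n", $name, $stored === null ? 'rejected' : "stored as $stored");
}
```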

Source: opennet.ru
