Ubuthakathaka emtatsheni wezincwadi we-PharStreamWrapper buyathinta Drupal, Joomla kanye ne-Typo3

Emtatsheni wezincwadi I-PharStreamWrapper, ehlinzeka ngezibambi ukuvikela kuzo ebambe ukuhlasela ngokufaka esikhundleni sefayela ngefomethi ethi “Phar”, ikhonjiwe ukuba sengozini (I-CVE-2019-11831), okukuvumela ukuthi udlule ukuvikelwa kwekhodi deerialization ngokufaka esikhundleni ".." izinhlamvu endleleni. Isibonelo, umhlaseli angasebenzisa i-URL efana nokuthi “phar:///path/bad.phar/../good.phar” ukuze ahlasele, futhi ilabhulali izogqamisa igama lesisekelo elithi “/path/good.phar” uma ukuhlola, nakuba lapho kuqhubeka ukucubungula indlela enjalo Ifayela elithi "/path/bad.phar" lizosetshenziswa.

Umtapo wolwazi wasungulwa ngabadali be-CMS TYPO3, kodwa futhi usetshenziswa kumaphrojekthi Drupal и Joomla, okubenza nabo babe sengozini. Inkinga ixazululiwe ekukhishweni I-PharStreamWrapper 2.1.1 kanye ne-3.1.1. Iphrojekthi Drupal Kulungiswe inkinga kuzibuyekezo 7.67, 8.6.16 kanye no-8.7.1. Joomla Inkinga ibilokhu ikhona kusukela kunguqulo 3.9.3 futhi yalungiswa ekukhishweni 3.9.6. Ukuze ulungise inkinga ku-TYPO3, udinga ukubuyekeza umtapo wezincwadi we-PharStreamWapper.

Ngokombono ongokoqobo, ubuthakathaka ku-PharStreamWapper buvumela umsebenzisi Drupal I-Core, enamalungelo e-'Administer theme', ilayisha ifayela le-phar elinonya futhi isebenzise ikhodi ye-PHP equkethwe ngaphakathi, efihliwe njengengobo yomlando ye-phar esemthethweni. Njengesikhumbuzo, ukuhlaselwa kwe-"Phar deserialization" kusebenza ngokuzenzakalelayo ngokukhipha i-metadata kusuka kumafayela e-Phar (PHP Archive) lapho kuhlolwa amafayela osizo alayishiwe womsebenzi we-PHP i-file_exists() lapho kucutshungulwa izindlela eziqala ngo-"phar://." Ukudlulisa ifayela le-phar njengesithombe kungenzeka, njengoba i-file_exists() inquma uhlobo lwe-MIME ngokusekelwe kokuqukethwe kwefayela, hhayi isandiso salo.

Source: opennet.ru

Thenga ukusingathwa okuthembekile kwamasayithi anokuvikelwa kwe-DDoS, amaseva e-VPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekile ngokuvikelwa kwe-DDoS, amaseva e-VPS VDS | ProHoster