Vulnerability in the Nostromo http server leading to remote code execution

A vulnerability (CVE-2019-16278) has been identified in the Nostromo http server (nhttpd) that allows an attacker to execute code on the server remotely by sending a specially crafted HTTP request. The issue will be fixed in release 1.9.7 (not yet published at the time of writing). According to data from the Shodan search engine, the Nostromo http server is used on roughly 2000 publicly accessible hosts.

The vulnerability is caused by a bug in the http_verify function, which fails to prevent access to file-system contents outside the site's root directory when the sequence ".%0d./" is passed in the path. It arises because the check for the presence of the "../" sequence is performed before the path-normalization function runs, and that function removes line-break characters (%0d) from the string.

To exploit the vulnerability, one can reach /bin/sh instead of a CGI script and execute arbitrary shell constructs by sending a POST request to the URI "/.%0d./.%0d./.%0d./.%0d./bin/sh" with the commands passed in the request body. Interestingly, a similar vulnerability (CVE-2011-0751) had already been fixed in Nostromo in 2011; it allowed an attack by sending the request "/..%2f..%2f..%2fbin/sh".
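As an added illustration (not the article's or the Nostromo project's code), the following simplified Python model shows why the ordering described above matters: the buggy order checks for "../" before line breaks are stripped, the corrected order checks afterwards, and a detection pass flags such requests in access-log lines. The log lines, function names and the root-check itself are constructed for this example and do not reproduce nhttpd's implementation.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The first two carry
# the request paths quoted in the article; the third is a benign CGI request.
SAMPLE_LOG = [
    '198.51.100.7 - - "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1" 200',
    '198.51.100.8 - - "GET /..%2f..%2f..%2fbin/sh HTTP/1.1" 404',
    '198.51.100.9 - - "GET /cgi-bin/index.cgi HTTP/1.1" 200',
]

def strip_line_breaks(path: str) -> str:
    """Model of the normalization step the article describes: line-break
    characters (CR, i.e. %0d, and LF) are dropped from the path string."""
    return path.replace("\r", "").replace("\n", "")

def contains_traversal(path: str) -> bool:
    """The '../' check the article describes (constructed model)."""
    return "../" in path or path.endswith("/..")

def flawed_serve(raw_path: str):
    """Buggy order (simplified model, not nhttpd's code): the '../' check runs
    on the decoded path BEFORE line breaks are removed. Returns the path the
    server would go on to use, or None if the request is rejected."""
    decoded = unquote(raw_path)          # '.%0d./' -> '.\r./', no '../' yet
    if contains_traversal(decoded):
        return None
    return strip_line_breaks(decoded)    # '.\r./' -> '../': the escape slips through

def hardened_serve(raw_path: str):
    """Correct order: decode and strip line breaks first, then check the result."""
    normalized = strip_line_breaks(unquote(raw_path))
    if contains_traversal(normalized):
        return None
    return normalized

def flag_suspicious_requests(log_lines):
    """Detection view: return request paths that escape the root once fully
    normalized, or that smuggle encoded CR/LF or '/' into the path at all."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m:
            path = m.group(1)
            if hardened_serve(path) is None or re.search(r"%0[dDaA]|%2[fF]", path):
                flagged.append(path)
    return flagged

if __name__ == "__main__":
    for path in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", path, "-> flawed order would serve", flawed_serve(path))
```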

Source: opennet.ru
