A vulnerability was discovered in the Apache HTTP server

Recently, news broke that a new attack vector had been found against the Apache HTTP server, one that remained unpatched in the 2.4.50 update and allows access to files in areas outside the root directory.

In addition, researchers found a way in which, under certain non-standard configurations, not only can system files be read, but code can be executed remotely on the server.

The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by directives such as Alias. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

In essence, the new problem (already registered as CVE-2021-42013) is entirely similar to the original vulnerability (CVE-2021-41773) in 2.4.49; the only difference is the use of a different character encoding.

Specifically, in version 2.4.50 the possibility of using the sequence "%2e" to encode a dot in the path was blocked, but the possibility of double encoding was missed: when the sequence "%%32%65" is specified, the server decodes it to "%2e" and then to ".", so the characters "../" used to move to the parent directory could be encoded as ".%%32%65/".

Both CVEs are practically the same path traversal vulnerability (the second is an incomplete fix of the first). Path traversal only works on mapped URIs (for example, via the Apache "Alias" or "ScriptAlias" directives). DocumentRoot alone is not enough.

Regarding exploitation of the vulnerability for code execution, this is possible if mod_cgi is enabled and the base path used is one where CGI scripts are allowed to run (for example, if the ScriptAlias directive is enabled or the ExecCGI flag is specified in the Options directive).

It is mentioned that a prerequisite for a successful attack is also that the Apache access configuration explicitly grants access to directories containing executable files, such as /bin, or access to the root of the filesystem, "/". Since such access is not normally granted, the code execution attack is of little practical use on real systems.

At the same time, the attack to obtain the contents of arbitrary system files and the source code of web scripts that are readable by the user the http server runs as remains viable. To carry out such an attack, it is enough to have a directory on the site configured using the "Alias" or "ScriptAlias" directives (DocumentRoot is not enough), such as "cgi-bin".

In addition, it is mentioned that the problem mainly affects continuously updated distributions (rolling releases) such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports.

Linux distributions based on the stable branches of server distributions such as Debian, RHEL, Ubuntu and SUSE are not vulnerable. The problem does not arise if access to directories is explicitly denied using the "require all denied" setting.

It is also worth mentioning that on October 6-7, Cloudflare recorded more than 300 attempts per day to exploit the CVE-2021-41773 vulnerability. Most of the time, as part of automated attacks, the contents of "/cgi-bin/.%2e/.git/config", "/cgi-bin/.%2e/app/etc/local.xml", "/cgi-bin/.
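The decoding behaviour described above (the server turning "%%32%65" into "%2e" and then into ".") and the request patterns Cloudflare observed suggest a simple log check a defender can run over existing access logs. The following Python script is an added example, not part of the article and not Apache project code. It percent-decodes each request path repeatedly until it stops changing (an assumed, simplified model of the buggy normaliser, not Apache's real decoder), counts the ".." segments that result, resolves where the path would have landed, and flags whether a second decode pass was needed (the CVE-2021-42013 signature as opposed to the single-encoded CVE-2021-41773 form). The log lines, IP addresses and timestamps are constructed for the example; the request paths mirror the patterns quoted on this page.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "common" format (not from the
# article); the request paths mirror the traversal forms the article describes.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.git/config HTTP/1.1" 200 312
203.0.113.7 - - [06/Oct/2021:10:12:02 +0000] "GET /cgi-bin/.%2e/app/etc/local.xml HTTP/1.1" 404 196
198.51.100.9 - - [07/Oct/2021:03:40:11 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1187
192.0.2.44 - - [07/Oct/2021:03:41:15 +0000] "POST /cgi-bin/.%%32%65/bin/sh HTTP/1.1" 200 48
192.0.2.10 - - [07/Oct/2021:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [07/Oct/2021:08:00:01 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 77
"""

# Minimal parser for the common log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(raw):
    """Strip the query string and percent-decode until the result is stable.

    This is an assumed simplification of the vulnerable normaliser: one pass turns
    "%%32%65" into "%2e", a second pass turns "%2e" into ".". Three passes are
    more than enough to reach a fixed point for the forms discussed on the page.
    """
    path = raw.split('?', 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_depth(raw):
    """Number of '..' segments after full decoding; > 0 means the request tried
    to step out of the mapped (Alias/ScriptAlias) directory."""
    return sum(1 for seg in canonical_path(raw).split('/') if seg == '..')


def is_double_encoded(raw):
    """True when one decode pass still leaves a percent-escape behind, i.e. the
    path only becomes a traversal after a second decode (the 2.4.50 bypass)."""
    once = unquote(raw.split('?', 1)[0])
    return once != raw and unquote(once) != once


def analyze_line(line):
    """Return a finding dict for a traversal attempt, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    depth = traversal_depth(path)
    if depth == 0:
        return None
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'raw': path,
        # Where the decoded path resolves to relative to the URL space root;
        # on a vulnerable server this is the file the alias mapping would reach.
        'resolved': posixpath.normpath(canonical_path(path)),
        'double_encoded': is_double_encoded(path),
        'depth': depth,
    }


def scan_log(text):
    """Run analyze_line over every line of an access log and keep the findings."""
    return [hit for hit in (analyze_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:>14} status={hit['status']} depth={hit['depth']} "
              f"double={hit['double_encoded']} {hit['raw']} -> {hit['resolved']}")
```

A 200 status on a flagged line is the signal to act on: on a patched 2.4.51 server, or one where directories outside the mapped paths carry "require all denied", these requests should come back as 403 or 404. Findings with `double_encoded` set identify probes aimed at 2.4.50 specifically, which is useful when deciding how urgently an upgrade is needed.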

The problem only manifests itself in versions 2.4.49 and 2.4.50; earlier versions are not affected. To fix the new variant of the vulnerability, the Apache httpd 2.4.51 release was quickly prepared.

Finally, if you are interested in learning more about it, you can check the details at the following link.

