PHP maintainers blame a master.php.net database leak

At the end of last month, news broke that an attacker had compromised the server used to distribute the PHP programming language and added a backdoor to the source code that would have left websites exposed to complete takeover, members of the open source project said.

The problem arose in two updates pushed to the PHP Git server during the week of March 27, in which a line was added that, if run by a website powered by this hijacked version of PHP, would have allowed unauthorized visitors to execute code of their choice.

The malicious commits gave the code the ability to inject code for visitors who had the word "zerodium" in an HTTP header. The commits were made to the php-src repository under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov.

After the compromise, Popov explained that the PHP leadership had concluded that their standalone Git infrastructure represented an unnecessary security risk.

As a result, the decision was made to shut down the git.php.net server and make GitHub the official source for the PHP repositories. In the future, all changes to the PHP source code will be made directly on GitHub rather than on git.php.net.

PHP maintainer Nikita Popov has published an update on how the source code was compromised and the malicious code inserted, blaming a leak of the user database rather than a problem with the server itself.

The team initially believed that the server hosting the repository had been compromised, but in a new post, Popov said:

“We no longer believe that the git.php.net server was compromised. However, it is possible that the master.php.net user database was leaked.” In addition, master.php.net has been migrated to a new main.php.net system.

Here are some of the details Popov gave on the progress of the investigation:

“When the first malicious commit was made under Rasmus's name, my initial reaction was to revert the change and revoke commit access for Rasmus's account, assuming that this was an individual account compromise. In hindsight, this action didn't really make sense, because no push was taking place through Rasmus's account in particular. Any account with access to the php-src repository could have pushed under a false name.

“When the second malicious commit was made under my own name, I checked the logs of our gitolite installation to see which account was actually used to perform the push. However, while all the adjacent commits were accounted for, there were no git-receive-pack entries for the two malicious commits, meaning that these two commits bypassed the gitolite infrastructure entirely. This was interpreted as possible evidence of a compromise.”

The actions taken so far include resetting all passwords and fixing the code to use prepared statements to protect against SQL injection attacks.

Using prepared statements has been a strongly recommended practice for many years, and the fact that code which did not do so had been running for so long at the heart of the PHP source code infrastructure only shows how common insecure legacy code is in an organization when it works and causes no obvious problems.

The master.php.net system, which is used for authentication and various administrative tasks, was running very old code on a very old PHP version / OS, so some kind of vulnerability would not be surprising. The maintainers have made several changes to increase the security of this system:

  • master.php.net has been migrated to a new system (running PHP 8) and renamed to main.php.net at the same time. Among other things, the new system supports TLS 1.2, which means you should no longer see TLS version warnings when accessing this site.
  • The implementation has been moved to parameterized queries, to ensure that SQL injection cannot occur.
  • Passwords are now stored using bcrypt.
  • Existing passwords have been reset (use main.php.net/forgot.php to generate a new one).
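
The two code-level changes in the list above (parameterized queries and bcrypt password storage), shown as an added example that is not taken from the php.net code base. The schema, the accounts, the function names and the crafted input are all constructed for illustration, and the script assumes the pdo_sqlite extension so that it can run against an in-memory database.

```php
<?php
declare(strict_types=1);
// Added example: constructed schema and accounts, not php.net's code.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Store only a bcrypt hash; password_hash() generates the salt itself.
function create_user(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => $hash]);
}

// Legacy pattern: the input becomes part of the SQL text, so a quote
// character in it ends the string literal and the rest is parsed as SQL.
function find_users_legacy(PDO $db, string $user): array
{
    $sql = "SELECT username FROM users WHERE username = '$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized: the statement is fixed and the input is bound as a value.
function find_users(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function verify_login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

create_user($db, 'alice', 'constructed-passphrase-1');
create_user($db, 'bob', 'constructed-passphrase-2');

$crafted = "nobody' OR '1'='1";            // constructed input, not a real username
printf("legacy rows: %d\n", count(find_users_legacy($db, $crafted)));
printf("parameterized rows: %d\n", count(find_users($db, $crafted)));
var_dump(verify_login($db, 'alice', 'constructed-passphrase-1'));
var_dump(verify_login($db, $crafted, 'constructed-passphrase-1'));
```

Comparing the two row counts shows the difference: the legacy lookup lets the input rewrite the WHERE clause, while the bound parameter is only ever compared as a username.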

Source: https://externals.io

