I-Snuffleupagus, imodyuli efanelekileyo yokuthintela ubungozi kwizicelo ze-PHP

Darkcrizt

Imizuzu ye4

Ukuba ungumphuhlisi wewebhu, mhlawumbi eli nqaku liza kuba ngumdla kuwe kuba kuyo siza kuthetha kancinci malunga neprojekthi Isnuffleupaguseyiphi ibonelela ngemodyuli kwitoliki ye-PHP ukwandisa ukhuseleko kwindalo esingqongileyo kwaye uvimbele iimpazamo eziqhelekileyo ezikhokelela ekubeni sesichengeni ekuphunyezweni kwezicelo ze-PHP.

Le modyuli Yenziwe ngendlela enomdla kakhulu, ukususela ngoku uwonyusa ngokumangalisayo umsebenzi Yintoni ekufuneka yenziwe ukwazi ukuphumelela kuhlaselo oluchasene neewebhusayithi, ngokususa iindidi zonke zeempazamo. Kwakhona ibonelela ngenkqubo enamandla yenqanawa, evumela umphathi ukuba alungise ubuthathaka obuthile kunye nokuphicothwa kokuziphatha okukrokrelayo ngaphandle kokuchukumisa ikhowudi ye-PHP.

Malunga ne-Snuffleupagus

Isnuffleupagus ibonakaliswa ngokubonelela ngenkqubo yemigaqo evumela ukusebenzisa zombini iitemplate eziqhelekileyo ukwandisa ukhuseleko kunye nokwenza eyakho imithetho yokulawula idatha yegalelo kunye neeparameter zomsebenzi.

Kwakhona ibonelela ngeendlela ezakhelweyo ngaphakathi zokuthintela ukuba semngciphekweni kweeklasi ezinje ngeengxaki ezinxulumene nokwenziwa kwedatha ngokulandelelana, ukusetyenziswa ngokungakhuselekanga kweposi ye-PHP (), ukulahleka komxholo wecookie ngexesha lokuhlaselwa kweXSS, iingxaki ngenxa yokukhuphela iifayile ezinekhowudi enokufezekiswa (umzekelo, kwifomathi ye-phar), Ukufakwa endaweni kweXML engachanekanga.

Imodyuli iyakuvumela ikuvumela ukuba wenze iipatches ezibonakalayo kumlawuli wewebhusayithi ukulungisa iingxaki ezithile ngaphandle kokutshintsha ikhowudi yemvelaphi yesicelo sesichengeni, esilungele ukusetyenziswa kwiinkqubo zokubamba ngobuninzi apho kungenakwenzeka ukugcina zonke izicelo zomsebenzisi zihlaziyiwe.

Inkcitho ngokubanzi yezixhobo ezivela kwimodyuli iqikelelwa njengeyona incinci. Imodyuli ibhalwe ngolwimi lweC, Idityaniswe ngendlela yethala leencwadi ekwabelwana ngalo kwifayile "php.ini".

Kukhetho lokhuseleko olunikezelwa yiSnuffleupagus, oku kulandelayo kuvela:

  • Ukufakwa ngokuzenzekelayo kweflegi "ekhuselekileyo" kunye ne "samesite" (ukukhuselwa kwi-CSRF) yeicookies, ukubethela kwecookie.
  • Imithetho eyakhelwe-ngaphakathi yokuchonga umkhondo wohlaselo kunye nokusetyenziswa kwezicelo.
  • Ukunyanzelwa kokubandakanywa kwehlabathi kwimowudi engqongqo "engqongqo" ethi ibhlokhe ukuzama ukubalula umtya ngelixa ulinde inani elipheleleyo njengengxoxo kunye nokukhuselwa kuhlobo lolungiso.
  • Ukubhloka okungagqibekanga kwesisongeli somgaqo (umzekelo, i "phar: //" ban) kunye nemvume yakho ecacileyo emhlophe.
  • Uthintelo lokwenza iifayile ezibhalekayo.
  • Uluhlu oluMnyama nolumhlophe lwe-eval.
  • Ukwenza ukuqinisekiswa okugunyazisiweyo kwesatifikethi se-TLS xa usebenzisa i-curl.
  • Yongeza i-HMAC kwizinto ezilandelelweyo ukuze kuqinisekiswe ukuba ukungafuneki kubuyisa idatha egcinwe sisicelo sokuqala.
  • Cela imo yobhaliso.
  • Vimba ukulayishwa kwefayile yangaphandle kwi-libxml usebenzisa amakhonkco kumaxwebhu eXML.
  • Amandla okudibanisa abaqhubi bangaphandle (upload_validation) ukuqinisekisa kunye nokuskena iifayile ezikhutshelweyo.
  • Nyanzelisa isiqinisekiso se-TLS xa usebenzisa i-curl
  • Cela umthamo wokukhuphela
  • Isiseko sekhowudi esempilweni
  • Iphakheji yovavanyo olupheleleyo kufutshane ne-100% yokugubungela
  • Isibophelelo ngasinye sivavanywa kunikezelo oluninzi

Ulwazi olongezelelekileyo

Okwangoku le modyuli ikwinguqulelo yayo engu-0.5.1 kwaye kuma kuyo a Inkxaso engcono ye-PHP 7.4 kunye nokumiliselwa kokuhambelana nesebe le-PHP 8 (ngoku eliphantsi kophuhliso).

ngaphandle koko iseti yomgaqo emiselweyo ihlaziyiwe nakwintoni kongezwe imithetho emitsha yobuthathaka obutsha obutsha kunye neendlela zokuhlasela usetyenziso lwewebhu.

Uyifaka njani iSnuffleupagus kwiLinux?

Gqibela kwabo banomdla wokuzama ukuzama le modyuli kuvavanyo lwepentest lwezicelo zakho ukuze kuphuculwe ukhuseleko lwazo okanye ukwandisa ukhuseleko lwezicelo zakho.

Into ekufuneka beyenzile kukuya kwiwebhusayithi esemthethweni yemodyuli kunye kwicandelo lakho lokukhuphela Uyakwazi ukufumana imiyalelo yolunye ulwahlulo olwahlukileyo lweLinux, ikhonkco yile.

Nangona, Banokukhetha ukufaka kwikhowudi yemvelaphi, Ngale nto banokulandela imiyalelo eyiyo icacisiwe kule khonkco.

Okokugqibela kodwa kungaphelelanga apho, ukuba ufuna ukwazi ngakumbi ngayo, funda amaxwebhu okanye ufumane ikhowudi yemvelaphi yokuphononongwa, ungakwenza oko. kule khonkco.


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Inoxanduva lwedatha: I-AB Internet Networks 2008 SL
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.