I-Snuffleupagus, imodyuli enhle kakhulu yokuvimba ukuba sengozini kuzinhlelo zokusebenza ze-PHP

Darkcrizt

Imizuzu ye-4

Uma ungunjiniyela wewebhu, le ndatshana ingahle ibe nentshisekelo kuwe ngoba kuyo sizokhuluma kancane ngale phrojekthi Isnuffleupagus, okuyinto ihlinzeka ngemodyuli kutolika we-PHP ukukhulisa ukuphepha kwemvelo futhi uvimbele amaphutha ajwayelekile aholela ekubeni sengozini ekwenzeni izinhlelo ze-PHP.

Le module Yenzelwe ngendlela ethakazelisa kakhulu, kusukela wandisa ngokuphawulekayo umsebenzi okumele kwenziwe ukuze ukwazi ukuphumelela ekuhlaselweni kumawebhusayithi, ngokususa wonke amakilasi amaphutha. Futhi inikeza uhlelo olunamandla lwe-patch ebonakalayo, evumela umphathi ukuthi alungise ubuthakathaka obuthile futhi ahlole ukusebenza okusolisayo ngaphandle kokuthinta ikhodi ye-PHP.

Mayelana ne-Snuffleupagus

Isnuffleupagus ibonakala ngokuhlinzeka ngohlelo lwemithetho evumela ukusebenzisa womabili amathempulethi ajwayelekile ukwandisa ukuvikelwa nokwakha imithetho yakho ukulawula idatha yokufaka kanye nemingcele yokusebenza.

Futhi inikeza izindlela ezakhelwe ngaphakathi zokuvimba amakilasi okuba sengozini njengezinkinga ezihlobene nokwenza i-serialization yedatha, ukusetshenziswa okungavikelekile komsebenzi we-imeyili we-PHP (), ukulahleka kokuqukethwe kwamakhukhi ngesikhathi sokuhlaselwa kwe-XSS, izinkinga ngenxa yokulanda amafayela anekhodi ephumelelayo (ngokwesibonelo, ngefomethi ye-phar), Ukufakwa kwezakhi ze-XML Engalungile.

Imodyuli nayo iyakuvumela ikuvumela ukuthi udale ama-virtual patches kumphathi wewebhusayithi ukulungisa izinkinga ezithile ngaphandle kokushintsha ikhodi yomthombo wohlelo lokusebenza isengozini, efanele ukusetshenziswa ezinhlelweni zokubamba ngobuningi lapho kungenakwenzeka ukugcina zonke izinhlelo zokusebenza zomsebenzisi zisesikhathini.

Izindleko ezijwayelekile zezinsizakusebenza ezitholakala ekusebenzeni kwemodyuli zilinganiselwa njengobuncane. Imodyuli ibhalwe ngolimi lwe-C, ixhunywe ngendlela yelabhulali eyabiwe kufayela elithi "php.ini".

Ezinketho zokuphepha ezinikezwa yiSnuffleupagus, okulandelayo kugqame:

  • Ukufakwa okuzenzakalelayo kwamafulegi "aphephile" nethi "samesite" (ukuvikela i-CSRF) kumakhukhi, ukubethela kwamakhukhi
  • Isethi yemithetho eyakhelwe ngaphakathi yokukhomba imikhondo yokuhlaselwa kanye nokufaka izicelo engozini.
  • Ukufakwa okuphoqiwe komhlaba wonke kwemodi eqinile "eqinile" ngokwesibonelo evimba umzamo wokucacisa intambo ngenkathi kulindwe inani eliphelele njengengxabano nokuvikelwa ekukhohlisweni kohlobo.
  • Ukuvinjelwa okuzenzakalelayo kwe-protocol wrappers (isibonelo, i- "phar: //" ban) ngemvume yakho ecacile yohlu olumhlophe.
  • Ukuvinjelwa kokwenza amafayela abhaliwe.
  • Izinhlu ezimnyama nezimhlophe ze-eval.
  • Inika amandla ukuqinisekiswa okuyimpoqo kwesitifiketi se-TLS lapho usebenzisa i-curl.
  • Faka i-HMAC kuzinto ezi-serial ukuze uqinisekise ukuthi ukwenziwa kwe-deserialization kuthola idatha egcinwe uhlelo lokusebenza lokuqala.
  • Cela imodi yokubhalisa.
  • Vimba ukulayishwa kwamafayela angaphandle ku-libxml usebenzisa izixhumanisi kumadokhumenti e-XML.
  • Amandla wokuxhuma abashayeli bangaphandle (upload_validation) ukuqinisekisa nokuskena amafayela alandiwe.
  • Qinisekisa ukuqinisekiswa kwesitifiketi se-TLS lapho usebenzisa i-curl
  • Cela umthamo wokulanda
  • Isisekelo sekhodi esinempilo
  • Iphakheji yokuhlola ephelele enokusabalala okucishe kube ngu-100%
  • Ukuzibophezela ngakunye kuhlolwe ekusatshalalisweni okuningi

Imininingwane eyengeziwe

Njengamanje le module isenguqulweni yayo engu-0.5.1 futhi kugqame kuyo a ukusekelwa okungcono kwe-PHP 7.4 futhi kwenziwa ukuhambisana negatsha le-PHP 8 (okwamanje elisaqhubeka).

Ngaphandle kwalokho isethi yemithetho emisiwe ibuyekeziwe nokuthi kuyini kungezwe imithetho emisha ngokuba sengozini namasu amasha okuhlasela izinhlelo zewebhu

Ungayifaka kanjani iSnuffleupagus kuLinux?

Okokugcina kulabo abanentshisekelo yokukwazi ukuzama le module ekuhlolweni kwe-pentest kwezinhlelo zakho zokusebenza ukuze kuthuthukiswe ukuphepha kwazo noma ukuze kwandiswe ukuphepha kwezinhlelo zakho zokusebenza.

Okufanele bakwenze ukuya kuwebhusayithi esemthethweni yemodyuli kanye esigabeni sakho sokulanda Uzokwazi ukuthola imiyalo yokunye ukusatshalaliswa kweLinux, isixhumanisi yilokhu.

Noma, futhi bangakhetha ukufaka kusuka kukhodi yomthombo, ngalokhu bangalandela imiyalo okuningiliziwe kulesi sixhumanisi.

Okokugcina, uma ufuna ukwazi kabanzi ngakho, funda imibhalo noma uthole ikhodi yomthombo ukuze ibuyekezwe, ungakwenza lokho. kusuka kulesi sixhumanisi.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Unomthwalo wemfanelo ngedatha: AB Internet Networks 2008 SL
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.