Drupal Symfony×é¼þ·ì϶°²È«¹«¸æ

°ä²¼¹¦·ò 2018-08-07

·ì϶±àºÅºÍ¼¶±ð

 

CVE-2018-14773 ¸ß CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

 

Ó°Ïì°æ±¾

 

Drupal < 8.5.6Symfony 2.7.0ÖÁ2.7.48£¬2.8.0ÖÁ2.8.43£¬3.3.0ÖÁ3.3.17£¬3.4.0ÖÁ3.4.13£¬4.0.0ÖÁ4.0.13£¬4.1.0ÖÁ4.1.2°æ±¾Symfony HttpFoundation×é¼þÊÜ´Ë°²È«ÎÊÌâµÄÓ°Ïì¡£

 

·ì϶¸ÅÊö

 

Symfony HttpFoundation×é¼þÊÇDrupal CoreÖÐʹÓõĵÚÈý·½¿â£¬¸Ãȱµã»áÓ°Ïì8.5.6֮ǰµÄDrupal 8.x°æ±¾¡£SymfonyÊǺܶàÏîÄ¿ÔÚʹÓõÄWebÀûÓ÷¨Ê½¿ò¼Ü£¬ÕâÒâζ×ÅCVE-2018-14773·ì϶¿ÉÄÜ»áÓ°Ïì´óÁ¿WebÀûÓ÷¨Ê½¡£

 

¸ÃȱµãÊÇÓÉÓÚSymfonyÖ§³ÖÒÅÁôºÍΣÏÕµÄHTTP±êÍ·¡£

 

Ô¶³Ì¹¥»÷Äܹ»Í¨¹ýʹÓÃÌØÔìµÄ¡°X-Original-URL¡±»ò¡°X-Rewrite-URL¡±HTTP±êÍ·Ö·´´¥·¢¸Ãȱµã¡£

 

DrupalÊØ»¤ÕßÒ²·¢ÏÖÁËÒ»¸öÀàËƵÄÎÊÌ⣬ӰÏìÁËDrupal CoreÖÐʹÓõĠ Zend Feed  ºÍ Diactoros ¿â¡£ÕâЩ¿âÊܵ½¡°URL³Áд·ì϶¡±µÄÓ°Ï죬ÎÞÂÛÈôºÎ£¬DrupalÍŶÓÈ·ÈÏ  Drupal Core²»Ê¹ÓÃÒ×Êܹ¥»÷µÄÖ°ÄÜ¡£

 

ʹÓÃZend Feed»òDiactorosµÄÍøÕ¾µÄÖÎÀíÔ±±ØÒª¾¡¿ì½¨²¹ËüÃÇ¡£ÔÚºÚ¿ÍÆðÍ·ÀûÓÃCVE-2018-14773·ì϶֮ǰ£¬DrupalÖÎÀíÔ±±ØÒª´¹Î£½¨²¹ËûÃǵÄ×°Öá£

 

GA»Æ½ð¼×¡¤(ÖйúÇø)¹Ù·½ÍøÕ¾

 

½¨¸´½¨Ò飺

 

Õâ¸ö·ì϶ÒÑÔÚSymfony°æ±¾2.7.49£¬2.8.44£¬3.3.18£¬3.4.14£¬4.0.14ºÍ4.1.3Öн¨¸´£¬DrupalÒÑÔÚÆä×îа汾8.5.6Öн¨²¹Á˸ÃÎÊÌâ¡£

 

https://www.drupal.org/SA-CORE-2018-005

https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b

²Î¿¼Á´½Ó£º

https://www.securityfocus.com/bid/104943/references

https://www.drupal.org/SA-CORE-2018-005

https://www.drupalcenter.de/aggregator/categories/7

https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers