A vulnerability has been found in Pling that affects the KDE Store, OpenDesktop, AppImage Hub and other stores

A Berlin startup has disclosed a remote code execution (RCE) vulnerability and a cross-site scripting (XSS) flaw in Pling, the platform behind several application catalogs, which could allow JavaScript code to be executed in the context of other users. The affected sites include some of the largest free software application catalogs, such as store.kde.org, appimagehub.com, gnome-look.org, xfce-look.org, pling.com and others.

Positive Security, which discovered the holes, says the bugs are still present in the Pling code and that its maintainers have not responded to the vulnerability report.

Earlier this year, we looked at how popular desktop applications handle user-supplied URIs and found code execution vulnerabilities in many of them. One of the applications I examined was the KDE Discover App Store, which turned out to handle untrusted URIs in an insecure way (CVE-2021-28117, KDE Security Advisory).

Along the way, I quickly found several more serious vulnerabilities in other free software marketplaces.

A wormable XSS with the potential for attacks on Pling-based marketplaces, and a still-exploitable drive-by RCE affecting users of the PlingStore application.

Pling presents itself as a marketplace where creators upload themes and artwork for the Linux desktop, among other things, in the hope of earning something from their fans. It comes in two parts: the code needed to run the marketplace website, and an Electron-based application that users can install to manage their themes from the Pling marketplace. The web code has an XSS, and the client has both an XSS and an RCE. Pling powers many sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.

The core of the problem is that the Pling platform lets listings embed additional media as HTML, for example to insert a YouTube video or an image. The markup added this way is not validated correctly, which allows malicious code to be added under the guise of an image and placed in the catalog as listing content that executes JavaScript when viewed. If the listing is opened by a user who has an account, it becomes possible to perform actions in the catalog on behalf of that user, including adding the same JavaScript payload to their own pages, which amounts to a kind of network worm.

In addition, a vulnerability was found in the PlingStore application, which is written on the Electron platform and lets users browse the OpenDesktop catalog without a browser and install the packages offered there. The vulnerability in PlingStore allows code to be run on the user's system.

While the PlingStore application is running, the ocs-manager process is also started; it accepts local connections over WebSocket and executes commands such as downloading and launching applications in AppImage format. Only the PlingStore application is supposed to send these commands, but in practice, because there is no authentication, a request can be sent to ocs-manager from the user's browser. If the user opens a malicious page, that page can open a connection to ocs-manager and run code on the user's system.

An XSS vulnerability was also reported in the extensions.gnome.org catalog: in the field holding the extension's homepage URL, JavaScript code can be specified in the form "javascript: code", and when the link is clicked, that JavaScript runs instead of the project page being opened.

On the one hand, the problem is more theoretical, since submissions to the extensions.gnome.org catalog are moderated and the attack requires not only opening a specific page but also explicitly clicking the link. On the other hand, during review a moderator may well want to visit the project page, follow the link without inspecting it, and thereby run the JavaScript code in the context of their own account.
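The two web-side issues above, the unvalidated HTML embed in Pling listings and the "javascript:" homepage link on extensions.gnome.org, share one defensive pattern: never echo user-supplied markup or URL schemes. The following is an added example, not Pling's or GNOME's code, showing that pattern in Node.js: accept only a URL, allow only http(s), and generate the embed markup server-side from validated pieces (the hostnames and the YouTube embed form are assumptions for illustration).

```javascript
// Added example (not Pling's or GNOME's code): accept a URL rather than raw
// HTML for embeds, allow only http(s), and build the markup server-side.

// Only these schemes are accepted in any user-supplied link
// (rejects javascript:, data:, vbscript: and so on).
const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Parse a user-supplied link; return the URL object if the scheme is safe, else null.
function safeHttpUrl(input) {
  let u;
  try {
    u = new URL(String(input).trim());
  } catch (e) {
    return null; // relative or malformed input is rejected, not guessed at
  }
  return SAFE_SCHEMES.has(u.protocol) ? u : null;
}

// Escape a value before placing it inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hosts assumed for illustration; a real deployment keeps its own allowlist.
const YOUTUBE_HOSTS = new Set(['youtube.com', 'www.youtube.com']);

// Build embed markup from a URL. User input never reaches the output as HTML;
// only a validated 11-character video id or an escaped image URL does.
function renderEmbed(input) {
  const u = safeHttpUrl(input);
  if (!u) return null;
  if (YOUTUBE_HOSTS.has(u.hostname)) {
    const id = u.searchParams.get('v');
    if (!id || !/^[A-Za-z0-9_-]{11}$/.test(id)) return null;
    return `<iframe src="https://www.youtube-nocookie.com/embed/${id}" allow="fullscreen"></iframe>`;
  }
  if (/\.(png|jpe?g|gif|webp)$/i.test(u.pathname)) {
    return `<img src="${escapeAttr(u.href)}" alt="">`;
  }
  return null; // anything else is not an embed type the site supports
}
```

Because the output is assembled from a parsed URL rather than from the submitted string, an attribute-breakout attempt in the path ends up percent-encoded by the URL parser and fails the image-extension check instead of reaching the page.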

Finally, if you are interested in learning more about this, you can consult the details at the following link.
