Vulnerabilities found in Pling that affect the KDE Store, OpenDesktop, AppImageHub and other stores

A Berlin-based startup has disclosed remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities in Pling, the platform behind a number of application and artwork stores, which could allow JavaScript code to be executed in the context of other users. The affected sites include some of the major free software catalogs, such as store.kde.org, appimagehub.com, gnome-look.org, xfce-look.org and pling.com, among others.

Positive Security, which found the holes, said that the bugs are still present in the Pling code and that its maintainers have not responded to the vulnerability reports.

Earlier this year, we looked at how desktop applications handle user-supplied URIs and found code execution vulnerabilities in several of them. One of the applications I examined was the KDE Discover App Store, which turned out to handle untrusted URIs in an unsafe way (CVE-2021-28117, KDE Security Advisory).

Along the way, I quickly found several more serious vulnerabilities in other free software marketplaces.

A wormable XSS with the potential for supply chain attacks on Pling-based marketplaces, and a drive-by RCE affecting users of the PlingStore application, could be exploited.

Pling presents itself as a marketplace for creators to upload themes and graphics for Linux desktops, among other things, in the hope of earning some income from supporters. It comes in two parts: the code needed to run your own bling bazaar, and an Electron-based application that users can install to manage their themes from the Pling souk. The web code carries the XSS; the client carries both the XSS and the RCE. Pling powers several sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.

The root of the problem is that the Pling platform allows multimedia blocks to be added to a listing in HTML form, for example to embed a YouTube video or an image. The markup submitted through the form is not validated properly, which lets an attacker slip malicious code in under the guise of an image and publish a listing in the catalog in which that JavaScript runs whenever the listing is viewed. If a logged-in user opens such a listing, actions can be performed in the catalog on that user's behalf, including injecting the same JavaScript into their own pages, so the payload spreads like a network worm.

In addition, a vulnerability was identified in the PlingStore application, which is written on the Electron platform and lets you browse the OpenDesktop catalogs without a browser and install the packages offered there. The vulnerability in PlingStore allows code supplied by a malicious website to run on the user's system.

When the PlingStore application is running, the ocs-manager process is started alongside it; it accepts local connections over WebSocket and executes commands such as downloading and opening files in AppImage format. The commands are supposed to come from the PlingStore application, but in practice, because there is no authentication, a request can be sent to ocs-manager from the user's browser. If the user opens a malicious site, that site can connect to ocs-manager and have code executed on the user's system.

An XSS vulnerability was also identified in the extensions.gnome.org catalog: in the field for the URL of the project's home page, JavaScript can be specified in the form "javascript: code", and when the link is clicked, the specified JavaScript runs instead of the project's site being opened.

On the one hand, the problem is rather hypothetical, since submissions to the extensions.gnome.org catalog are moderated and the attack requires not just opening a page but an explicit click on the link. On the other hand, during review a moderator may well want to visit the project site, not look closely at the form of the link, and thereby run the JavaScript in the context of their own account.
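Both the Pling media-embed issue and the extensions.gnome.org homepage link above come down to the same mistake: user-supplied markup or a user-supplied URL is written into the page as-is. The following is an added example (not Pling or extensions.gnome.org code) of the approach that avoids it. The site accepts a URL rather than HTML, parses it with the WHATWG URL parser, allows only the schemes and hosts it expects, and generates the markup itself with escaped attributes. The YouTube host names, the 11-character video ID format and the `youtube-nocookie.com` embed endpoint are assumptions of this example; the point is the allowlist shape, not those specific values.

```javascript
// Added example: build media embeds and homepage links from URLs instead of
// accepting HTML. Not Pling or extensions.gnome.org code.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Parse a user-supplied string and accept only the listed schemes. Because the
// check runs on the parsed protocol, not the raw string, variants such as
// "JavaScript:" or "java\tscript:" (tabs are stripped by the parser) are caught.
function parseWebUrl(raw, allowedProtocols) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return null;
  }
  return allowedProtocols.includes(url.protocol) ? url : null;
}

// Assumption for this example: YouTube IDs are 11 chars of [A-Za-z0-9_-].
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

function youtubeVideoId(url) {
  if (url.hostname === "youtu.be") {
    const id = url.pathname.slice(1);
    return YOUTUBE_ID.test(id) ? id : null;
  }
  // Exact hostname comparison: "www.youtube.com.evil.example" does not match.
  if ((url.hostname === "www.youtube.com" || url.hostname === "youtube.com") &&
      url.pathname === "/watch") {
    const id = url.searchParams.get("v");
    return id !== null && YOUTUBE_ID.test(id) ? id : null;
  }
  return null;
}

// kind is "video" or "image"; returns generated HTML or null if rejected.
function buildMediaEmbed(kind, rawUrl) {
  const url = parseWebUrl(rawUrl, ["https:"]);
  if (!url) return null;
  if (kind === "video") {
    const id = youtubeVideoId(url);
    if (!id) return null;
    // Only the validated ID reaches the markup; the user's URL never does.
    return `<iframe src="https://www.youtube-nocookie.com/embed/${id}" ` +
           `sandbox="allow-scripts allow-same-origin" allowfullscreen></iframe>`;
  }
  if (kind === "image") {
    // url.href is the re-serialised form: quotes and spaces in the path are
    // percent-encoded by the parser, and escapeAttr covers what remains.
    return `<img src="${escapeAttr(url.href)}" alt="">`;
  }
  return null;
}

// Homepage link for a catalog entry: http(s) only, so "javascript:" and
// "data:" are refused before any HTML is produced.
function buildHomepageLink(rawUrl) {
  const url = parseWebUrl(rawUrl, ["http:", "https:"]);
  if (!url) return null;
  return `<a href="${escapeAttr(url.href)}" rel="noopener noreferrer nofollow">` +
         `${escapeAttr(url.hostname)}</a>`;
}

module.exports = { escapeAttr, parseWebUrl, buildMediaEmbed, buildHomepageLink };
```

If the site must keep accepting free-form HTML, the same principle applies: run it through an allowlist-based sanitizer that drops every element, attribute and URL scheme not explicitly permitted, rather than trying to blocklist `<script>` tags or `on*` attributes, which is the pattern a payload "disguised as an image" is designed to get past.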

Finally, if you are interested in learning more about it, you can consult the details at the following link.

