Vulnerability discovered in Pling affecting the KDE Store, OpenDesktop, AppImage and other stores

A Berlin-based startup has disclosed a remote code execution (RCE) vulnerability and a cross-site scripting (XSS) flaw in Pling, the platform on which several application catalogs are built; the flaws allow JavaScript code to be executed in the context of other users. The affected sites include several free-software application catalogs such as store.kde.org, appimagehub.com, gnome-look.org, xfce-look.org and pling.com, among others.

Positive Security, who found the holes, said the bugs are still present in the Pling code and that the maintainers have not responded to the vulnerability reports.

Earlier this year, we looked at how popular desktop applications handle user-supplied URIs and found code execution vulnerabilities in several of them. One of the applications I examined was the KDE Discover App Store, which turned out to handle untrusted URIs in an insecure way (CVE-2021-28117, KDE Security Advisory).

Along the way, I quickly found several more serious vulnerabilities in other free-software marketplaces.

A wormable XSS with the potential for supply-chain attacks on Pling-based marketplaces, and a drive-by RCE affecting users of the PlingStore application, remain exploitable.

Pling presents itself as a marketplace where creators upload themes and artwork for the Linux desktop, among other things, in the hope of earning something from supporters. It comes in two parts: the code needed to run their own Pling bazaar, and an Electron-based application that users can install to manage their themes in the Pling souk. The web code has an XSS, and the client has an XSS and an RCE. It powers several sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.

The core of the problem is that the Pling platform allows multimedia blocks to be added in HTML format, for example to embed a YouTube video or an image. The markup submitted through the form is not validated properly, which makes it possible to add malicious code under the guise of an image and publish an entry in the catalog that executes JavaScript when it is viewed. If that entry is shown to users who have an account, actions can then be performed in the catalog on that user's behalf, including inserting the same JavaScript call into their own pages, which amounts to a network worm.
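The embed problem described above can be closed at the design level: instead of storing whatever HTML the form submits, the site accepts an embed as structured data (type plus URL) and generates the markup itself, so user-supplied HTML is never stored or rendered. The following is an added example, not code from Pling or OpenDesktop; the function names, the image-host allowlist and the sample submissions are assumptions.

```javascript
// Added example, not code from Pling or OpenDesktop. Embeds arrive as structured
// data and the server generates the markup, so user HTML never reaches the page.
// All names are hypothetical; the sample submissions below are constructed.

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse with the WHATWG URL parser and accept only http(s) URLs whose host is on
// the allowlist. Returns the URL object or null.
function allowedUrl(raw, allowedHosts) {
  let u;
  try { u = new URL(String(raw)); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (!allowedHosts.includes(u.hostname)) return null;
  return u;
}

const IMAGE_HOSTS = ['cdn.example.org'];   // assumption: the site's own media host
const VIDEO_HOSTS = ['www.youtube.com', 'youtube.com', 'youtu.be'];

// Extract a YouTube video id from the watch/share URL forms. Ids are 11
// characters of [A-Za-z0-9_-]; anything else is rejected.
function youtubeId(u) {
  const id = u.hostname === 'youtu.be' ? u.pathname.slice(1) : u.searchParams.get('v');
  return id && /^[A-Za-z0-9_-]{11}$/.test(id) ? id : null;
}

// Render one embed block to HTML. Returns null for anything outside the schema,
// so the caller rejects the submission instead of storing it.
function renderEmbed(block) {
  if (!block || typeof block !== 'object') return null;
  if (block.type === 'image') {
    const u = allowedUrl(block.src, IMAGE_HOSTS);
    if (!u) return null;
    return `<img src="${escapeHtml(u.href)}" alt="${escapeHtml(block.alt || '')}">`;
  }
  if (block.type === 'youtube') {
    const u = allowedUrl(block.src, VIDEO_HOSTS);
    const id = u && youtubeId(u);
    if (!id) return null;
    // The iframe src is built from the validated id, never from the raw input.
    return `<iframe src="https://www.youtube.com/embed/${id}" allowfullscreen></iframe>`;
  }
  return null;   // unknown block type: there is no raw-HTML passthrough
}

// Five constructed submissions: three render (the hostile alt text is neutralised
// by escaping), two are refused outright.
const SAMPLES = [
  { type: 'image', src: 'https://cdn.example.org/shot.png', alt: 'Theme preview' },
  { type: 'youtube', src: 'https://youtu.be/dQw4w9WgXcQ' },
  { type: 'image', src: 'https://cdn.example.org/shot.png', alt: '"><script>alert(1)</script>' },
  { type: 'image', src: 'javascript:alert(1)' },
  { type: 'raw', html: '<img src=x onerror=alert(1)>' },
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', renderEmbed(s));
```

Run it with node; each constructed submission prints either the generated markup or null. The design point is that no path exists from the submitted string into the page: attribute values are escaped, URLs are parsed and checked against a host allowlist, and the iframe target is rebuilt from a validated id rather than copied from the input.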

In addition, a vulnerability was found in the PlingStore application, which is written on the Electron platform and lets the user browse OpenDesktop catalogs without a browser and install the packages offered there. The vulnerability in PlingStore allows code to be run on the user's system.

When the PlingStore application is running, it additionally starts the ocs-manager process, which accepts local connections over a WebSocket and executes commands such as downloading and launching applications in AppImage format. The commands are meant to come from the PlingStore application, but in practice, because there is no authentication, a request can be sent to ocs-manager from the user's browser. If the user opens a malicious site, that site can open a connection to ocs-manager and execute code on the user's system.

An XSS vulnerability has also been reported in the extensions.gnome.org catalog: in the field for the plugin's home-page URL, JavaScript code can be specified in the form "javascript: code", and when the link is clicked the supplied JavaScript runs instead of the project site opening.

On the one hand, the problem is largely theoretical, because listings in the extensions.gnome.org catalog are moderated and the attack requires not just opening a particular page but an explicit click on the link. On the other hand, during review a moderator may well want to visit the project site, pay no attention to the form of the link, and thereby run the JavaScript code in the context of their own account.
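The home-page link flaw is a scheme-validation problem, and the wrong fix is as common as the bug. The following added example (not code from extensions.gnome.org) contrasts a prefix check, which browser URL normalisation gets past, with a check that parses the value the way a browser does and allows only http and https; the function names and the inputs are constructed.

```javascript
// Added example, not code from extensions.gnome.org. Validates a user-supplied
// "project homepage" value before it is stored, so the rendered link can only
// point at an http(s) site. Function names are hypothetical; inputs are constructed.

// The tempting fix, and it is wrong: browsers strip leading whitespace and
// embedded tab/newline characters from a URL before reading the scheme, so
// values this check lets through still run as javascript: once clicked.
function naiveLooksSafe(raw) {
  return !String(raw).toLowerCase().startsWith('javascript:');
}

// Correct check: parse with the same WHATWG algorithm the browser uses and
// allow only the schemes we mean to link to. Returns the normalised absolute
// URL, or null when the value must be rejected.
function safeHomepage(raw) {
  if (typeof raw !== 'string') return null;
  let u;
  try {
    u = new URL(raw);                  // no base URL: relative values are rejected too
  } catch {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;   // "https://user:pw@host" is a lookalike trick
  return u.href;
}

// Constructed inputs as a moderator might see them in the submission form.
const INPUTS = [
  'https://example.org/project',
  'HTTPS://Example.ORG/project',
  'javascript:alert(1)',
  '  JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,hello',
  '//example.org/project',
];
for (const raw of INPUTS) {
  console.log(JSON.stringify(raw), 'naive:', naiveLooksSafe(raw), 'parsed:', safeHomepage(raw));
}
```

The two middle inputs are the instructive ones: the prefix check reports them as safe, while the parser sees their scheme as `javascript:` exactly as the browser will. Storing the normalised `href` returned by `safeHomepage` (rather than the raw string) also means the value rendered later is the one that was checked.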

Finally, if you are interested in learning more about it, you can consult the details at the following link.
