An gano mummunar rauni a cibiyar sadarwar abun ciki na cdnjs na Cloudflare, wanda aka ƙera don hanzarta isar da dakunan karatu na JavaScript, yana ba da izinin aiwatar da code na sabani akan sabar CDN. Haɗarin matsalar yana ƙara ta'azzara ganin cewa kusan kashi 12.7% na duk rukunin yanar gizo na amfani da sabis ɗin don saukar da dakunan karatu na JavaScript, da yin sulhu da abubuwan more rayuwa yana ba da damar sauya ɗakunan karatu da kowane ɗayan waɗannan rukunin yanar gizon ya samar.
Sabis na cdnjs yana zazzage fakiti daga Git ko ma'ajiyar NPM, bayan haka yana ba kowane rukunin yanar gizo damar amfani da hanyar sadarwar isar da abun ciki na Cloudflare kyauta don hanzarta loda dakunan karatu na JavaScript. Lokacin nazarin lambar abubuwan abubuwan cdnjs da aka buga akan GitHub, an bayyana cewa don buɗe fakitin NPM a cikin tarihin tgz, ana amfani da daidaitaccen ma'aunin tarihin / tar a cikin harshen Go, wanda ke samar da jerin fayiloli kamar yadda yake, ba tare da daidaita hanyoyin ba. . A cikin yanayin lokacin da rubutun ya buɗe abubuwan da ke ciki dangane da lissafin da aka bayar, kasancewar a cikin ma'ajiyar fayiloli kamar ".././../../.././. kai ga sake rubuta fayilolin sabani a cikin tsarin, gwargwadon haƙƙin samun dama.
An ba da shawarar cewa maharin na iya neman ƙara laburaren karatunsa zuwa cdnjs kuma ya loda wani tsari na musamman wanda ya ƙunshi fayiloli masu haruffan “../” a kan hanyar zuwa wurin ajiyar NPM. A kan sabobin cdnjs, ana yin aikin "autoupdate" lokaci-lokaci, wanda mai kula da shi ke zazzage sabbin nau'ikan laburaren da aka tsara kuma yana buɗe abubuwan da ke ciki. Yin amfani da fayiloli tare da hanyoyi "../", mai hari na iya sake rubuta fayiloli tare da rubutun sabis kuma ya aiwatar da lambar su akan uwar garken da aka yi kwashe kayan.
Game da zazzage sabuntawa daga Git, an gano cewa mai sarrafa abubuwan da ke zazzage sabuntawar bai yi la'akari da hanyoyin haɗin yanar gizo ba lokacin yin kwafin fayiloli daga Git. Wannan fasalin ya ba da damar tsara karatun kowane fayiloli daga uwar garken ta ƙara alamomin alaƙa zuwa Git.
An yanke shawarar fara gwaje-gwaje tare da nunin hacking cdnjs don karɓar kyauta a HackerOne ta hanyar gwada hasashe game da karatun fayil. An ƙara gwajin hanyar haɗin yanar gizo na alama.js zuwa wurin ajiyar Git na ɗakin karatu na JavaScript da aka yi aiki ta CDN, yana nuni zuwa fayil ɗin /proc/self/maps. Bayan buga sabon sigar ɗakin karatu, mai ɗaukan sabuntawa ya sarrafa wannan ma'ajiyar kuma ya buga takamaiman fayil ɗin a cdnjs (an ƙirƙira test.js azaman hanyar haɗi ta alama kuma lokacin da aka nemi wannan fayil ɗin, an dawo da abubuwan da ke cikin /proc/self/maps. ).
Sauya hanyar haɗi ta alama zuwa fayil /proc/self/environ, marubucin binciken ya lura cewa bayanan da aka bayar sun ƙunshi ƙimar masu canjin yanayi GITHUB_REPO_API_KEY da WORKERS_KV_API_TOKEN. Maɓallin farko ya adana maɓallin API don samun dama ga ma'ajiyar robocdnjs akan GitHub. Maɓalli na biyu ya adana alamar zuwa ma'ajiyar KV a cdnjs. Yin amfani da bayanan da aka karɓa, maharin zai iya yin canje-canje zuwa cdnjs kuma ya lalata kayan aikin gaba ɗaya.
source: budenet.ru