75 vulnerabilities fixed in the Magento e-commerce platform

In Magento, the open e-commerce platform that holds about 20% of the market for systems used to build online stores, vulnerabilities have been identified which, combined, allow an attacker to execute their own code on the server, gain full control over the online store and redirect payments. The vulnerabilities are fixed in Magento releases 2.3.2, 2.2.9 and 2.1.18, which together resolve 75 security issues.

The first issue allows an unauthenticated user to inject JavaScript (XSS) that is executed when the history of cancelled purchases is viewed in the administration interface. The root of the vulnerability is the ability to bypass the text sanitization performed by the escapeHtmlWithLinks() function when the note in the cancellation form on the checkout screen is processed (by using the tag "a href=http://onmouseover=..." inside another tag). The problem manifests when the built-in Authorize.Net module, used to accept credit card payments, is in use.
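The sanitizer weakness described above is a classic one: a function that both escapes text and turns URLs into links must never let any part of the input become tag or attribute syntax. The following is an added example, not Magento's escapeHtmlWithLinks() and not code from the article, showing the safe shape of such a function in PHP: every byte of input goes through htmlspecialchars(), the `<a>` tag is emitted by the function itself, and a URL is linked only after parse_url() confirms an http or https scheme. The regex, function names and sample note are constructed for the example.

```php
<?php
// Added example (not Magento's code): escape free text for HTML output while
// turning bare http(s) URLs into links. Input never contributes markup; the
// only tag in the output is the <a> built here, with its attribute value escaped.
function escapeTextWithLinks(string $text): string
{
    $out = '';
    // Split into URL candidates and ordinary text. The pattern is deliberately
    // simple and constructed for this example; it stops at whitespace and quotes
    // so a URL token can never swallow attribute-breaking characters.
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        // Escape everything, including the URL that will go into href="...".
        $escaped = htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        // With one capture group, odd indexes hold the captured URL candidates.
        if ($i % 2 === 1 && isSafeHttpUrl($part)) {
            $out .= '<a href="' . $escaped . '" rel="noopener noreferrer">' . $escaped . '</a>';
        } else {
            $out .= $escaped;
        }
    }
    return $out;
}

// Accept only absolute http/https URLs with a host; javascript:, data: and
// scheme-relative values never reach an href.
function isSafeHttpUrl(string $url): bool
{
    $parts = parse_url($url);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed sample note mixing plain text, markup characters and a URL.
$note = 'Refund requested <b>urgent</b> http://example.com/order?id=5&note="late"';
echo escapeTextWithLinks($note), PHP_EOL;
// The <b> tags and quotes come out as entities; only the URL becomes a link.
```

The design point is that the link markup is produced after escaping, from a token the code has already validated, so nesting one tag inside another in the input has nothing to attach to. Any attribute added later (a title, a class) should be built the same way, from escaped values chosen by the code rather than copied from the input.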

To gain full control, JavaScript code running in the context of the current session of a store employee is used to exploit a second vulnerability, which allows uploading a phar file disguised as an image (a "Phar deserialization" attack). The Phar file can be uploaded through the image insertion form of the built-in WYSIWYG editor. Once they achieve execution of their PHP code, the attacker can alter payment details or intercept customers' credit card data.
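The upload path described above is dangerous because, on PHP versions before 8.0, PHP unserializes a phar archive's metadata as soon as a phar:// path reaches a filesystem function, so a file that passes as an image but carries a phar archive becomes a deserialization vector. The following is an added example of the defensive side, not Magento's upload handler and not code from the article: it unregisters the phar:// stream wrapper for an application that does not need it, and it accepts an uploaded image only after checking the detected content type, refusing anything that contains a phar stub, and re-encoding the image so that nothing but pixel data is stored. Function names, the allow-list and the usage lines are constructed for the example.

```php
<?php
// Added example (not Magento's code): harden an image upload against
// image/phar polyglots and remove the phar:// wrapper the application never uses.

// An application that does not load phar archives at runtime can drop the wrapper,
// so a phar:// path passed to any file function fails instead of being parsed.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Content types accepted for upload; the client-supplied name and MIME are ignored.
const ALLOWED_IMAGE_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns the stored path on success, or null if the file is rejected.
function sanitizeUploadedImage(string $tmpPath, string $destDir): ?string
{
    $bytes = file_get_contents($tmpPath);
    if ($bytes === false || $bytes === '') {
        return null;
    }
    // Layer 1: the Phar format requires the stub to end with __HALT_COMPILER();
    // a genuine image has no reason to contain that token anywhere.
    if (stripos($bytes, '__HALT_COMPILER') !== false) {
        return null;
    }
    // Layer 2: detect the type from content, not from the filename extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->buffer($bytes);
    if (!isset(ALLOWED_IMAGE_MIME[$mime])) {
        return null;
    }
    // Layer 3: decode and re-encode with GD. Trailing or embedded non-image
    // bytes (an appended archive, for instance) do not survive this step.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // Server-chosen random name and fixed extension; the original name is never reused.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Constructed usage: call after is_uploaded_file() has confirmed the temp file.
// $stored = sanitizeUploadedImage($_FILES['image']['tmp_name'], __DIR__ . '/media');
// if ($stored === null) { http_response_code(400); exit('image rejected'); }
```

Re-encoding everything to PNG is the simplest way to guarantee that only decoded pixels are written back; it discards GIF animation and EXIF data, which is the right default for content an unauthenticated or low-privilege user can upload. Where the original format must be preserved, keep the first two layers and re-encode with the matching GD writer (imagejpeg(), imagegif()) instead.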

Interestingly, information about the XSS problem was sent to the Magento developers in September 2018, after which a patch was released at the end of November which, as it turned out, only eliminated one special case and was easily bypassed. In January, the possibility of uploading a Phar file disguised as an image was additionally reported, and it was shown how the combination of the two vulnerabilities could be used to compromise online stores. At the end of March, Magento 2.3.1, 2.2.8 and 2.1.17 fixed the problem with Phar files but left out the XSS fix, even though the issue ticket was closed. In April the XSS was reported again, and the issue was fixed in releases 2.3.2, 2.2.9 and 2.1.18.

It should be noted that these releases also fix 75 vulnerabilities, 16 of which are rated critical, and 20 of the issues can lead to PHP code execution or SQL injection. The most dangerous problems can only be exploited by an authenticated user, but, as shown above, authenticated access can easily be obtained through XSS vulnerabilities, several dozen of which are listed in the new releases.

source: budenet.ru
