Vulnerability in the Spreadsheet::ParseExcel Perl module used to compromise Barracuda ESG

A critical vulnerability (CVE-2023-7101) has been identified in the Perl module Spreadsheet::ParseExcel, which provides functions for parsing Excel files. It allows arbitrary code execution when processing XLS or XLSX files that contain specially crafted number format rules. The vulnerability is caused by data taken from the file being processed being used to build an "eval" call. The problem is fixed in the Spreadsheet::ParseExcel 0.66 update. An exploit example is available.

Vulnerable code:

    if ($format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
        $conditional = $1;
        $format_str = $2;
    }
    ...
    # $conditional comes straight from the file and is compiled as Perl here
    $section = eval "$number $conditional" ? 0 : 1;

Example that runs the whoami command:

    1;system('whoami > /tmp/inject.txt')]123"/ >
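A hardened form of the conditional handling shown above, as an added example (not the module's actual 0.66 patch and not code from the original article): the operator and operand are parsed with a strict pattern and compared through a dispatch table, so nothing from the file reaches `eval`. The helper names `parse_conditional` and `select_section` and the sample format strings are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Comparison operators an Excel conditional section may use, mapped to
# plain Perl closures so no file-derived text is ever compiled.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Hypothetical helper: split "[<op><number>]rest" into (op, operand, rest).
# Returns an empty list when the bracketed text is not a strict comparison.
sub parse_conditional {
    my ($format_str) = @_;
    return
      unless $format_str =~ /\A\[(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\](.*)\z/s;
    return ( $1, $2, $3 );
}

# Hypothetical helper: choose the format section for $number the same way
# the eval line above does (0 when the condition holds, 1 otherwise).
sub select_section {
    my ( $number, $op, $operand ) = @_;
    return $COMPARE{$op}->( $number, $operand ) ? 0 : 1;
}

# Constructed sample inputs. The last one has the same shape as the
# fragment quoted in the article: extra text after the number.
my @samples = (
    '[>100]0.00',
    '[<=-5]"low"',
    '[>1;trailing text that is not a number]123',
);

for my $fmt (@samples) {
    if ( my ( $op, $operand, $rest ) = parse_conditional($fmt) ) {
        my $section = select_section( 250, $op, $operand );
        print "accepted: op=$op operand=$operand rest=$rest section=$section\n";
    }
    else {
        print "rejected: $fmt\n";
    }
}
```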

The vulnerability was identified by Barracuda Networks while analyzing an attack that placed malware on Barracuda ESG (Email Security Gateway) appliances. The appliances were compromised through a 0-day vulnerability (CVE-2023-7102) in the Spreadsheet::ParseExcel module, which Barracuda ESG uses to parse email attachments in Excel format. To execute code on systems running Barracuda ESG, it was enough to send an email with a specially crafted attachment.

Source: opennet.ru
