75 vulnerabilities fixed in the Magento e-commerce platform

Vulnerabilities have been identified in Magento, the open-source e-commerce platform that accounts for roughly 20% of the market for online store engines. Chained together, they allow an attacker to execute their own code on the server, take full control of the online store and redirect payments. The vulnerabilities were fixed in Magento releases 2.3.2, 2.2.9 and 2.1.18, which together address 75 security issues.

One issue allows an unauthenticated user to achieve JavaScript injection (XSS) that fires when the cancelled-order history is viewed in the admin interface. The core of the vulnerability is the ability to bypass the text sanitization performed by the escapeHtmlWithLinks() function when it processes the note in the cancellation form on the checkout screen (using an "a href=http://onmouseover=..." tag nested inside another tag). The problem appears when the built-in Authorize.Net module, used to accept credit card payments, is in use.
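As an added illustration (this is not Magento's code and not the escapeHtmlWithLinks() implementation), the following PHP helper shows the defensive pattern such a function needs: escape everything first, then re-enable only anchors whose href is a validated http(s) URL, rebuilding each anchor from scratch so that no attacker-controlled attribute text is ever reinserted. The function name, the regular expressions and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not Magento code: a strict "escape everything, then re-enable
// links" helper. The fragile pattern is to escape the input and then un-escape
// any run that looks like an <a ...> tag; that hands attacker-controlled attribute
// text (such as an event handler) straight back to the browser. This version
// never re-inserts user text: it rebuilds each anchor from a validated URL only.

function escape_html_allow_links(string $text): string
{
    // 1. Escape the whole string; no input reaches the page as markup.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Match only the escaped form of <a href="http(s)://...">label</a>.
    //    Extra attributes, unquoted hrefs and nested tags simply do not match
    //    and therefore stay escaped (displayed as literal text).
    $pattern = '~&lt;a href=&quot;(https?://[A-Za-z0-9._/?=&;%#:+-]+)&quot;&gt;'
             . '([^&<>]{1,200})&lt;/a&gt;~';

    return preg_replace_callback($pattern, function (array $m): string {
        $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        // 3. After decoding, the URL must still be a plain absolute http(s) URL
        //    with no quotes, angle brackets or whitespace.
        if (!preg_match('~^https?://[A-Za-z0-9._/?=&%#:+-]+$~', $url)) {
            return $m[0]; // keep it escaped
        }
        // 4. Build the anchor ourselves: href re-escaped, label already escaped,
        //    no other attributes taken from the input.
        return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
             . '" rel="noopener noreferrer">' . $m[2] . '</a>';
    }, $escaped);
}

// Constructed inputs: the first becomes a link, the second stays literal text.
echo escape_html_allow_links('See <a href="https://example.com/?a=1&b=2">docs</a>'), PHP_EOL;
echo escape_html_allow_links('<a href="http://x" onmouseover="alert(1)">y</a>'), PHP_EOL;
```

The point is that the allow-list is applied to the already-escaped text and the output anchor is constructed by the helper, so a tag carrying extra attributes or nested markup never matches and is rendered as inert text.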

To turn JavaScript running in the context of a store employee's current session into full control of the server, a second vulnerability is exploited: it allows a phar file to be placed on the server under the guise of an image (a "Phar deserialization" attack). The Phar file can be uploaded through the image upload form of the built-in WYSIWYG editor. Having achieved execution of their own PHP code, the attacker can alter the payment details or intercept customers' credit card data.

Interestingly, details of the XSS problem were sent to the Magento developers in September 2018, after which a patch was released at the end of November which, as it turned out, removed only one of the special cases and was easily bypassed. In January, the possibility of uploading a Phar file disguised as an image was additionally reported, and it was shown how the combination of the two vulnerabilities could be used to compromise online stores. At the end of March, Magento 2.3.1, 2.2.8 and 2.1.17 fixed the problem with Phar files, but the XSS fix was forgotten, even though the ticket for the issue was closed. In April, exploitation of the XSS was demonstrated again and the issue was fixed in releases 2.3.2, 2.2.9 and 2.1.18.

Note that these releases also fix 75 vulnerabilities in total, 16 of which are rated critical, and 20 issues can lead to execution of PHP code or SQL injection. The most dangerous problems can only be exploited by an authenticated user, but, as shown above, authenticated access can easily be obtained through XSS vulnerabilities, of which a dozen have been fixed in the releases mentioned.

Source: opennet.ru
