Mozilla Company nezve kuwedzera danho rekubhadhara mibairo yemari yekuona matambudziko ekuchengetedza muFirefox. Pamusoro pekusagadzikana kwakananga, chirongwa cheBug Bounty chave kuzovhara nzira dzekupfuura mubrowser dzinodzivirira kushandiswa kubva kushanda.
Matanho akadaro anosanganisira sisitimu yekuchenesa zvidimbu zveHTML isati yashandiswa mune yakasarudzika mamiriro, kugovera ndangariro yeDOM node uye tambo/ArrayBuffers, kudzima eval () muchimiro chehurongwa uye maitiro evabereki, kushandisa yakasimba CSP (Content Security Policy) kurambidzwa kushanda " nezveβ mapeji :", inorambidza kurodha mapeji kunze kwe "chrome://", "resource://" uye "nezve:" mukuita kwevabereki, kurambidza kuitwa kwekunze kweJavaScript kodhi mukuita kwevabereki, kudarika ropafadzo. nzira dzekuparadzanisa (dzinoshandiswa kugadzira iyo interface browser) uye isina rombo JavaScript kodhi. Muenzaniso wemhosho ingakodzera kubhadharwa kwemubairo mutsva ndeiyi: kutarisa eval() muWebhu Worker tambo.
Nekuona kusagadzikana uye nekupfuura nzira dzekudzivirira dzekushandisa, muongorori achakwanisa kugamuchira imwe 50% yemubairo wekutanga, kune kusazvibata kwakaonekwa (semuenzaniso, kune njodzi yeUXSS inodarika iyo , unogona kuwana $7000 pamwe ne $3500 bhonasi). Zvinokosha kuziva kuti kuwedzera kwechirongwa chemuripo wevaongorori vakazvimiririra kunouya kubva kumashure kwezvino 250 vashandi veMozilla, pasi payo iyo yese Threat manejimendi timu, iyo yaibatanidzwa mukuziva uye kuongorora zviitiko, zvakare Security team.
Pamusoro pezvo, zvinoshumwa kuti mitemo yekushandisa chirongwa chebounty kune kusasimba kunoonekwa mukuvaka kwehusiku kwakachinja. Zvinocherechedzwa kuti kusasimba kwakadaro kunowanzo onekwa nekukasira panguva yemukati otomatiki cheki uye fuzzing kuyedzwa. Mishumo yezvipembenene zvakadaro haitungamiri mukuvandudzwa kweFirefox chengetedzo kana fuzz nzira dzekuyedza, saka mibairo yekusagadzikana mukuvaka kwehusiku inobhadharwa chete kana dambudziko ranga riripo mudura guru kwemazuva anopfuura mana uye risati raonekwa nemukati. cheki uye vashandi veMozilla.
Source: opennet.ru