Vulnerability allowing JavaScript code substitution via the OptinMonster WordPress plugin

A vulnerability (CVE-2021-39341) has been identified in the OptinMonster WordPress plugin, which has more than a million active installations and is used to display pop-up notifications and offers. It allows an attacker to place their own JavaScript code on a site that uses the plugin. The vulnerability was fixed in release 2.6.5. To block access through keys captured before the update was installed, the OptinMonster developers revoked all previously issued API access keys and added restrictions on the use of WordPress site keys for modifying OptinMonster campaigns.

The problem is caused by the REST-API endpoint /wp-json/omapp/v1/support, which could be accessed without authentication: the request was processed without further checks if the Referer header contained the string "https://wp.app.optinmonster.test" and the HTTP request method was set to "OPTIONS" (which can be overridden via the "X-HTTP-Method-Override" HTTP header). Among the data returned by this REST-API endpoint was an access key that allows requests to be sent to any REST-API handler.
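The following is an added illustration, not code from OptinMonster or from the original article. It shows, in WordPress plugin terms, the kind of permission check the article describes (trusting the Referer header and a client-overridable request method) next to a hardened permission_callback that ignores request metadata and requires a real capability. The route namespace `om-example/v1` and the function names are assumptions made for the example.

```php
<?php
// Added example (not OptinMonster's code). Both functions are permission
// callbacks for a WordPress REST route; only the second one should ever ship.

// WEAK (hypothetical reconstruction of the pattern described in the article):
// every input consulted here is supplied by the client, so anyone can
// satisfy the condition and obtain whatever secret the handler returns.
function om_example_weak_permission( WP_REST_Request $request ) {
    // The Referer header is set by the client and is trivially forged.
    $referer = (string) $request->get_header( 'referer' );

    // WordPress honours X-HTTP-Method-Override when it builds the request,
    // so the method seen here is also under the client's control.
    $method = $request->get_method();

    if ( 'OPTIONS' === $method
        && false !== strpos( $referer, 'https://wp.app.optinmonster.test' ) ) {
        return true; // anonymous access granted: this is the bug class
    }
    return is_user_logged_in();
}

// HARDENED: authorisation is based only on the authenticated user's
// capability. Referer, request method and any override header are ignored.
function om_example_hardened_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to access this resource.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'om-example/v1', '/support', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // Whatever is returned here (the article's case: an API key that
            // unlocks every other handler) is only as protected as the
            // permission_callback above.
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => 'om_example_hardened_permission',
    ) );
} );
```

Two points worth checking in any plugin review: a permission_callback should never branch on headers the browser or client sets (Referer, Origin, method-override headers), and an endpoint that hands out a credential usable against other endpoints needs at least the privilege level those endpoints require. For cookie-authenticated REST requests WordPress already validates the X-WP-Nonce header before `current_user_can()` is evaluated, so a request without a valid nonce is treated as anonymous and fails the capability check.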

Using the obtained key, an attacker could modify any pop-up blocks displayed with OptinMonster, including arranging the execution of their own JavaScript code. Having gained the ability to run JavaScript in the context of the site, the attacker could redirect users to their own site or arrange the takeover of a privileged account in the web interface when a site administrator executed the substituted JavaScript code. With access to the web interface, the attacker could achieve execution of their own PHP code on the server.

Source: opennet.ru
