75 vulnerabilities fixed in the Magento e-commerce platform

Vulnerabilities have been identified in the open-source e-commerce platform Magento, which holds roughly 20% of the market for systems used to build online stores. Combined, they allow an attacker to execute their own code on the server, gain full control over the online store and redirect payments. The vulnerabilities were eliminated in Magento releases 2.3.2, 2.2.9 and 2.1.18, which together fix 75 security issues.

One issue allows an unauthenticated user to inject JavaScript (XSS) that is executed when a cancelled-order history is viewed in the admin interface. The essence of the vulnerability is the ability to bypass the character-sanitising step performed by the escapeHtmlWithLinks() function when a note entered in the cancellation form on the checkout screen is processed (using an "a href=http://onmouseover=..." tag nested inside another tag). The problem appears when the built-in Authorize.Net module, used to accept credit-card payments, is in use.
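The weak point described above is a sanitiser that tries to preserve links while escaping the rest of the input. The safer design is to escape every byte of the user-supplied note and then generate anchors only from bare URLs that pass a strict check, so no markup from the input ever reaches the admin page. The following Python function is an added example written for this article; it is not Magento's escapeHtmlWithLinks() nor any code from the original report, and the sample notes in the test are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Matches bare http(s) URLs inside plain text. Whitespace, angle brackets
# and quotes end the match, so a matched URL can never close the quoted
# href attribute or the tag that we wrap around it.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def linkify_escaped(text: str) -> str:
    """HTML-escape the whole note, then turn only validated bare URLs into
    anchors. Tags supplied by the user are never interpreted as markup."""
    out = []
    pos = 0
    for match in URL_RE.finditer(text):
        # Text between URLs is escaped unconditionally.
        out.append(html.escape(text[pos:match.start()]))
        url = match.group(0)
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.netloc:
            # Escape the URL again for use as an attribute value and as text.
            safe = html.escape(url, quote=True)
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            out.append(html.escape(url))
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample notes, as a customer might type them.
    for note in (
        "order http://shop.example/o/1 cancelled",
        "<img src=x onerror=alert(1)>",
        'http://a.example/"onmouseover=x',
    ):
        print(repr(note), "->", linkify_escaped(note))
```

The design choice worth noting: markup is only ever emitted by the function itself, from a URL whose scheme and host were checked, so there is no "allowed tag" path for a nested tag to slip through.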

To gain full control, JavaScript running in the context of the current session of a store employee is combined with a second vulnerability, which allows a Phar file to be uploaded under the guise of an image (a "Phar deserialization" attack). The Phar file can be uploaded through the image-insertion form of the built-in WYSIWYG editor. Once the attacker's PHP code is executed, the attacker can change payment details or intercept credit-card data.
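A defence that would have caught the upload step above is to validate an "image" by its content rather than its extension: the leading bytes must match a known image signature, the extension must agree with that signature, and the body must not carry the stub that every Phar archive contains (the literal __HALT_COMPILER statement). The check below is an added example written for this article, not code from Magento or from the original report; the byte samples in it are constructed and the image-signature table is an assumption limited to JPEG, PNG and GIF.

```python
from typing import Optional, Tuple

# Leading bytes ("magic numbers") of the image formats we accept.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TO_MIME = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
}
# The stub of every Phar archive ends with this PHP statement. A file that
# starts like an image but contains it is a polyglot and is rejected.
PHAR_STUB_MARKER = b"__HALT_COMPILER"


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, signatures in IMAGE_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def check_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only files whose content, extension and body all agree that
    this is a plain image. Returns (accepted, reason_or_mime)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = detect_image_type(data)
    if mime is None:
        return False, "content is not a recognised image"
    if EXTENSION_TO_MIME.get(ext) != mime:
        return False, f"extension .{ext} does not match content type {mime}"
    if PHAR_STUB_MARKER in data:
        return False, "embedded Phar stub marker found"
    return True, mime


# Constructed samples: a JPEG-like header, a PNG-like header, and a
# JPEG-like header followed by a Phar stub marker (not a working archive).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_SAMPLE = JPEG_SAMPLE + b"<?php __HALT_COMPILER(); ?>"

if __name__ == "__main__":
    for name, blob in (
        ("logo.jpg", JPEG_SAMPLE),
        ("logo.png", PNG_SAMPLE),
        ("logo.jpg", POLYGLOT_SAMPLE),
        ("logo.jpg", PNG_SAMPLE),
    ):
        print(name, check_image_upload(name, blob))
```

Content-based checks like this complement, rather than replace, the server-side mitigation that removes the risk at its root: an application that never needs to open Phar archives at runtime can unregister PHP's phar stream wrapper so that a phar:// path is not deserialised at all.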

Interestingly, information about the XSS problem was sent to the Magento developers back in September 2018, after which a patch was released at the end of November. As it turned out, that patch removed only one special case and was easily bypassed. In January, the possibility of uploading a Phar file under the guise of an image was additionally reported, together with a demonstration of how the combination of the two vulnerabilities could be used to compromise online stores. At the end of March, Magento 2.3.1, 2.2.8 and 2.1.17 fixed the problem with Phar files, but the XSS fix was forgotten even though the issue ticket was closed. In April the analysis of the XSS was resumed, and the issue was fixed in releases 2.3.2, 2.2.9 and 2.1.18.

It is noted that these releases also fix 75 vulnerabilities, 16 of which are classified as critical, and 20 of the issues can lead to PHP code execution or SQL injection. Most of the critical problems can only be exploited by an authenticated user, but, as shown above, an authenticated session is easy to obtain through XSS vulnerabilities, several of which were patched in these releases.

Source: opennet.ru