Vulnerability allowing JavaScript code substitution via the OptinMonster WordPress plugin

A vulnerability (CVE-2021-39341) has been identified in the OptinMonster WordPress add-on, which has over a million active installations and is used to display pop-up notifications and offers. It allows an attacker to place their own JavaScript code on a site that uses the add-on. The vulnerability is fixed in release 2.6.5. To block access via keys that may already have been stolen, the OptinMonster developers, in addition to shipping the update, revoked all previously issued API access keys and added restrictions on the use of WordPress site keys for modifying OptinMonster campaigns.

Ingxaki ibangelwe kubukho be-REST-API /wp-json/omapp/v1/support, enokufikelelwa ngaphandle kokuqinisekisa - isicelo senziwe ngaphandle kokuhlolwa okongeziweyo ukuba i-header yoMbhengezo iqulethe umtya β€œhttps://wp .app.optinmonster.test” kwaye xa useta uhlobo lwesicelo se-HTTP kwi-"OPTIONS" (ibhalwe ngaphezulu yintloko ye-HTTP "X-HTTP-Method-Override"). Phakathi kwedatha ebuyisiweyo xa ufikelela kwi-REST-API ekuthethwa ngayo, bekukho isitshixo sokufikelela esikuvumela ukuba uthumele izicelo nakweyiphi na i-REST-API abaphathi.

Using the obtained key, an attacker could modify any of the pop-up blocks displayed via OptinMonster, including injecting their own JavaScript code into them. Once able to run JavaScript in the context of the site, the attacker could redirect visitors to their own site, or, when the site administrator's browser executed the injected code, use the administrator's session to set up a privileged account in the web interface. With access to the web interface, the attacker could then achieve execution of their own PHP code on the server.

Source: opennet.ru