Vulnerability in the Spreadsheet::ParseExcel Perl module, used to compromise Barracuda ESG

A critical vulnerability (CVE-2023-7101) has been identified in the Perl module Spreadsheet::ParseExcel, which provides functions for parsing Excel files. It allows arbitrary code execution when processing XLS or XLSX files that contain specially crafted number format rules. The vulnerability is caused by data taken from the processed file being used in an "eval" call. The problem is fixed in the Spreadsheet::ParseExcel 0.66 update. A prototype exploit exists.

Vulnerable code:

    if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
        $conditional = $1;
        $format_str  = $2;
    }
    ...
    $section = eval "$number $conditional" ? 0 : 1;

Example of an exploit that runs the whoami command:

    1;system('whoami > /tmp/inject.txt')]123"/>
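The following Perl is an added illustration and is not code from Spreadsheet::ParseExcel, from the 0.66 fix, or from opennet.ru. It places the advisory's vulnerable pattern (a string eval on a conditional taken from the file) next to a hardened version that accepts only Excel's comparison operators and a numeric literal, then compares through a fixed dispatch table so nothing read from the file is ever executed as code. The function names, the `%compare` table, and the sample format strings are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example, not Spreadsheet::ParseExcel code. The conditional part
# of an Excel number format such as "[>100]0.00" is attacker-controlled because
# it is read from the file being parsed.

# Vulnerable pattern from the advisory: string eval on file-derived input.
# A conditional of the form "1;system('...')" runs as Perl. Shown for
# comparison only; it is not called below.
sub matches_condition_unsafe {
    my ($number, $conditional) = @_;
    return eval "$number $conditional" ? 1 : 0;
}

# Hardened: a fixed table of comparison subs keyed by the operator text.
my %compare = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Returns 1 when $number satisfies $conditional, 0 otherwise. Both inputs are
# validated against strict numeric/operator grammars; anything else (including
# an injected statement) is treated as "no match" rather than evaluated.
sub matches_condition_safe {
    my ($number, $conditional) = @_;
    return 0 unless defined $number && $number =~ /^-?\d+(?:\.\d+)?$/;
    return 0 unless defined $conditional
        && $conditional =~ /^\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*$/;
    my ($op, $value) = ($1, $2);
    return $compare{$op}->($number, $value) ? 1 : 0;
}

# Split "[>100]0.00" into the conditional and the remaining format, using the
# same bracket regex shape the advisory's vulnerable code uses.
sub split_conditional {
    my ($format_str) = @_;
    if ($format_str =~ /^\[([<>=][^\]]+)\](.*)$/) {
        return ($1, $2);
    }
    return (undef, $format_str);
}

# Constructed inputs: two legitimate conditionals and one carrying an
# injected statement of the kind the advisory describes.
for my $fmt ('[>100]0.00', '[<>0]#,##0', '[>1;system(q{echo injected})]0') {
    my ($cond, $rest) = split_conditional($fmt);
    my $res = defined $cond ? matches_condition_safe(150, $cond) : 'n/a';
    printf "%-35s conditional=%-30s match(150)=%s\n", $fmt, $cond // '-', $res;
}
```

The hardened function rejects the third format string outright because its conditional does not match the operator-plus-number grammar, whereas the eval-based version would have executed it. Validating the cell value as well closes the second injection path through `$number`.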

The vulnerability was identified by Barracuda Networks while analyzing an attack that installed malware on Barracuda ESG (Email Security Gateway) devices. The devices were compromised through a 0-day vulnerability (CVE-2023-7102) in the Spreadsheet::ParseExcel module, which Barracuda ESG uses to parse email attachments in Excel format. To execute code on systems running Barracuda ESG, it is enough to send an email with a specially crafted attachment.

Source: opennet.ru