A Berlin startup has disclosed a remote code execution (RCE) vulnerability and a cross-site scripting (XSS) flaw in Pling, the platform behind several application catalogs, which could allow JavaScript to be executed in the context of other users. The affected sites include some of the main free-software application catalogs built on the platform.

Positive Security, which found the holes, said that the bugs are still present in the Pling code and that its maintainers have not responded to the vulnerability reports. In the researchers' own words:

"Earlier this year, we looked at how popular desktop apps handle user-supplied URIs and found code execution vulnerabilities in several of them. One of the apps I checked was the KDE Discover App Store, which turned out to handle untrusted URIs in an insecure way (CVE-2021-28117, KDE Security Advisory). Along the way, I quickly found several more serious vulnerabilities in other free software markets. A wormable XSS with the potential for supply chain attacks in Pling-based markets and a drive-by RCE affecting PlingStore application users can still be exploited."

Pling presents itself as a marketplace where creatives upload themes and graphics for the Linux desktop, among other things, hoping to earn something from supporters. It comes in two parts: the code needed to run one's own Pling-style bazaar, and an Electron-based application that users can install to manage their themes from a Pling store. The web code has the XSS; the client has the XSS and an RCE. Pling powers several sites.

The essence of the XSS is that the Pling platform allows multimedia blocks to be added in HTML format, for example to embed a YouTube video or an image. The code submitted through the form is not validated correctly, which makes it possible to add malicious code under the guise of an image and publish an entry in the catalog whose JavaScript runs whenever the entry is viewed. If the entry is opened by users who have an account, actions can be initiated in the catalog on behalf of those users, including adding the same JavaScript call to their own pages, which turns the flaw into a kind of network worm.

A vulnerability was also identified in the PlingStore application, written on the Electron platform, which lets users browse the OpenDesktop catalogs without a browser and install the packages offered there. This vulnerability allows code to be run on the user's system. When PlingStore is running, it additionally starts the ocs-manager process, which accepts local connections over WebSocket and executes commands such as downloading and launching applications in AppImage format. The commands are supposed to come from the PlingStore application, but because there is no authentication, a request can be sent to ocs-manager from the user's browser. If a user opens a malicious site, that site can open a connection to ocs-manager and have code run on the user's system. Under every item in the KDE Store a note reads: "*Needs pling-store or ocs-url to install things". (xdg-open is the tool which opens a file in the user's preferred application.)

An XSS vulnerability is also reported in another extension catalog. In the field for the plugin's home-page URL, JavaScript can be specified in the form "javascript:code"; when the link is clicked, that JavaScript runs instead of the project site opening. On the one hand the problem is more speculative, since submissions to that catalog are moderated and the attack requires not only opening a particular page but also an explicit click on the link. On the other hand, during review a moderator may well want to visit the project site, click the link without inspecting its form, and so run the JavaScript in the context of their own account.

Finally, if you are interested in knowing more about it, you can consult the details in the researchers' report.
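Both web-side flaws described above, the embed form that accepts raw HTML and the home-page field that accepts a "javascript:" URL, come down to the same mistake: rendering attacker-controlled markup or attacker-controlled URL schemes. The block below is an added example and not Pling's code. It contrasts the kind of naive "does it contain an <img> tag" check that lets an event handler ride along on an "image" with the safer design of rendering embeds from structured data and accepting only absolute http(s) URLs. The function names, the embed descriptor shape and the sample inputs are assumptions made for the example.

```javascript
// Added example (not Pling's code): handling user-supplied embeds and
// home-page links in a theme catalogue. Function names, the embed
// descriptor shape and the sample inputs are assumptions.

// Naive check of the kind that lets an "image" smuggle script: it only
// looks for an <img> tag, so onerror= handlers and other tags ride along.
function looksLikeImageEmbed(html) {
  return /<img\b/i.test(html);
}

// Accept only absolute http(s) URLs. `new URL` lower-cases the scheme, so
// "  JavaScript:alert(1)" is still refused; relative or malformed input
// throws and is refused rather than guessed at.
function isSafeHttpUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return false;
  }
  return url.protocol === "http:" || url.protocol === "https:";
}

// Escape for an HTML text or double-quoted attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render an embed from structured data, never from submitted markup.
// Returns null when the descriptor is not acceptable.
function renderEmbed(desc) {
  if (!desc || typeof desc !== "object") return null;
  switch (desc.kind) {
    case "image": {
      if (!isSafeHttpUrl(desc.src)) return null;
      const href = new URL(String(desc.src).trim()).href;
      return `<img src="${escapeHtml(href)}" alt="${escapeHtml(desc.alt ?? "")}">`;
    }
    case "youtube": {
      // YouTube video ids are 11 URL-safe characters; anything else is rejected,
      // so the id can only ever select a video, never break out of the src.
      if (!/^[A-Za-z0-9_-]{11}$/.test(String(desc.videoId))) return null;
      return `<iframe src="https://www.youtube.com/embed/${desc.videoId}" allowfullscreen></iframe>`;
    }
    default:
      return null;
  }
}

// Home-page field: link only when the URL is http(s); otherwise show the
// text without an href, so a "javascript:" value never becomes a click target.
function renderHomepageLink(raw) {
  if (!isSafeHttpUrl(raw)) {
    return `<span>${escapeHtml(raw)}</span>`;
  }
  const href = new URL(String(raw).trim()).href;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(raw)}</a>`;
}

// Constructed inputs: what a wormable submission and a poisoned home page look like.
console.log(looksLikeImageEmbed('<img src=x onerror="fetch(`/api/edit`, {method:`POST`})">')); // weak check: true
console.log(renderEmbed({ kind: "image", src: "javascript:alert(1)" }));                    // null
console.log(renderHomepageLink("javascript:alert(document.cookie)"));                        // plain <span>
```

The point of `renderEmbed` is that the server never stores or echoes submitted HTML at all: it stores a kind, a URL or a video id, and regenerates the markup itself, so "malicious code under the guise of an image" has nowhere to live. The same `isSafeHttpUrl` gate handles the moderator-click case, since a "javascript:" home page is rendered as inert text.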
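The ocs-manager problem is a local service that trusts whoever connects to it, so any web page the user visits can drive it. The block below is an added example, not ocs-manager's or PlingStore's code, of how such a local WebSocket endpoint can refuse a drive-by page: during the HTTP upgrade handshake it rejects any browser-supplied Origin it does not expect and requires a per-launch secret that only the legitimate client was given. The token transport (a query parameter), the allowed origin, the port and the console output are assumptions; the code after the handshake (frame parsing and command dispatch) is handed to the caller.

```javascript
// Added example, not ocs-manager's or PlingStore's code. A local WebSocket
// endpoint that authenticates the handshake instead of trusting localhost.
// Token transport, allowed origin and the demo port are assumptions.
const http = require("http");
const crypto = require("crypto");

const WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; // RFC 6455, section 4.2.2

// Browsers always send Origin on a WebSocket handshake and page script cannot
// change it, so an unexpected Origin is the drive-by signature. Non-browser
// clients send none and are admitted on the token alone.
function authorizeUpgrade(headers, requestUrl, expectedToken, allowedOrigins) {
  if ((headers.upgrade || "").toLowerCase() !== "websocket") {
    return { ok: false, status: 400, reason: "not a websocket upgrade" };
  }
  const origin = headers.origin;
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  // The token is generated when the service starts and handed only to the
  // launching client (for example over its stdin), so a web page cannot know it.
  const presented = new URL(requestUrl, "http://localhost").searchParams.get("token") || "";
  const a = Buffer.from(presented);
  const b = Buffer.from(expectedToken);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, status: 401, reason: "bad or missing token" };
  }
  return { ok: true, status: 101, reason: "" };
}

// Sec-WebSocket-Accept as defined by RFC 6455: base64(sha1(key + GUID)).
function acceptKey(secWebSocketKey) {
  return crypto.createHash("sha1").update(secWebSocketKey + WS_GUID).digest("base64");
}

// onAuthorized receives the raw socket after a successful handshake; frame
// parsing and command dispatch (the "download and launch AppImage" part) live there.
function startServer(token, allowedOrigins, onAuthorized) {
  const server = http.createServer((req, res) => { res.writeHead(426); res.end(); });
  server.on("upgrade", (req, socket) => {
    const decision = authorizeUpgrade(req.headers, req.url, token, allowedOrigins);
    if (!decision.ok) {
      socket.end(`HTTP/1.1 ${decision.status} ${decision.reason}\r\nConnection: close\r\n\r\n`);
      return;
    }
    socket.write("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n" +
      `Sec-WebSocket-Accept: ${acceptKey(req.headers["sec-websocket-key"])}\r\n\r\n`);
    onAuthorized(socket);
  });
  return server;
}

// Demo: a forged-origin page without the token versus the launching client with it.
if (require.main === module) {
  const token = crypto.randomBytes(16).toString("hex");
  const server = startServer(token, ["app://pling-client"], (sock) => sock.end());
  server.listen(0, "127.0.0.1", () => {
    const { port } = server.address();
    const attempt = (label, path, extra) => new Promise((resolve) => {
      const req = http.request({ host: "127.0.0.1", port, path, headers: {
        Connection: "Upgrade", Upgrade: "websocket", "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": crypto.randomBytes(16).toString("base64"), ...extra } });
      req.on("upgrade", (res, sock) => { console.log(label, res.statusCode); sock.destroy(); resolve(); });
      req.on("response", (res) => { console.log(label, res.statusCode); res.resume(); resolve(); });
      req.on("error", (e) => { console.log(label, e.message); resolve(); });
      req.end();
    });
    attempt("drive-by page:", "/", { Origin: "https://attacker.example" })
      .then(() => attempt("launching client:", `/?token=${token}`, {}))
      .then(() => server.close());
  });
}
```

Binding to 127.0.0.1 is not an authentication control: every tab in the user's browser is also on 127.0.0.1. The Origin check stops pages outright, and the token stops anything that can reach the port but was not started by the trusted client.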