
Security researcher warns against running PlingStore Electron or visiting affected websites

A pair of serious zero-day vulnerabilities in Opendesktop’s Pling could result in drive-by remote code execution (RCE) and supply chain attacks against Linux marketplaces based on the platform.

Affected Pling-based app stores include, ,, , and.

Having failed to elicit a response from the project maintainers, a security researcher from Berlin-based infosec firm Positive Security disclosed the flaws in a bid to warn users of the threat.

Pling-Store is an installer and content management app for OCS-compatible websites that allows the installation of desktop and icon themes, wallpapers, and mouse cursors within desktop environments such as KDE Plasma, Gnome, and XFCE.

Recounting how he discovered the flaws, Fabian Bräunlein, security researcher and managing director at Positive Security, says that while testing the KDE Discover app store’s Uniform Resource Identifier (URI) handling, he stumbled across a field allowing users to embed media in a listing.

Adding an iframe and then a malicious JavaScript payload in a separate line created a stored XSS “that could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS”.

The field, he says, “looked like XSS by design”.

This, he says, would allow for a supply chain attack whereby a JavaScript payload uploads a backdoored software version that changes the metadata of the victim’s listings to include the malicious payload.

“Bypassing any protection or filtering was trivial,” Bräunlein tells The Daily Swig.

“The stored XSS is triggered simply when someone visits the listing – no user interaction is required.”

RCE exploit

Meanwhile, Bräunlein found, the native PlingStore application is affected by an RCE vulnerability that can be triggered from any website while the app is running in the background.

“During the start, the PlingStore Electron app also launches a component which listens on a local socket for commands. There is no check whether the commands actually come from the Electron app, so any website can send such commands by initiating a WebSocket connection,” he says.

“As this component is also used to install applications, some of the commands allow downloading and executing binary files.”

Timeline

The disclosure process did not run smoothly – indeed, Bräunlein describes it as “surprising and disappointing”.

He first reported the issue via an email sent to Opendesktop on February 24, and followed up repeatedly with further emails, a phone call, a forum post (now locked), and via Pling’s chat service.

On 18 June, having received no response, he warned the project maintainers through several of these lines of contact that he was about to go public, finally doing so on 22 June.

The Daily Swig has also contacted Opendesktop’s maintainers for comment, and will update this story in the event of a reply.

Bräunlein advises users not to run the PlingStore Electron application – or, even better, remove the AppImage file – unless and until the RCE is fixed.

And, with any listing on the affected stores capable of hijacking accounts on the platform via XSS, potentially compromising any downloadable assets, users of the affected websites are best advised to log out of their accounts and stay away from the domains unless the issues are remediated.
