{"id":10441,"date":"2025-07-24T12:32:53","date_gmt":"2025-07-24T05:32:53","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10441"},"modified":"2026-02-05T12:33:02","modified_gmt":"2026-02-05T05:33:02","slug":"lo-hong-trong-thu-vien-javascript-co-the-khien-ung-dung-bi-dieu-khien-tu-xa","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/24\/lo-hong-trong-thu-vien-javascript-co-the-khien-ung-dung-bi-dieu-khien-tu-xa\/","title":{"rendered":"L\u1ed7 h\u1ed5ng trong th\u01b0 vi\u1ec7n JavaScript c\u00f3 th\u1ec3 khi\u1ebfn \u1ee9ng d\u1ee5ng b\u1ecb \u0111i\u1ec1u khi\u1ec3n t\u1eeb xa"},"content":{"rendered":"

M\u1ed9t l\u1ed7 h\u1ed5ng v\u1eeba \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong th\u01b0 vi\u1ec7n form-data tr\u00ean npm. V\u1edbi m\u00e3 \u0111\u1ecbnh danh CVE-2025-7783, l\u1ed7 h\u1ed5ng n\u00e0y \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn h\u00e0ng tri\u1ec7u \u1ee9ng d\u1ee5ng web v\u00e0 API \u0111ang s\u1eed d\u1ee5ng JavaScript\/Node.js tr\u00ean to\u00e0n c\u1ea7u, \u0111\u1eb7c bi\u1ec7t l\u00e0 trong c\u00e1c h\u1ec7 th\u1ed1ng backend, microservices v\u00e0 serverless.<\/b><\/p>\n

\"1753343397127.png\"<\/a>\u200b<\/div>\n

Nguy\u00ean nh\u00e2n g\u1ed1c r\u1ec5 \u0111\u1ebfn t\u1eeb c\u00e1ch sinh chu\u1ed7i “boundary” kh\u00f4ng an to\u00e0n trong file “form_data.js”, d\u00f2ng 347:<\/p>\n

\n
\n
boundary += Math.floor(Math.random() * 10).toString(16);<\/div>\n
Nh\u1ea5n \u0111\u1ec3 m\u1edf r\u1ed9ng…<\/a><\/div>\n<\/div>\n<\/blockquote>\n

\u0110\u00e2y l\u00e0 c\u00e1ch t\u1ea1o ra chu\u1ed7i ph\u00e2n c\u00e1ch (boundary) gi\u1eefa c\u00e1c ph\u1ea7n d\u1eef li\u1ec7u trong bi\u1ec3u m\u1eabu d\u1ea1ng multipart\/form-data. V\u1ea5n \u0111\u1ec1 l\u00e0 Math.random() kh\u00f4ng \u0111\u1ee7 ng\u1eabu nhi\u00ean, n\u00f3 ch\u1ec9 l\u00e0 m\u1ed9t tr\u00ecnh t\u1ea1o s\u1ed1 gi\u1ea3 \u0111\u1ecbnh (PRNG), n\u00ean n\u1ebfu hacker quan s\u00e1t \u0111\u01b0\u1ee3c m\u1ed9t v\u00e0i gi\u00e1 tr\u1ecb \u0111\u01b0\u1ee3c t\u1ea1o ra t\u1eeb Math.random(), h\u1ecd ho\u00e0n to\u00e0n c\u00f3 th\u1ec3 d\u1ef1 \u0111o\u00e1n c\u00e1c gi\u00e1 tr\u1ecb ti\u1ebfp theo, bao g\u1ed3m c\u1ea3 boundary.<\/p>\n

L\u1ed7 h\u1ed5ng ho\u1ea1t \u0111\u1ed9ng nh\u01b0 th\u1ebf n\u00e0o?\u200b<\/h4>\n
    \n
  1. \u1ee8ng d\u1ee5ng d\u00f9ng form-data \u0111\u1ec3 g\u1eedi d\u1eef li\u1ec7u ng\u01b0\u1eddi d\u00f9ng d\u01b0\u1edbi d\u1ea1ng “multipart\/form-data” (v\u00ed d\u1ee5: \u1ea3nh, bi\u1ec3u m\u1eabu \u0111\u0103ng k\u00fd, t\u1ec7p \u0111\u00ednh k\u00e8m…).<\/li>\n
  2. \u0110\u1ed3ng th\u1eddi, \u1ee9ng d\u1ee5ng v\u00f4 t\u00ecnh \u0111\u1ec3 l\u1ed9 gi\u00e1 tr\u1ecb Math.random() ra ngo\u00e0i, ch\u1eb3ng h\u1ea1n qua header nh\u01b0 “x-request-id”, “trace-id” ho\u1eb7c debug log.<\/li>\n
  3. Hacker quan s\u00e1t nh\u1eefng gi\u00e1 tr\u1ecb \u0111\u00f3, t\u1eeb \u0111\u00f3 t\u00ednh to\u00e1n \u0111\u01b0\u1ee3c tr\u1ea1ng th\u00e1i n\u1ed9i b\u1ed9 c\u1ee7a PRNG.<\/li>\n
  4. H\u1ecd d\u00f9ng n\u00f3 \u0111\u1ec3 d\u1ef1 \u0111o\u00e1n chu\u1ed7i boundary trong c\u00e1c l\u1ea7n g\u1eedi ti\u1ebfp theo.<\/li>\n
  5. Sau \u0111\u00f3, t\u1ea1o ra g\u00f3i tin \u0111\u1ed9c h\u1ea1i ch\u1ee9a boundary ch\u00ednh x\u00e1c, th\u00eam v\u00e0o c\u00e1c tham s\u1ed1 gi\u1ea3 m\u1ea1o, ti\u00eam d\u1eef li\u1ec7u \u0111\u1ed9c h\u1ea1i v\u00e0o h\u1ec7 th\u1ed1ng n\u1ed9i b\u1ed9, th\u1eadm ch\u00ed truy c\u1eadp tr\u00e1i ph\u00e9p v\u00e0o c\u00e1c API backend.<\/li>\n<\/ol>\n

    M\u1ee9c \u0111\u1ed9 nguy hi\u1ec3m v\u00e0 ph\u1ea1m vi \u1ea3nh h\u01b0\u1edfng\u200b<\/h4>\n