Several Linux app stores and Pling store apps can be attacked via cross-site scripts


      Positive Security security researcher Fabian Bräunlein discovered an unpatched cross-site scripting (XSS) vulnerability in Pling-based Linux app stores, which would also affect the native Pling-Store app. The vulnerability could be misused to manipulate lists, i.e. applications available for download, in affected stores and, for example, add malicious code to them. According to the researcher, the Pling Store app can also be used to execute any remote program code (Remote Code Execution, RCE) on Linux systems under certain conditions.

The Pling platform is part of the portal of hive 01 GmbH. It serves as an alternative download source for themes, icons, wallpapers, software and more for Linux. Several well-known app stores, such as the KDE Shop to. Positive Security mentions other examples, and The application based on the Electron framework Pling-Store (also “PlingStore”, formerly OCS-Store), on the other hand, is intended to facilitate the installation and management of Pling content and is advertised for this purpose by the Pling-based app stores.

According to the changelog on, the Pling Store app was last updated about a year ago as a “minor bug fix release”.

(Image: screenshot)

According to a detail Positive-Security-Blogeintrag the vulnerability can be exploited through one of the input fields available to developers when creating and modifying application lists on Pling. The “HTML or Embed media code” field intended to insert HTML content, the content of which is displayed in the description of the respective application, therefore accepts without complaint a JavaScript payload if it is “hidden” behind a previous iFrame. Since the entries over the software listings at Pling are permanently stored on the server, such a payload would be executed whenever the listing is called using a browser or the Pling store app. (XSS stored).

The top field allows you to add (malicious) JavaScript code.

(Bild: Positive security)

Bräunlein points out in the blog post that the XSS divide is theoretically “deworming”. An attack scenario in which any developer’s listings could be contaminated with malicious code would in theory look like this: the attacker initially creates their own application entry and “hides” their JavaScript payload, a worm XSS, in the Listing input field already mentioned. . The worm includes code that first allows it to hijack the session of the person calling the list. If that person is a developer, the worm can access their lists in the next step. It then writes its own code in the “HTML or Embed media code” field of third-party listings so that it can distribute itself from there. It could replace the third-party app itself with a nearly identical copy with a built-in backdoor.

In this context, Bräunlein also points out that Pling-based stores would share user accounts and session data. However, he has not released any proof of concept code for the worm scenario.

According to Bräunlein, XSS attacks also work when calling lists prepared from the Pling Store app. In addition, remote code execution is even possible via XSS through the app. The reason is other security vulnerabilities in the application, more precisely: in the component ocs-manager as a local websocket server. According to the researcher, the lack of validation and authentication mechanisms ensures that any website can initiate a connection to the Websocket server from any browser and that ocs-manager accepts all transmitted commands. This way, all AppImage files can be downloaded and run from the prepared and highlighted website without further user interaction, as long as the Pling Store app is running in the background.

Proof of concept code demonstrate this fact; only the installation of a required hard port-forcing mechanism was omitted by Bräunlein. “The WebSocket server (ocs-manager), which is started when PlingStore starts up and accepts commands from any website, looks for a free local port on startup. This is hard-coded into the PoC script (…), but can easily be guessed by programmatic trial and error, ”the researcher explained to heise Security.

According to his own information, Bräunlein has made several attempts since the end of February 2021 to contact the developers of Pling via email, phone and forum posts. So far, however, they have neither responded nor addressed the security flaw in their products. yesterday heise Security also checked with hive 01 GmbH via email yesterday, but has not yet received a response.

Since the XSS and RCE dangers still exist, Bräunlein advises in the blog entry not to use the Pling Store app yet or, at best, to completely remove the vulnerable AppImage from the system. While exploits in the wild have yet to be observed, and publicly available code for a possible XSS worm has yet to emerge, the researcher also advises you to be aware that virtually all app store listings Linux-based Pling hijack logged-in user accounts and hijack malicious code could deliver. It is better to log out temporarily and not to use the stores.

By the way, the Gnome team, the little brunette, was more responsive than the hive 01 XSS vulnerability also described in the blog entry on the Gnome Extensions website ( This was eliminated within 24 hours and has not posed a threat since the end of February.


Disclaimer: This article is generated from the feed and is not edited by our team.


Leave A Reply