第4回 WordBench三鷹＠ミタカフェ LT 〜WordPressのセキュリティはじめの一歩〜

Transcript

1. ୈ4ճ WordBenchࡾୋˏϛλΧϑΣ LT ʙWordPressͷηΩϡϦςΟ͸͡ΊͷҰาʙ

2. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ᜊ໦
   ߂थ IUUQTXXXGBDFCPPLDPNISLTBJLJ

3. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ גࣜձࣾNHO IUUQTXXXNHONF

4. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࣭໰Ͱ͢ɻ

5. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ 8PSE1SFTTͬͯ
   ةݥͬͯݴΘΕ·͚͢Ͳɺ ࣮ࡍͦ͏ࢥ͍·͔͢ʁ

6. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ શੈքͷ8FCαΠτͷ͸ 8PSE1SFTTͰͰ͖͍ͯ·͢ɻ

7. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͦΜͳʹ࢖ΘΕͯΔͳΒ
   ผʹةݥͯ͜ͱ
   ͳ͘ͳ͍ʁ

8. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ Ͱ͢ΑͶ
   ʉʔʉ

9. ୈճ
   8PSE#FODIࡾୋˏϛλΧϑΣ
   ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ΋ͻͱ࣭ͭ໰Ͱ͢ɻ ͦ͜Ͱ

10. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͍·࢖͍ͬͯΔ 8PSE1SFTTͷ
    όʔδϣϯ͸͍ͭ͘ʁ

11. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ Ξοϓσʔτ͠ͳ͍ͷɺ μϝઈରɻ

12. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࠷৽൛͸
     ʢ
    ݱࡏʣ

13. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ  Ұൠతͳιϑτ΢ΣΞͷόʔδϣχϯά ϝδϟʔϦϦʔεόʔδϣϯ ϚΠφʔϦϦʔεόʔδϣϯ ϝϯςφϯεϦϦʔεόʔδϣϯ

14. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ  8PSE1SFTTͷόʔδϣχϯά ϝδϟʔϦϦʔεόʔδϣϯ ϝϯςφϯεηΩϡϦςΟϦϦʔεόʔδϣϯ

15. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ Ұ൪҆શͳόʔδϣϯ͸
    ͍ͭͰ΋࠷৽൛Ͱ͢ɻ

16. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ՄೳͳݶΓ࠷৽൛ͷ 8PSE1SFTTΛ
    ࢖͍·͠ΐ͏ɻ

17. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͪͳΈʹɺ8PSE1SFTT
    
    Ҏ߱͸
    ࣗಈͰηΩϡϦςΟΞοϓσʔτ͕
    ൓ө͞ΕΔ࢓༷ʹͳ͍ͬͯ·͢ɻ

18. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ಛʹ͓࢓ࣄͷ৔߹ɺӡ༻্ͷ໰୊Ͱ͙͢ʹ
    ϝδϟʔόʔδϣϯΞοϓͰ͖ͳ͍έʔε΋
    ͋Δ͔΋͠Ε·ͤΜ͕ɺͦͷ৔߹Ͱ΋
    ηΩϡϦςΟϦϦʔε͸ඞͣ൓өͤ͞·͠ΐ͏ɻ

19. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͞Βʹ࣭໰Ͱ͢ɻ

20. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ύεϫʔυɺ
    Ͳ͏ͯ͠·͢ʁ

21. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࢖͍ճ͠ɺμϝઈରɻ

22. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࠷ॳʹ8PSE1SFTTΛ
    Πϯετʔϧͨ͠ͱ͖ɺ
    ࣗಈͰύεϫʔυ͕
    ೖΓ·͢ΑͶʁ

23. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͜ΕΛ࢖͍·͠ΐ͏ɻ

24. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͖֮͑Εͳ͍ͷͰɺ
    πʔϧͷซ༻͕Φεεϝʂ

25. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ·࣭ͩ໰Ͱ͢ɻ

26. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ αʔόʔɺ
    Ͳ͏ͯ͠·͢ʁ

27. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ Ϩϯλϧαʔόʔ
    ʢɾ㱼ɾʣ

28. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ Ͱ͢ΑͶ
    ʉʔʉ

29. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͪΐͬͱઃఆΛ
    ɹ֬ೝͯ͠Έ·͠ΐ͏ɻ

30. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ʮ8"'ʯ

31. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͳʹͦΕ͓͍͍͠ͷ
    ɾТɾʆ

32. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ IUUQTKBXJLJQFEJBPSHXJLJ8FC@"QQMJDBUJPO@'JSFXBMM 8FC
    "QQMJDBUJPO
    'JSFXBMM Web Application Firewallʢུশ:WAFɺϫϑʣͱ ͸ɺ΢ΣϒΞϓϦέʔγϣϯͷ੬ऑੑΛѱ༻ͨ͠߈ ܸ͔Β΢ΣϒΞϓϦέʔγϣϯΛอޢ͢ΔηΩϡϦ ςΟରࡦͷҰͭ [1]

33. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ 8"'ͷઃఆ0''ɺ
    μϝઈରɻ

34. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ϩϦϙοϓ
    8"'ͷઃఆ ୅දతͳϨϯλϧαʔόʔ֤ࣾͷ8"'ઃఆํ๏ ɾ 9αʔόʔ
    8PSE1SFTTηΩϡϦςΟઃఆ ɾ ͘͞ΒΠϯλʔωοτ
    8FCΞϓϦέʔγϣϯϑΝΠΞ΢Υʔϧ 8"' ͷઃఆ ɾ

    ϑΝʔεταʔόʔ
    8"'
    8&#ΞϓϦέʔγϣϯϑΝΠΞ΢Υʔϧ ɾ ໊͓લDPN
    ίϯτϩʔϧύωϧ
    
    8"'ઃఆ ɾ ϔςϜϧ
    8"'ͷઃఆํ๏ ɾ ͳͲ $1*
    ڞ༻Ϩϯλϧαʔόʔ
    8"'ʢ8FCΞϓϦέʔγϣϯϑΝΠΞ ΢Υʔϧʣ ɾ

35. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ՄೳͳݶΓ
    ࠷৽൛ͷ1)1΋
    ࢖͍·͠ΐ͏ɻ ซͤͯ

36. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ݹ͍όʔδϣϯͷ1)1ɺ μϝઈରɻ

37. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ·ͩ·࣭ͩ໰Ͱ͢ɻ

38. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ޻ΤŚΣŐʢшʆʣŐΣŚΤ޻޻

39. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ϓϥάΠϯɺ
    Ͳ͏બΜͰ·͢ʁ

40. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࢖͍ͬͯΔਓʹ
    ฉ͘ɻ

41. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࢖͍ͬͯΔਓʹ
    ฉ͘ɻ

42. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࢖ͬͯΔਓ͕͍ͳ͍
    ɾТɾʆ

43. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ બͿج४ ໨҆ ͸ʁ

44. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ 
    Ϣʔβʔ਺͕ଟ͍
    

45. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ

46. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ 
    Ϣʔβʔ਺͕ଟ͍
    
    ׆ൃʹϝϯςφϯε͞Ε͍ͯΔ

47. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ

48. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࠷ޙͷ࣭໰Ͱ͢ɻ

49. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ςʔϚɺ
    Ͳ͏ͯ͠·͢ʁ

50. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࢖͍ͬͯΔਓʹ
    ฉ͘ɻ

51. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࢖͍ͬͯΔਓʹ
    ฉ͘ɻ

52. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ࣗ࡞
    ɾТɾʆ

53. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ʮެࣜσΟϨΫτϦʯ

54. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ςʔϚσΟϨΫτϦ

55. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͳͥʮެࣜσΟϨΫτϦʯʁ

56. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ୈࡾऀʹΑΔνΣοΫ͕ೖΔ͜ͱͰ࠷ ௿ݶͷ඼࣭͕อূ͞ΕΔ
    ϑΥʔϥϜΛ௨ͯ͡੬ऑੑ΍όάΛ࡞ ऀʹ௚઀ใࠂͰ͖ɺൺֱతૣ͘मਖ਼͞ ΕΔՄೳੑ͕ߴ͍ ɾ ɾ

57. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ·ͱΊ ɾ·ͣ͸࠷৽൛ͷ8PSE1SFTTͰ
    ɾύεϫʔυ͸೉͘͠
    ɾαʔόʔͷ8"'ઃఆ͸ඞͣ༗ޮԽ
    ɾซͤͯ1)1ͷόʔδϣϯ΋࠷৽ʹ
    ɾϓϥάΠϯ͸Ϣʔβʔ਺ͱߋ৽Λ֬ೝ
    ɾςʔϚ͸ެࣜσΟϨΫτϦͰ

58. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ 4QFDJBM
    5IBOLT ͋ͳͨͷ8PSE1SFTTΛ҆શʹอͭํ๏ ٶ಺ོߦ

59. ୈճ
    8PSE#FODIࡾୋˏϛλΧϑΣ
    ʙ8PSE1SFTTͷηΩϡϦςΟ͸͡ΊͷҰาʙ ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ