WordPress とセキュリティについてかんがえる #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13

Slide 1

Slide 1 text

WordPress ͱηΩϡϦ ςΟʹ͍͔ͭͯΜ͕͑Δ Toro_Unit @Shinshu WP Meetup vol.12 1

Slide 2

Slide 2 text

$ whoami 2

Slide 3

Slide 3 text

Toro_Unit ઎෦ ߛ (͏Β΂ ͻΖ͠) • Frontend Engineer • WordPress Plugin and Theme Developer Github: @torounit Twitter: @Toro_Unit 3

Slide 4

Slide 4 text

ʮηΩϡϦςΟʯʹ͍ͭͯߟ͑Α͏ͱ͍͏͜ͱͰ 4

Slide 5

Slide 5 text

ͳΜ͔ͯ͠·͢ʁηΩϡϦςΟରࡦ 5

Slide 6

Slide 6 text

࠷௿ݶ • WordPress ͷ࠷৽൛Λ࢖͏ɻ • ࣗಈߋ৽͕ಈ࡞͢ΔΑ͏ʹɻ • ࠷৽൛ͷςʔϚͱϓϥάΠϯΛ࢖͏ɻ 6

Slide 7

Slide 7 text

WordPress ͷ΁ͷ߈ܸ͋Ε͜Ε Ҿ༻ݩɿJP-Secure Labs Report Vol.03 | ٕज़৘ใ | ιϑτ΢ΣΞWAFͷJP-Secure 7

Slide 8

Slide 8 text

• ຊମ΁ͷ߈ܸͱ͍͏ͷ͸࣮͸গͳ͍ɻ • ϓϥάΠϯɾςʔϚ΁ͷ߈ܸ͕6ׂ௒ɻ 8

Slide 9

Slide 9 text

/wp-content/themes/urbancity/lib/scripts/ download.php?file=../../../../../wp-config.php /wp-content/themes/trinity/lib/scripts/ download.php?file=../../../../../wp-config.php /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php /wp-content/themes/lote27/download.php?download=../../../wp-config.php /wp-content/themes/authentic/includes/download.php? file=../../../../wp-config.php /wp-content/plugins/membership-simplified-for-oap-members-only/ download.php?download_file=.././.././.././wp-config.php /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php? download_file=../../../wp-config.php Ҿ༻ݩɿJP-Secure Labs Report Vol.03 | ٕज़৘ใ | ιϑτ΢ΣΞWAFͷJP- Secure 9

Slide 10

Slide 10 text

ެࣜϨϙδτϦͷϓϥάΠϯͰ΋੬ऑੑͷใࠂ͕࠷ۙ͋Γ·͠ ͨɻ ใࠂ೔ ର৅ͷϓϥάΠϯ Πϯετʔϧ਺ όʔδϣϯ ੬ऑੑ 2019/03/15 Easy WP SMTP 40ສ݅௒ 1.3.9Ҏલ ؅ཧऀ΁ͷಛݖঢ֨ 2019/03/21 Social Warfare 6ສ݅௒ 3.5.2Ҏલ XSSʢ֨ೲܕʣɺ೚ ҙίʔυͷ࣮ߦ 2019/03/30 Yuzo Related Posts 6ສ݅௒ 5.12.91Ҏલ XSSʢ֨ೲܕʣ 2019/04/09 Visual CSS Style Editor 3ສ݅௒ 7.1.9Ҏલ ؅ཧऀ΁ͷಛݖঢ֨ WordPressϓϥάΠϯΛૂ͏߈ܸ͕׆ൃԽ͍ͯ͠Δ݅Λ·ͱΊͯΈͨ - piyolog 10

Slide 11

Slide 11 text

Πϯετʔϧ਺͕ଟ͍ != ҆શ • ͻͱͭͷج४ʹ͸ҧ͍ͳ͍͚Ͳɺ҆શੑɾ඼࣭Λอূ͢Δج ४Ͱ͸ͳ͍ɻ 11

Slide 12

Slide 12 text

ϓϥάΠϯ 10 બʂΈ͍ͨͳهࣄΛӏವΈʹ͠ͳ͍ɻ 12

Slide 13

Slide 13 text

• ඞਢϓϥάΠϯͳͲͳ͍ʂ • ඞਢϓϥάΠϯͳΜͯॻ͍ͯΔਓͷ৘ใ͸౰ͯʹͳΒΜɻ 13

Slide 14

Slide 14 text

ςʔϚͷબͼํ 14

Slide 15

Slide 15 text

• αϙʔτ͸େৎ෉ʁ • ༗ྉ != ඼࣭ɻ඼࣭ʹ΋͍Ζ͍Ζ͋Δɻ 15

Slide 16

Slide 16 text

• ςʔϚʹಉࠝ͞Ε͍ͯΔϑΥʔϜϓϥάΠϯ͕Ξοϓσʔτ ͞Εͣɺ߈ܸ͞ΕΔͱ͍͏ࣄྫɻ • ༗ྉςʔϚʹ߈ܸίʔυ͕ࠞೖ͍ͯͨ͠έʔε΋ɻ 16

Slide 17

Slide 17 text

ͱΓ͋͑ͣɺWordPress.org ܝࡌͷςʔϚʹ͓ͯ͘͠ͷ͕ແ೉ɻ • ͜͜ʹܝࡌ͢Δʹ͸ɺςʔϚͷϨϏϡʔΛ௨ա͢Δඞཁ͋Γɻ࠷௿ݶͷ඼࣭ ʢ҆શੑɾ૬ޓӡ༻ੑʣ͸୲อ͞Ε͍ͯΔ • Ծʹ༗ྉςʔϚΛങ͏ͳΒɺhttps://ja.wordpress.org/themes/commercial/ ʹܝࡌ͞Ε͍ͯΔϞϊɺແྉ൛ͳͲΛɺWP.org ʹܝࡌ͍ͯ͠Δ࡞ऀͷϞϊ Λ͓͢͢Ί͠·͢ɻ • Snow Monkey • Lightling • LIQUID PRESS • etc... 17

Slide 18

Slide 18 text

GPL • ແอূ • ࣗ༝ͳෳ੡ɾվมɾ൦෍͕ڐՄ • ίϐʔϨϑτ 18

Slide 19

Slide 19 text

݁ہͷॴɺ࡞ऀͱͷ͓෇͖߹͍ • ΋͘͠͸શͯࣗ࡞ɻ(ϋʔυϞʔυ) • ʮܧଓ͓ͯ͠෇͖߹͍͍͚ͯ͠Δ͔Ͳ͏͔ʁʯʮܧଓͨ͠α ϙʔτʯ͸ྑ͍બఆج४ɻ 19

Slide 20

Slide 20 text

• https://wptavern.com/pluginvulnerabilities-com-is- protesting-wordpress-org-support-forum-moderators-by- publishing-zero-day-vulnerabilities • https://www.jp-secure.com/tech/jpsecure-labs/report03/ • https://piyolog.hatenadiary.jp/entry/2019/04/17/183000 • https://capitalp.jp/2017/01/18/sucuri-2016q3/ • https://blog.tokumaru.org/2019/04/Wordpress-Visual-CSS- Style-Editor-privilege-escalation.html?spref=tw 20

Slide 21

Slide 21 text

Thanks! Github: @torounit Twitter: @Toro_Unit Facebook: fb.me/torounit Blog: https://torounit.com 21