
Thinking about WordPress and security (WordPress とセキュリティについてかんがえる) #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13


Slides from the talk given at Shinshu WordPress Meetup vol.13, by Toro_Unit (Hiroshi Urabe).

Transcript

  1. Thinking about WordPress and security
    Toro_Unit @Shinshu WP Meetup vol.12

  2. $ whoami

  3. Toro_Unit
    Hiroshi Urabe (占部 紘)
    • Frontend Engineer
    • WordPress Plugin and Theme Developer
    Github: @torounit
    Twitter: @Toro_Unit

  4. So, let's think about "security"

  5. Security measures: are you doing anything?

  6. The bare minimum
    • Use the latest version of WordPress.
    • Make sure automatic updates are actually working.
    • Use the latest versions of your themes and plugins.

  7. Various attacks on WordPress
    Source: JP-Secure Labs Report Vol.03 | Technical Information | JP-Secure (software WAF)

  8. • Attacks on WordPress core itself are actually few.
    • Attacks on plugins and themes account for over 60%.

  9. /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
    /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
    /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
    /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
    /wp-content/themes/lote27/download.php?download=../../../wp-config.php
    /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
    /wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=.././.././.././wp-config.php
    /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
    Source: JP-Secure Labs Report Vol.03 | Technical Information | JP-Secure (software WAF)
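The request paths on this slide are directory-traversal attempts against theme and plugin download handlers, each walking up from the handler's directory to read wp-config.php (database credentials and salts). As an added example, not code from the slides or from any of the themes and plugins named above, the Python below shows the two things a defender wants here: the confinement check such a handler must perform before opening a client-supplied file name, and a small detector that flags these requests in web-server access logs, including percent-encoded and double-encoded variants that a plain string match on `../` would miss. The base directory and the access-log lines are constructed for the example; the request targets in the log are the ones shown on the slide.

```python
import os
import re
from urllib.parse import unquote, urlsplit, parse_qsl


def is_confined(base_dir, requested):
    """Return True only if `requested`, resolved against base_dir, stays inside it.

    This is the check the vulnerable download.php handlers lacked. realpath()
    collapses '..' segments and follows symlinks, and commonpath() (rather than
    a startswith() test) stops '/srv/files2' from passing as inside '/srv/files'.
    """
    base = os.path.realpath(base_dir)
    # An absolute `requested` makes os.path.join discard base_dir entirely,
    # which realpath/commonpath then catch as an escape.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base:  # the directory itself is never a downloadable file
        return False
    return os.path.commonpath([base, candidate]) == base


# Constructed sample of combined-format access-log lines (addresses are
# documentation ranges); the request targets are the ones on the slide.
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2019:10:00:01 +0900] "GET /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.10 - - [25/May/2019:10:00:02 +0900] "GET /wp-content/themes/lote27/download.php?download=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2019:10:00:03 +0900] "GET /wp-content/uploads/2019/05/report.pdf HTTP/1.1" 200 58112 "-" "Mozilla/5.0"
203.0.113.10 - - [25/May/2019:10:00:04 +0900] "GET /wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=.././.././.././wp-config.php HTTP/1.1" 200 3210 "-" "curl/7.64.0"
198.51.100.7 - - [25/May/2019:10:00:05 +0900] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Request line and status code of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A '..' path segment on its own, not e.g. a file called 'notes..txt'.
TRAVERSAL_SEGMENT = re.compile(r'(^|/)\.\.(/|$)')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Describe traversal indicators in one request target, or None if it looks benign."""
    parts = urlsplit(target)
    hits = []
    # parse_qsl already decodes one layer; decode_fully handles the rest and
    # backslashes are normalised so Windows-style '..\\' is seen as well.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value).replace("\\", "/")
        if TRAVERSAL_SEGMENT.search(value):
            hits.append((key, value))
    path = decode_fully(parts.path)
    if TRAVERSAL_SEGMENT.search(path):
        hits.append(("path", path))
    if not hits:
        return None
    return {
        "script": parts.path,
        "params": hits,
        "targets_wp_config": any(v.endswith("wp-config.php") for _, v in hits),
    }


def find_traversal_attempts(log_text):
    """Run classify_request() over every log line; return one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = classify_request(m.group("target"))
        if info:
            info["client"] = line.split(" ", 1)[0]
            info["status"] = m.group("status")
            findings.append(info)
    return findings


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["script"], hit["params"])
```

A hit with a 200 status on a wp-config.php target is the one to triage first, since the handler may well have returned the file. The detector only sees what has already been tried, so it sits alongside, not instead of, the bare-minimum measures on slide 6 and the confinement check in the handler itself.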

  10. Vulnerabilities have recently been reported even in plugins from the official repository.
    Reported    Plugin                   Installs       Versions             Vulnerability
    2019/03/15  Easy WP SMTP             over 400,000   1.3.9 and earlier    Privilege escalation to administrator
    2019/03/21  Social Warfare           over 60,000    3.5.2 and earlier    XSS (stored), arbitrary code execution
    2019/03/30  Yuzo Related Posts       over 60,000    5.12.91 and earlier  XSS (stored)
    2019/04/09  Visual CSS Style Editor  over 30,000    7.1.9 and earlier    Privilege escalation to administrator
    Source: piyolog, "A roundup of the surge in attacks targeting WordPress plugins" (WordPressプラグインを狙う攻撃が活発化している件をまとめてみた)

  11. Many installs != safe
    • It is certainly one criterion, but not one that guarantees safety or quality.

  12. Don't swallow "Top 10 plugins!"-style articles whole.

  13. • There is no such thing as a "must-have plugin"!
    • Information from people who write about "must-have plugins" can't be relied on.

  14. How to choose a theme

  15. • Is the support OK?
    • Paid != quality. And "quality" itself comes in many kinds.

  16. • A real case: a form plugin bundled with a theme was never updated, and the site got attacked through it.
    • There have also been cases of attack code mixed into paid themes.

  17. For a start, sticking to themes listed on WordPress.org is the safe choice.
    • To be listed there, a theme has to pass the theme review, so a minimum level of quality (security and interoperability) is guaranteed.
    • If you do buy a paid theme, I recommend one listed at https://ja.wordpress.org/themes/commercial/, or one from an author who also has a free version or other work listed on WP.org.
    • Snow Monkey
    • Lightning
    • LIQUID PRESS
    • etc...

  18. GPL
    • No warranty
    • Free copying, modification and redistribution are permitted
    • Copyleft

  19. In the end, it comes down to your relationship with the author
    • Or build everything yourself (hard mode).
    • "Can I keep working with this author over the long term?" and "ongoing support" are good selection criteria.

  20. • https://wptavern.com/pluginvulnerabilities-com-is-protesting-wordpress-org-support-forum-moderators-by-publishing-zero-day-vulnerabilities
    • https://www.jp-secure.com/tech/jpsecure-labs/report03/
    • https://piyolog.hatenadiary.jp/entry/2019/04/17/183000
    • https://capitalp.jp/2017/01/18/sucuri-2016q3/
    • https://blog.tokumaru.org/2019/04/Wordpress-Visual-CSS-Style-Editor-privilege-escalation.html?spref=tw

  21. Thanks!
    Github: @torounit
    Twitter: @Toro_Unit
    Facebook: fb.me/torounit
    Blog: https://torounit.com