Pro Yearly is on sale from $80 to $50! »

WordPress とセキュリティについてかんがえる #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13

E03953e0c18d776fead147601fdc3899?s=47 Toro_Unit (Hiroshi Urabe)
May 25, 2019
Technology
1
39

WordPress とセキュリティについてかんがえる #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13

Shinshu WordPress Meetup vol.13 登壇資料です。

E03953e0c18d776fead147601fdc3899?s=128

Toro_Unit (Hiroshi Urabe)

May 25, 2019
Tweet

More Decks by Toro_Unit (Hiroshi Urabe)

See All by Toro_Unit (Hiroshi Urabe)
E03953e0c18d776fead147601fdc3899?s=48 torounit
4
550
E03953e0c18d776fead147601fdc3899?s=48 torounit
11
1.8k
E03953e0c18d776fead147601fdc3899?s=48 torounit
2
1.2k
E03953e0c18d776fead147601fdc3899?s=48 torounit
4
1k
E03953e0c18d776fead147601fdc3899?s=48 torounit
0
140
E03953e0c18d776fead147601fdc3899?s=48 torounit
0
1.3k
E03953e0c18d776fead147601fdc3899?s=48 torounit
0
130
E03953e0c18d776fead147601fdc3899?s=48 torounit
2
170
E03953e0c18d776fead147601fdc3899?s=48 torounit
0
47

Other Decks in Technology

See All in Technology
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
110
5af8e5bd2f24e4ea0cee732c6cc259b3?s=48 haruharuharuby
0
440
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
130
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
130
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
160
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
170
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
140
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
200
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
180
15a426483f69ea0bcd4c74326d4419e6?s=48 roksolanad
0
130
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
440
07ecb4f6c2111bff7ab4f0412edc773d?s=48 songmu
0
470

Featured

See All Featured
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.3k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
146
19k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
192
8.4k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
6
610
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1349
190k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
326
15k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
7
480
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
296
39k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
585
200k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
23
3.7k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
176
14k
245cee81a9c424266e5e401d844ea881?s=48 lara
590
60k

Transcript

  1. WordPress ͱηΩϡϦ ςΟʹ͍͔ͭͯΜ͕͑Δ Toro_Unit @Shinshu WP Meetup vol.12 1

  2. $ whoami 2

  3. Toro_Unit ઎෦ ߛ (͏Β΂ ͻΖ͠) • Frontend Engineer • WordPress

    Plugin and Theme Developer Github: @torounit Twitter: @Toro_Unit 3

  4. ʮηΩϡϦςΟʯʹ͍ͭͯߟ͑Α͏ͱ͍͏͜ͱͰ 4

  5. ͳΜ͔ͯ͠·͢ʁηΩϡϦςΟରࡦ 5

  6. ࠷௿ݶ • WordPress ͷ࠷৽൛Λ࢖͏ɻ • ࣗಈߋ৽͕ಈ࡞͢ΔΑ͏ʹɻ • ࠷৽൛ͷςʔϚͱϓϥάΠϯΛ࢖͏ɻ 6

  7. WordPress ͷ΁ͷ߈ܸ͋Ε͜Ε Ҿ༻ݩɿJP-Secure Labs Report Vol.03 | ٕज़৘ใ | ιϑτ΢ΣΞWAFͷJP-Secure

    7

  8. • ຊମ΁ͷ߈ܸͱ͍͏ͷ͸࣮͸গͳ͍ɻ • ϓϥάΠϯɾςʔϚ΁ͷ߈ܸ͕6ׂ௒ɻ 8

  9. /wp-content/themes/urbancity/lib/scripts/ download.php?file=../../../../../wp-config.php /wp-content/themes/trinity/lib/scripts/ download.php?file=../../../../../wp-config.php /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php /wp-content/themes/lote27/download.php?download=../../../wp-config.php /wp-content/themes/authentic/includes/download.php? file=../../../../wp-config.php /wp-content/plugins/membership-simplified-for-oap-members-only/

    download.php?download_file=.././.././.././wp-config.php /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php? download_file=../../../wp-config.php Ҿ༻ݩɿJP-Secure Labs Report Vol.03 | ٕज़৘ใ | ιϑτ΢ΣΞWAFͷJP- Secure 9

  10. ެࣜϨϙδτϦͷϓϥάΠϯͰ΋੬ऑੑͷใࠂ͕࠷ۙ͋Γ·͠ ͨɻ ใࠂ೔ ର৅ͷϓϥάΠϯ Πϯετʔϧ਺ όʔδϣϯ ੬ऑੑ 2019/03/15 Easy WP

    SMTP 40ສ݅௒ 1.3.9Ҏલ ؅ཧऀ΁ͷಛݖঢ֨ 2019/03/21 Social Warfare 6ສ݅௒ 3.5.2Ҏલ XSSʢ֨ೲܕʣɺ೚ ҙίʔυͷ࣮ߦ 2019/03/30 Yuzo Related Posts 6ສ݅௒ 5.12.91Ҏલ XSSʢ֨ೲܕʣ 2019/04/09 Visual CSS Style Editor 3ສ݅௒ 7.1.9Ҏલ ؅ཧऀ΁ͷಛݖঢ֨ WordPressϓϥάΠϯΛૂ͏߈ܸ͕׆ൃԽ͍ͯ͠Δ݅Λ·ͱΊͯΈͨ - piyolog 10

  11. Πϯετʔϧ਺͕ଟ͍ != ҆શ • ͻͱͭͷج४ʹ͸ҧ͍ͳ͍͚Ͳɺ҆શੑɾ඼࣭Λอূ͢Δج ४Ͱ͸ͳ͍ɻ 11

  12. ϓϥάΠϯ 10 બʂΈ͍ͨͳهࣄΛӏವΈʹ͠ͳ͍ɻ 12

  13. • ඞਢϓϥάΠϯͳͲͳ͍ʂ • ඞਢϓϥάΠϯͳΜͯॻ͍ͯΔਓͷ৘ใ͸౰ͯʹͳΒΜɻ 13

  14. ςʔϚͷબͼํ 14

  15. • αϙʔτ͸େৎ෉ʁ • ༗ྉ != ඼࣭ɻ඼࣭ʹ΋͍Ζ͍Ζ͋Δɻ 15

  16. • ςʔϚʹಉࠝ͞Ε͍ͯΔϑΥʔϜϓϥάΠϯ͕Ξοϓσʔτ ͞Εͣɺ߈ܸ͞ΕΔͱ͍͏ࣄྫɻ • ༗ྉςʔϚʹ߈ܸίʔυ͕ࠞೖ͍ͯͨ͠έʔε΋ɻ 16

  17. ͱΓ͋͑ͣɺWordPress.org ܝࡌͷςʔϚʹ͓ͯ͘͠ͷ͕ແ೉ɻ • ͜͜ʹܝࡌ͢Δʹ͸ɺςʔϚͷϨϏϡʔΛ௨ա͢Δඞཁ͋Γɻ࠷௿ݶͷ඼࣭ ʢ҆શੑɾ૬ޓӡ༻ੑʣ͸୲อ͞Ε͍ͯΔ • Ծʹ༗ྉςʔϚΛങ͏ͳΒɺhttps://ja.wordpress.org/themes/commercial/ ʹܝࡌ͞Ε͍ͯΔϞϊɺແྉ൛ͳͲΛɺWP.org ʹܝࡌ͍ͯ͠Δ࡞ऀͷϞϊ Λ͓͢͢Ί͠·͢ɻ

    • Snow Monkey • Lightling • LIQUID PRESS • etc... 17

  18. GPL • ແอূ • ࣗ༝ͳෳ੡ɾվมɾ൦෍͕ڐՄ • ίϐʔϨϑτ 18

  19. ݁ہͷॴɺ࡞ऀͱͷ͓෇͖߹͍ • ΋͘͠͸શͯࣗ࡞ɻ(ϋʔυϞʔυ) • ʮܧଓ͓ͯ͠෇͖߹͍͍͚ͯ͠Δ͔Ͳ͏͔ʁʯʮܧଓͨ͠α ϙʔτʯ͸ྑ͍બఆج४ɻ 19

  20. • https://wptavern.com/pluginvulnerabilities-com-is- protesting-wordpress-org-support-forum-moderators-by- publishing-zero-day-vulnerabilities • https://www.jp-secure.com/tech/jpsecure-labs/report03/ • https://piyolog.hatenadiary.jp/entry/2019/04/17/183000 • https://capitalp.jp/2017/01/18/sucuri-2016q3/

    • https://blog.tokumaru.org/2019/04/Wordpress-Visual-CSS- Style-Editor-privilege-escalation.html?spref=tw 20

  21. Thanks! Github: @torounit Twitter: @Toro_Unit Facebook: fb.me/torounit Blog: https://torounit.com 21