Thinking about WordPress and security #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13
Toro_Unit (Hiroshi Urabe)
May 25, 2019
Technology
Slides from Shinshu WordPress Meetup vol.13.
Transcript
Thinking about WordPress and security
Toro_Unit @Shinshu WP Meetup vol.12

$ whoami

Toro_Unit (Hiroshi Urabe)
• Frontend Engineer
• WordPress Plugin and Theme Developer
Github: @torounit  Twitter: @Toro_Unit
So, let's think about "security".

Security measures: are you actually doing anything?

The bare minimum:
• Use the latest version of WordPress.
• Make sure automatic updates are actually running.
• Use the latest versions of your themes and plugins.
Various attacks on WordPress
Source: JP-Secure Labs Report Vol.03 | Technical information | JP-Secure (software WAF vendor)

• Attacks on core itself are actually few.
• Attacks on plugins and themes account for 60%.
Example attack requests seen in the wild (path traversal aimed at wp-config.php through theme and plugin download scripts):
/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
/wp-content/themes/lote27/download.php?download=../../../wp-config.php
/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=.././.././.././wp-config.php
/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
Source: JP-Secure Labs Report Vol.03 | Technical information | JP-Secure (software WAF vendor)
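As an added example that is not part of the deck, here is a defender-side check that scans constructed Apache access-log lines for the kind of wp-config.php traversal requests listed above, including URL-encoded and double-encoded variants. The log lines, IPs and timestamps are made up for this example; a 200 response to such a request means the vulnerable download script was present on the site and the file may have been served, while a 404 is blind mass probing.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic);
# the first three mirror the request shapes listed on the slide.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2019:10:01:02 +0900] "GET /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.5 - - [25/May/2019:10:01:03 +0900] "GET /wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=.././.././.././wp-config.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2019:10:02:00 +0900] "GET /wp-content/themes/lote27/download.php?download=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 512 "-" "curl/7.64.0"
192.0.2.9 - - [25/May/2019:10:03:00 +0900] "GET /wp-content/uploads/2019/05/photo.jpg HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
192.0.2.9 - - [25/May/2019:10:03:01 +0900] "GET /?s=wp-config.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ip, "-", "-", [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the decoded value: "../", "/../" and "./../" all match.
DOTDOT_SEGMENT_RE = re.compile(r'(^|/)\.\.(/|$)')


def is_wp_config_traversal(target):
    """True if any query value of the request decodes to a '..' path ending in wp-config.php."""
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote catches double-encoded %252E%252E%252F
        decoded = unquote(value)
        if DOTDOT_SEGMENT_RE.search(decoded) and decoded.endswith("wp-config.php"):
            return True
    return False


def find_wp_config_traversals(log_text):
    """Return (ip, status, target) for every request that looks like a wp-config.php traversal.
    Status 200 means the download script existed and may have served the file; 404 is blind probing."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_wp_config_traversal(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_wp_config_traversals(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Any 200 hit should be treated as a possible wp-config.php disclosure (rotate the database credentials and salts, then remove the download script); the same check works on a WAF or reverse-proxy log with a different LOG_RE.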
There have recently been vulnerability reports for plugins in the official repository.

Reported     Plugin                    Installs   Affected versions     Vulnerability
2019/03/15   Easy WP SMTP              400,000    1.3.9 and earlier     Privilege escalation to administrator
2019/03/21   Social Warfare            60,000     3.5.2 and earlier     Stored XSS, arbitrary code execution
2019/03/30   Yuzo Related Posts        60,000     5.12.91 and earlier   Stored XSS
2019/04/09   Visual CSS Style Editor   30,000     7.1.9 and earlier     Privilege escalation to administrator
Source: piyolog, "WordPressプラグインを狙う攻撃が活発化している件をまとめてみた" (a roundup of the surge in attacks targeting WordPress plugins)
Many installs != safe
• It is certainly one criterion, but not one that guarantees safety or quality.

Don't take "Top 10 WordPress plugins!" style articles at face value.

• There is no such thing as a "must-have plugin"!
• Information from people who write about "must-have plugins" is not to be relied on.
How to choose a theme

• Is support OK?
• Paid != quality. Quality varies a lot.

• Cases where a form plugin bundled with a theme was never updated and ended up attacked.
• A case where attack code had been slipped into a paid theme.

For now, the safe choice is a theme listed on WordPress.org.
• To be listed there, a theme has to pass theme review, so a minimum level of quality (safety and interoperability) is assured.
• If you do buy a paid theme, I recommend one listed at https://ja.wordpress.org/themes/commercial/, or one from an author who also publishes a free version or similar on WP.org.
• Snow Monkey
• Lightning
• LIQUID PRESS
• etc...
GPL
• No warranty
• Free copying, modification and redistribution are permitted
• Copyleft

In the end, it comes down to your relationship with the author
• Or else build everything yourself (hard mode).
• "Can I keep working with this author long-term?" and "continued support" are good selection criteria.
References
• https://wptavern.com/pluginvulnerabilities-com-is-protesting-wordpress-org-support-forum-moderators-by-publishing-zero-day-vulnerabilities
• https://www.jp-secure.com/tech/jpsecure-labs/report03/
• https://piyolog.hatenadiary.jp/entry/2019/04/17/183000
• https://capitalp.jp/2017/01/18/sucuri-2016q3/
• https://blog.tokumaru.org/2019/04/Wordpress-Visual-CSS-Style-Editor-privilege-escalation.html?spref=tw
Thanks!
Github: @torounit  Twitter: @Toro_Unit  Facebook: fb.me/torounit  Blog: https://torounit.com