Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress とセキュリティについてかんがえる #wpshinshu / 2019-05...
Search
Toro_Unit (Hiroshi Urabe)
May 25, 2019
Technology
1
85
WordPress とセキュリティについてかんがえる #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13
Shinshu WordPress Meetup vol.13 登壇資料です。
Toro_Unit (Hiroshi Urabe)
May 25, 2019
Tweet
Share
More Decks by Toro_Unit (Hiroshi Urabe)
See All by Toro_Unit (Hiroshi Urabe)
ブロックテーマでサイトリニューアルした話 / Toro_Unit / 2025.04.12 @ Shinshu WordPress Meetup
torounit
0
150
Cloudflare Meetup Nagano Vol.3
torounit
1
67
僕が考える 「HTML サイトを WordPress にする」話 / 2023-11-05 Kansai WordPress Meetup
torounit
9
7.6k
Cloudflare Pages に入門してみた / 2023-10-14 Cloudflare Meetup Nagano Vol.2
torounit
2
1.7k
ブロックエディタをゴリゴリに使い倒してサイトを作った話 / Kansai WordPress Meetup 2023 09 23
torounit
14
10k
ブロックエディターカスタマイズことはじめ #wpshinshu / 2023-06-17 Shinshu WordPress Meetup vol.24
torounit
1
390
FSE時代におけるWEBサイト制作の研究 #wpshinshu / 2023-05-20 Shinshu WordPress Meetup vol.23
torounit
0
430
ブロックエディターを用いたWEBサイト開発とカスタムフィールドのあり方を考える。/ WordCamp Japan 2021
torounit
0
560
ブロックエディターで変わる、WordPress でのウェブサイト開発 / SaCSS Special 26
torounit
4
870
Other Decks in Technology
See All in Technology
[2025年4月版] Databricks Academy ラボ環境 利用開始手順 / Databricks Academy Labs Onboarding
databricksjapan
0
140
4/17/25 - CIJUG - Java Meets AI: Build LLM-Powered Apps with LangChain4j (part 2)
edeandrea
PRO
0
110
Ops-JAWS_Organizations小ネタ3選.pdf
chunkof
2
170
React ABC Questions
hirotomoyamada
0
150
システムとの会話から生まれる先手のDevOps
kakehashi
PRO
0
280
SREからゼロイチプロダクト開発へ ー越境する打席の立ち方と期待への応え方ー / Product Engineering Night #8
itkq
2
750
watsonx.data上のベクトル・データベース Milvusを見てみよう/20250418-milvus-dojo
mayumihirano
0
110
DuckDB MCPサーバーを使ってAWSコストを分析させてみた / AWS cost analysis with DuckDB MCP server
masahirokawahara
0
1.3k
クォータ監視、AWS Organizations環境でも楽勝です✌️
iwamot
PRO
1
310
技術者はかっこいいものだ!!~キルラキルから学んだエンジニアの生き方~
masakiokuda
2
260
ここはMCPの夜明けまえ
nwiizo
11
5.2k
クラウド開発環境Cloud Workstationsの紹介
yunosukey
0
170
Featured
See All Featured
Into the Great Unknown - MozCon
thekraken
37
1.7k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
41
2.2k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
660
GitHub's CSS Performance
jonrohan
1030
460k
How GitHub (no longer) Works
holman
314
140k
Agile that works and the tools we love
rasmusluckow
328
21k
Mobile First: as difficult as doing things right
swwweet
223
9.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Optimizing for Happiness
mojombo
377
70k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
390
Site-Speed That Sticks
csswizardry
5
490
Transcript
WordPress ͱηΩϡϦ ςΟʹ͍͔ͭͯΜ͕͑Δ Toro_Unit @Shinshu WP Meetup vol.12 1
$ whoami 2
Toro_Unit ෦ ߛ (͏Β ͻΖ͠) • Frontend Engineer • WordPress
Plugin and Theme Developer Github: @torounit Twitter: @Toro_Unit 3
ʮηΩϡϦςΟʯʹ͍ͭͯߟ͑Α͏ͱ͍͏͜ͱͰ 4
ͳΜ͔ͯ͠·͢ʁηΩϡϦςΟରࡦ 5
࠷ݶ • WordPress ͷ࠷৽൛Λ͏ɻ • ࣗಈߋ৽͕ಈ࡞͢ΔΑ͏ʹɻ • ࠷৽൛ͷςʔϚͱϓϥάΠϯΛ͏ɻ 6
WordPress ͷͷ߈ܸ͋Ε͜Ε Ҿ༻ݩɿJP-Secure Labs Report Vol.03 | ٕज़ใ | ιϑτΣΞWAFͷJP-Secure
7
• ຊମͷ߈ܸͱ͍͏ͷ࣮গͳ͍ɻ • ϓϥάΠϯɾςʔϚͷ߈ܸ͕6ׂɻ 8
/wp-content/themes/urbancity/lib/scripts/ download.php?file=../../../../../wp-config.php /wp-content/themes/trinity/lib/scripts/ download.php?file=../../../../../wp-config.php /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php /wp-content/themes/lote27/download.php?download=../../../wp-config.php /wp-content/themes/authentic/includes/download.php? file=../../../../wp-config.php /wp-content/plugins/membership-simplified-for-oap-members-only/
download.php?download_file=.././.././.././wp-config.php /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php? download_file=../../../wp-config.php Ҿ༻ݩɿJP-Secure Labs Report Vol.03 | ٕज़ใ | ιϑτΣΞWAFͷJP- Secure 9
ެࣜϨϙδτϦͷϓϥάΠϯͰ੬ऑੑͷใࠂ͕࠷ۙ͋Γ·͠ ͨɻ ใࠂ ରͷϓϥάΠϯ Πϯετʔϧ όʔδϣϯ ੬ऑੑ 2019/03/15 Easy WP
SMTP 40ສ݅ 1.3.9Ҏલ ཧऀͷಛݖঢ֨ 2019/03/21 Social Warfare 6ສ݅ 3.5.2Ҏલ XSSʢ֨ೲܕʣɺ ҙίʔυͷ࣮ߦ 2019/03/30 Yuzo Related Posts 6ສ݅ 5.12.91Ҏલ XSSʢ֨ೲܕʣ 2019/04/09 Visual CSS Style Editor 3ສ݅ 7.1.9Ҏલ ཧऀͷಛݖঢ֨ WordPressϓϥάΠϯΛૂ͏߈ܸ͕׆ൃԽ͍ͯ͠Δ݅Λ·ͱΊͯΈͨ - piyolog 10
Πϯετʔϧ͕ଟ͍ != ҆શ • ͻͱͭͷج४ʹҧ͍ͳ͍͚Ͳɺ҆શੑɾ࣭Λอূ͢Δج ४Ͱͳ͍ɻ 11
ϓϥάΠϯ 10 બʂΈ͍ͨͳهࣄΛӏವΈʹ͠ͳ͍ɻ 12
• ඞਢϓϥάΠϯͳͲͳ͍ʂ • ඞਢϓϥάΠϯͳΜͯॻ͍ͯΔਓͷใͯʹͳΒΜɻ 13
ςʔϚͷબͼํ 14
• αϙʔτେৎʁ • ༗ྉ != ࣭ɻ࣭ʹ͍Ζ͍Ζ͋Δɻ 15
• ςʔϚʹಉࠝ͞Ε͍ͯΔϑΥʔϜϓϥάΠϯ͕Ξοϓσʔτ ͞Εͣɺ߈ܸ͞ΕΔͱ͍͏ࣄྫɻ • ༗ྉςʔϚʹ߈ܸίʔυ͕ࠞೖ͍ͯͨ͠έʔεɻ 16
ͱΓ͋͑ͣɺWordPress.org ܝࡌͷςʔϚʹ͓ͯ͘͠ͷ͕ແɻ • ͜͜ʹܝࡌ͢ΔʹɺςʔϚͷϨϏϡʔΛ௨ա͢Δඞཁ͋Γɻ࠷ݶͷ࣭ ʢ҆શੑɾ૬ޓӡ༻ੑʣ୲อ͞Ε͍ͯΔ • Ծʹ༗ྉςʔϚΛങ͏ͳΒɺhttps://ja.wordpress.org/themes/commercial/ ʹܝࡌ͞Ε͍ͯΔϞϊɺແྉ൛ͳͲΛɺWP.org ʹܝࡌ͍ͯ͠Δ࡞ऀͷϞϊ Λ͓͢͢Ί͠·͢ɻ
• Snow Monkey • Lightling • LIQUID PRESS • etc... 17
GPL • ແอূ • ࣗ༝ͳෳɾվมɾ൦͕ڐՄ • ίϐʔϨϑτ 18
݁ہͷॴɺ࡞ऀͱͷ͓͖߹͍ • ͘͠શͯࣗ࡞ɻ(ϋʔυϞʔυ) • ʮܧଓ͓͖ͯ͠߹͍͍͚ͯ͠Δ͔Ͳ͏͔ʁʯʮܧଓͨ͠α ϙʔτʯྑ͍બఆج४ɻ 19
• https://wptavern.com/pluginvulnerabilities-com-is- protesting-wordpress-org-support-forum-moderators-by- publishing-zero-day-vulnerabilities • https://www.jp-secure.com/tech/jpsecure-labs/report03/ • https://piyolog.hatenadiary.jp/entry/2019/04/17/183000 • https://capitalp.jp/2017/01/18/sucuri-2016q3/
• https://blog.tokumaru.org/2019/04/Wordpress-Visual-CSS- Style-Editor-privilege-escalation.html?spref=tw 20
Thanks! Github: @torounit Twitter: @Toro_Unit Facebook: fb.me/torounit Blog: https://torounit.com 21