Thinking about WordPress and security #wpshinshu / 2019-05-25 Shinshu WordPress Meetup vol.13
Toro_Unit (Hiroshi Urabe)
May 25, 2019
Technology
Slides from my talk at Shinshu WordPress Meetup vol.13.
Transcript
Slide 1: Thinking about WordPress and security. Toro_Unit @Shinshu WP Meetup vol.12
Slide 2: $ whoami
Slide 3: Toro_Unit (Hiroshi Urabe) • Frontend Engineer • WordPress Plugin and Theme Developer. Github: @torounit Twitter: @Toro_Unit
Slide 4: So, let's think about "security".
Slide 5: Security measures: are you doing anything?
Slide 6: The bare minimum • Use the latest version of WordPress. • Make sure automatic updates are working. • Use the latest versions of your themes and plugins.
Slide 7: Assorted attacks against WordPress. Source: JP-Secure Labs Report Vol.03 | Technical information | JP-Secure, the software WAF vendor
Slide 8: • Attacks on WordPress core itself are actually few. • Attacks on plugins and themes account for 60%.
Slide 9: Attack requests against theme and plugin download scripts, all aiming at wp-config.php:
/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
/wp-content/themes/lote27/download.php?download=../../../wp-config.php
/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=.././.././.././wp-config.php
/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
Source: JP-Secure Labs Report Vol.03 | Technical information | JP-Secure, the software WAF vendor
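Detection logic for the request shapes listed on slide 9, as an added example that is not part of the deck or of the JP-Secure report. It parses Apache combined-format access-log lines (the sample lines are constructed, not real traffic; the IPs are documentation ranges) and flags any theme or plugin script that is asked, through a query parameter, for a file that resolves outside the script's own directory, which is exactly what a naive `readfile($dir . $_GET['file'])` would serve. Percent-encoding is stripped repeatedly so double-encoded traversal is not missed, and the summary counts how many traversal requests got a 200, since those are the ones to treat as a possible wp-config.php disclosure. The log format, the `SENSITIVE_FILES` set and the function names are this example's own assumptions; Python standard library only.

```python
"""Flag WordPress theme/plugin download requests that attempt path traversal.

Added example, not code from the talk or from JP-Secure. Runs offline on the
constructed sample lines below.
"""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format (assumption: adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Only theme and plugin scripts are checked, matching the slide's request shapes.
COMPONENT_RE = re.compile(r'^/wp-content/(?P<kind>themes|plugins)/(?P<name>[^/]+)/')
# Files whose disclosure is worst; the set is this example's own choice.
SENSITIVE_FILES = {'wp-config.php', '.htaccess', 'passwd'}

# Constructed sample log lines (not real traffic): three traversal attempts
# shaped like the slide's list, one of them double-encoded, plus two benign hits.
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2019:10:00:01 +0900] "GET /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [25/May/2019:10:00:02 +0900] "GET /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2019:10:00:03 +0900] "GET /wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=.././.././.././wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.64.0"
198.51.100.8 - - [25/May/2019:10:00:04 +0900] "GET /wp-content/themes/lote27/download.php?download=brochure.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.9 - - [25/May/2019:10:00:05 +0900] "GET /wp-content/plugins/akismet/_inc/akismet.js?ver=4.1 HTTP/1.1" 200 19021 "-" "Mozilla/5.0"
"""


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so '..%252F' (double-encoded) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target):
    """Return a finding dict if a theme/plugin script is asked for a file that
    resolves outside the script's own directory, else None."""
    parts = urlsplit(target)
    comp = COMPONENT_RE.match(parts.path)
    if not comp:
        return None
    script_dir = posixpath.dirname(parts.path)
    for param, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_unquote(raw).replace('\\', '/')
        # Resolve the value the way a naive `readfile($dir . $value)` would;
        # an absolute value such as /etc/passwd also lands outside script_dir.
        resolved = posixpath.normpath(posixpath.join(script_dir, value))
        if resolved == script_dir or resolved.startswith(script_dir + '/'):
            continue  # stays inside the handler's directory
        return {
            'kind': comp.group('kind'),
            'component': comp.group('name'),
            'param': param,
            'resolved': resolved,
            'sensitive': posixpath.basename(resolved) in SENSITIVE_FILES,
        }
    return None


def scan_log(text):
    """Run the check over log lines; lines that do not parse are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group('target'))
        if finding:
            finding.update(ip=m.group('ip'), status=int(m.group('status')))
            findings.append(finding)
    return findings


def summarize(findings):
    """Traversal attempts per component type, plus how many were answered 200
    (a 200 on a traversal request means the file may actually have been served)."""
    summary = {'themes': 0, 'plugins': 0, 'served': 0}
    for f in findings:
        summary[f['kind']] += 1
        if f['status'] == 200:
            summary['served'] += 1
    return summary


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['kind']}/{h['component']} param={h['param']} "
              f"-> {h['resolved']} status={h['status']} sensitive={h['sensitive']}")
    print(summarize(hits))
```

The check is deliberately on the resolved path rather than on the literal string `..`, so `.././../` variants, absolute paths and double-encoded separators all fall out of the same rule; the same containment test (resolve, then require the result to start with the allowed directory) is what a hardened download handler should apply before opening anything.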
Slide 10: There have been recent vulnerability reports for plugins in the official repository.
Reported | Affected plugin | Installs | Version | Vulnerability
2019/03/15 | Easy WP SMTP | 400,000 | 1.3.9 and earlier | administrator privilege escalation
2019/03/21 | Social Warfare | 60,000 | 3.5.2 and earlier | XSS (stored), arbitrary code execution
2019/03/30 | Yuzo Related Posts | 60,000 | 5.12.91 and earlier | XSS (stored)
2019/04/09 | Visual CSS Style Editor | 30,000 | 7.1.9 and earlier | administrator privilege escalation
Source: "A round-up of the surge in attacks targeting WordPress plugins" - piyolog
Slide 11: Many installs != safe • It is certainly one criterion, but not one that guarantees safety or quality.
Slide 12: Don't take "Top 10 plugins!" style articles at face value.
Slide 13: • There is no such thing as a must-have plugin! • Information from anyone who writes about "must-have plugins" is not to be relied on.
Slide 14: How to choose a theme
Slide 15: • Is the support OK? • Paid != quality. Quality comes in many forms.
Slide 16: • Cases where a form plugin bundled with a theme was never updated and was attacked. • A case where attack code had been slipped into a paid theme.
Slide 17: For now, the safe bet is a theme listed on WordPress.org. • To be listed there a theme must pass the theme review, so a minimum level of quality (safety and interoperability) is assured. • If you do buy a paid theme, I recommend one listed at https://ja.wordpress.org/themes/commercial/, or one from an author who also has a free version etc. listed on WP.org. • Snow Monkey • Lightning • LIQUID PRESS • etc...
Slide 18: GPL • No warranty • Free copying, modification and redistribution are permitted • Copyleft
Slide 19: In the end, it comes down to your relationship with the author. • Or else build everything yourself (hard mode). • "Can you keep working with them going forward?" and "sustained support" are good selection criteria.
Slide 20:
• https://wptavern.com/pluginvulnerabilities-com-is-protesting-wordpress-org-support-forum-moderators-by-publishing-zero-day-vulnerabilities
• https://www.jp-secure.com/tech/jpsecure-labs/report03/
• https://piyolog.hatenadiary.jp/entry/2019/04/17/183000
• https://capitalp.jp/2017/01/18/sucuri-2016q3/
• https://blog.tokumaru.org/2019/04/Wordpress-Visual-CSS-Style-Editor-privilege-escalation.html?spref=tw
Slide 21: Thanks! Github: @torounit Twitter: @Toro_Unit Facebook: fb.me/torounit Blog: https://torounit.com