{"id":2921,"date":"2016-05-03T20:41:31","date_gmt":"2016-05-03T20:41:31","guid":{"rendered":"http:\/\/musilda.cz\/?p=2921"},"modified":"2016-05-03T20:41:31","modified_gmt":"2016-05-03T20:41:31","slug":"xss-zranitelnost-v-pluginu-bbpress","status":"publish","type":"post","link":"https:\/\/affinite.io\/cs\/xss-zranitelnost-v-pluginu-bbpress\/","title":{"rendered":"XSS zranitelnost v pluginu bbPress"},"content":{"rendered":"<p>bbPress je popul\u00e1rn\u00ed WordPress plugin, kter\u00fd je aktivn\u00ed na 300 000 webech po cel\u00e9m sv\u011bt\u011b. A pr\u00e1v\u011b v n\u011bm, ojev\u00edl t\u00fdm ze Sucuri, XSS zranitelnost.<\/p>\n<p>Tato chyba, umo\u017e\u0148uje potencion\u00e1ln\u00edm \u00fato\u010dn\u00edk\u016fm, vlo\u017eit \u0161kodliv\u00fd k\u00f3d, do \u010dl\u00e1nk\u016f, nebo koment\u00e1\u0159\u016f. N\u00e1sledn\u011b m\u016f\u017ee \u00fato\u010dn\u00edk z\u00edskat p\u0159\u00edstupy, nebo opr\u00e1vn\u011bn\u00ed jin\u00fdch u\u017eivatel\u016f a napadnout web.<\/p>\n<p>Nyn\u00ed ke konkr\u00e9tn\u00ed chyb\u011b &#8211; v\u0161echny p\u0159\u00edsp\u011bvky a odpov\u011bdi, jsou sanitov\u00e1ny, pomoc\u00ed funkce wp_kses(), kter\u00e1 se zjednodu\u0161en\u011b \u0159e\u010deno, star\u00e1 o to, aby v obsahu byly jen povolen\u00e9 tagy a jejich atributy.<\/p>\n<p>N\u00e1sledn\u011b je obsah odesl\u00e1n do n\u011bkolika hook\u016f bbPressu. A jeden z nich &#8211;\u00a0bbp_mention_filter, pou\u017e\u00edv\u00e1 regul\u00e1rn\u00ed v\u00fdraz, kter\u00fd hled\u00e1 tak zvan\u00e9 zm\u00ednky. A v pou\u017eit\u00ed tohoto regul\u00e1ru je skryt\u00e1 XSS zranitelnost.<\/p>\n<p>Verze bbPressu 2.5.9, kter\u00e1 byla vyd\u00e1na 2.5.2016 ji\u017e tuto chybu opravuje.<\/p>\n<p>Detaily o zranitelnosti <a href=\"https:\/\/blog.sucuri.net\/2016\/05\/security-advisory-stored-xss-bbpress-2.html\" target=\"_blank\" rel=\"noopener\">najdete zde<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>bbPress je popul\u00e1rn\u00ed WordPress plugin, kter\u00fd je aktivn\u00ed na 300 000 webech po cel\u00e9m sv\u011bt\u011b. A pr\u00e1v\u011b v n\u011bm, ojev\u00edl t\u00fdm ze Sucuri, XSS zranitelnost. Tato chyba, umo\u017e\u0148uje potencion\u00e1ln\u00edm \u00fato\u010dn\u00edk\u016fm, vlo\u017eit \u0161kodliv\u00fd k\u00f3d, do \u010dl\u00e1nk\u016f, nebo koment\u00e1\u0159\u016f. N\u00e1sledn\u011b m\u016f\u017ee \u00fato\u010dn\u00edk z\u00edskat p\u0159\u00edstupy, nebo opr\u00e1vn\u011bn\u00ed jin\u00fdch u\u017eivatel\u016f a napadnout web. Nyn\u00ed ke konkr\u00e9tn\u00ed chyb\u011b &#8211; v\u0161echny<\/p>\n","protected":false},"author":1,"featured_media":2807,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[6],"tags":[],"class_list":["post-2921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost-wordpressu"],"uagb_featured_image_src":{"full":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false],"thumbnail":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield-150x120.jpg",150,120,true],"medium":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false],"medium_large":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false],"large":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false],"1536x1536":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false],"2048x2048":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false],"archive-list":["https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2016\/03\/shield.jpg",179,120,false]},"uagb_author_info":{"display_name":"Affinite","author_link":"https:\/\/affinite.io\/cs\/author\/affinite\/"},"uagb_comment_info":0,"uagb_excerpt":"bbPress je popul\u00e1rn\u00ed WordPress plugin, kter\u00fd je aktivn\u00ed na 300 000 webech po cel\u00e9m sv\u011bt\u011b. A pr\u00e1v\u011b v n\u011bm, ojev\u00edl t\u00fdm ze Sucuri, XSS zranitelnost. Tato chyba, umo\u017e\u0148uje potencion\u00e1ln\u00edm \u00fato\u010dn\u00edk\u016fm, vlo\u017eit \u0161kodliv\u00fd k\u00f3d, do \u010dl\u00e1nk\u016f, nebo koment\u00e1\u0159\u016f. N\u00e1sledn\u011b m\u016f\u017ee \u00fato\u010dn\u00edk z\u00edskat p\u0159\u00edstupy, nebo opr\u00e1vn\u011bn\u00ed jin\u00fdch u\u017eivatel\u016f a napadnout web. Nyn\u00ed ke konkr\u00e9tn\u00ed chyb\u011b &#8211; v\u0161echny","_links":{"self":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts\/2921"}],"collection":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/comments?post=2921"}],"version-history":[{"count":0,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts\/2921\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/media\/2807"}],"wp:attachment":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/media?parent=2921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/categories?post=2921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/tags?post=2921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}