{"id":4000,"date":"2017-07-04T15:05:53","date_gmt":"2017-07-04T15:05:53","guid":{"rendered":"http:\/\/musilda.cz\/?p=4000"},"modified":"2017-07-04T15:05:53","modified_gmt":"2017-07-04T15:05:53","slug":"sql-injection-zranitelnost-wp-statistics","status":"publish","type":"post","link":"https:\/\/affinite.io\/cs\/sql-injection-zranitelnost-wp-statistics\/","title":{"rendered":"SQL Injection zranitelnost WP Statistics"},"content":{"rendered":"<p>V r\u00e1mci projektu v\u00fdzkumu zranitelnosti pro <a href=\"https:\/\/sucuri.net\/website-firewall\/\" target=\"_blank\" rel=\"noopener\">firewall Sucuri<\/a> byly auditov\u00e1ny obl\u00edben\u00e9 open source projekty a hled\u00e1ny bezpe\u010dnostn\u00ed probl\u00e9my.<\/p>\n<p>B\u011bhem pr\u00e1ce na pluginu <a href=\"https:\/\/wordpress.org\/plugins\/wp-statistics\/\" target=\"_blank\" rel=\"noopener\">WP Statistics<\/a>, byla objevena zranitelnost SQL Injection. Tento plugin je aktu\u00e1ln\u011b nainstalov\u00e1n na v\u00edce ne\u017e\u00a0<strong>300 000<\/strong>\u00a0webov\u00fdch str\u00e1nk\u00e1ch.<\/p>\n<h2>Jste v nebezpe\u010d\u00ed?<\/h2>\n<p>Tato zranitelnost je zp\u016fsobena nedostate\u010dnou kontrolou dat, poskytnut\u00fdch u\u017eivatelem. \u00dato\u010dn\u00edk s \u00fa\u010dtem na \u00farovni odb\u011bratele by mohl z\u00edskat citliv\u00e1 data a za p\u0159\u00edhodn\u00fdch okolnost\u00ed\/konfigurace dokonce ohrozit instalaci cel\u00e9ho WordPressu.<\/p>\n<p>Pokud m\u00e1te nainstalovanou zranitelnou verzi a va\u0161e str\u00e1nky umo\u017e\u0148uj\u00ed registraci u\u017eivatele, jste ur\u010dit\u011b v nebezpe\u010d\u00ed.<\/p>\n<h2>Technick\u00e9 \u00fadaje<\/h2>\n<p>WordPress poskytuje rozhran\u00ed API, kter\u00e9 umo\u017e\u0148uje v\u00fdvoj\u00e1\u0159\u016fm vytv\u00e1\u0159et obsah, kter\u00fd mohou u\u017eivatel\u00e9 vkl\u00e1dat na ur\u010dit\u00e9 str\u00e1nky pomoc\u00ed jednoduch\u00e9ho shortcodu:<\/p>\n<p>[shortcode atts_1=\u201dtest\u201d atts_2=\u201dtest\u201d]<\/p>\n<p>Krom jin\u00fdch funkc\u00ed, WP Statistics umo\u017e\u0148uje administr\u00e1tor\u016fm z\u00edskat podrobn\u00e9 informace t\u00fdkaj\u00edc\u00ed se po\u010dtu n\u00e1v\u0161t\u011bv pr\u00e1v\u011b t\u00edm, \u017ee zavol\u00e1 n\u00ed\u017ee uveden\u00fd shortcode:<\/p>\n<p><a href=\"http:\/\/musilda.cz\/wp-content\/uploads\/2017\/07\/wpstatistics_shortcode.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4001 aligncenter\" src=\"http:\/\/musilda.cz\/wp-content\/uploads\/2017\/07\/wpstatistics_shortcode.png\" alt=\"\" width=\"600\" height=\"416\" srcset=\"https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2017\/07\/wpstatistics_shortcode.png 600w, https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2017\/07\/wpstatistics_shortcode-300x208.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p>Jak vid\u00edte na obr\u00e1zku v\u00fd\u0161e, n\u011bkter\u00e9 atributy shortcodu <strong>wpstatistics<\/strong> jsou p\u0159ed\u00e1v\u00e1ny jako parametry pro d\u016fle\u017eit\u00e9 funkce, a to by nem\u011blo b\u00fdt probl\u00e9mem, pokud by byly tyto parametry o\u010di\u0161t\u011bny, ale jak uvid\u00edme, tohle nen\u00ed ten p\u0159\u00edpad.<\/p>\n<p>Jedna ze zraniteln\u00fdch funkc\u00ed <strong>wp_statistics_searchengine_query()<\/strong> v souboru &#8222;includes\/functions\/functions.php&#8220; je p\u0159\u00edstupn\u00e1 prost\u0159ednictv\u00edm funkce WordPress &#8218;AJAX d\u00edky z\u00e1kladn\u00ed funkci <strong>wp_ajax_parse_media_shortcode()<\/strong>.<\/p>\n<p>Tato funkce nekontroluje dal\u0161\u00ed opr\u00e1vn\u011bn\u00ed, co\u017e umo\u017en\u00ed registrovan\u00fdm u\u017eivatel\u016fm prov\u00e1d\u011bt tento shortcode a vkl\u00e1dat \u0161kodliv\u00e9 \u00fadaje do jeho atribut\u016f. (Tento \u00fatokov\u00fd vektor byl tak\u00e9 pops\u00e1n <a href=\"https:\/\/blog.sucuri.net\/2016\/08\/sql-injection-vulnerability-ninja-forms.html\" target=\"_blank\" rel=\"noopener\">zde<\/a>).<\/p>\n<p>V mnoha m\u00edstech v k\u00f3du jsou u\u017eivatelsk\u00e9 vstupy poch\u00e1zej\u00edc\u00ed z atribut\u016f shortcodu <strong>wpstatistics\u2019<\/strong> zahrnuty do dotaz\u016f SQL, ani\u017e by byly vy\u010di\u0161t\u011bny. N\u00ed\u017ee je jeden z dotaz\u016f, kter\u00e9 byly vyu\u017eiteln\u00e9:<\/p>\n<p><a href=\"http:\/\/musilda.cz\/wp-content\/uploads\/2017\/07\/wpstatistics_query.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4002 aligncenter\" src=\"http:\/\/musilda.cz\/wp-content\/uploads\/2017\/07\/wpstatistics_query.png\" alt=\"\" width=\"600\" height=\"165\" srcset=\"https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2017\/07\/wpstatistics_query.png 600w, https:\/\/affinite.io\/cs\/wp-content\/uploads\/sites\/2\/2017\/07\/wpstatistics_query-300x83.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p>Funkce <strong>wp_statistics_searchengine_query()<\/strong> vrac\u00ed v podstat\u011b stejnou hodnotu jako ta zadan\u00e1 v <strong>poskytovateli<\/strong> shortcode atribut\u016f a jej\u00ed obsah je p\u0159id\u00e1n p\u0159\u00edmo do dotazu raw SQL query.<\/p>\n<h2>Aktualizujte co nejd\u0159\u00edve<\/h2>\n<p>Pokud pou\u017e\u00edv\u00e1te zranitelnou verzi tohoto pluginu, aktualizujte jej co nejd\u0159\u00edve!<\/p>\n<p>V p\u0159\u00edpad\u011b, \u017ee to nem\u016f\u017eete ud\u011blat, d\u016frazn\u011b doporu\u010dujeme vyu\u017e\u00edvat Sucuri Firewall nebo ekvivalentn\u00ed technologii, aby tuto chybu zabezpe\u010den\u00ed opravdu opravila.<\/p>\n<p>Zdroj:\u00a0<a href=\"https:\/\/blog.sucuri.net\/2017\/06\/sql-injection-vulnerability-wp-statistics.html\" target=\"_blank\" rel=\"noopener\">https:\/\/blog.sucuri.net\/2017\/06\/sql-injection-vulnerability-wp-statistics.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>V r\u00e1mci projektu v\u00fdzkumu zranitelnosti pro firewall Sucuri byly auditov\u00e1ny obl\u00edben\u00e9 open source projekty a hled\u00e1ny bezpe\u010dnostn\u00ed probl\u00e9my. B\u011bhem pr\u00e1ce na pluginu WP Statistics, byla objevena zranitelnost SQL Injection. Tento plugin je aktu\u00e1ln\u011b nainstalov\u00e1n na v\u00edce ne\u017e\u00a0300 000\u00a0webov\u00fdch str\u00e1nk\u00e1ch. Jste v nebezpe\u010d\u00ed? Tato zranitelnost je zp\u016fsobena nedostate\u010dnou kontrolou dat, poskytnut\u00fdch u\u017eivatelem. \u00dato\u010dn\u00edk s \u00fa\u010dtem na<\/p>\n","protected":false},"author":1,"featured_media":4003,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-4000","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost-wordpressu"],"_links":{"self":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts\/4000"}],"collection":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/comments?post=4000"}],"version-history":[{"count":0,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts\/4000\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/media\/4003"}],"wp:attachment":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/media?parent=4000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/categories?post=4000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/tags?post=4000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}