Critical vulnerability in the OneTone theme

Published 2020-04-18 at https://affinite.io/cs/kriticka-zranitelnost-v-sablone-onetone/ (category: WordPress security)

The WordPress theme OneTone contains a critical vulnerability that allows attackers to plant malicious code into your website.

A few days ago a customer contacted us saying that his website had been compromised and that even after he cleaned it, the infection was back within moments.

At first we assumed it was the infection that recently swept across the internet and exploited mainly a vulnerable Adminer, see https://blog.sucuri.net/2019/11/vulnerable-versions-of-adminer-as-a-universal-infection-vector.html.

But there was no Adminer on the site in question, nor any known vulnerable plugin.

I won't drag it out: the [struck out: screw-up] problem is in the OneTone theme by MageeWP.

It lets attackers change the option that holds the theme settings. The theme configuration is loaded from the database on every page load, and attackers can then use it to do ugly, nasty things.

The code responsible is this function:

```php
// Vulnerable AJAX callback from the OneTone theme, reproduced as shipped.
// It writes attacker-supplied JSON straight into the theme's options.
function onetone_options_import() {
    $option_name = onetone_option_name();
    if (isset($_POST['options'])) {
        // stripslashes() only undoes WordPress's added slashes; it is not validation.
        $options     = stripslashes($_POST['options']);
        $new_options = json_decode($options, true);

        if (is_array($new_options) && $new_options != NULL) {
            // No nonce check and no capability check before the write.
            update_option($option_name, $new_options);
            _e('Import successful.', 'onetone');
            exit(0);
        }
    }
    _e('Import failed.', 'onetone');
    exit(0);
}
// The nopriv hook makes the callback reachable without being logged in.
add_action('wp_ajax_onetone_options_import', 'onetone_options_import');
add_action('wp_ajax_nopriv_onetone_options_import', 'onetone_options_import');
```

It is an AJAX callback for saving the theme settings.

    $options = stripslashes($_POST['options']);

stripslashes prevents nothing at all, and the attacker stores whatever they want in the database, specifically something like this:

[Figure: screenshot of the injected option value]

I borrowed the screenshot from Sucuri.net; the link is at the end of the article.

The script behaves as follows:

1. Into the top bar (the black bar shown to the administrator) it adds code that watches whether the file wp-admin/user-new.php is being loaded.
2. It checks for the existence of a cookie named Tho3faeK.
3. It assembles a URL from parameters and appends it to user-new.php.
4. It triggers a POST request and creates a new user with administrator privileges.

The result is familiar to anyone who has dealt with a compromised website: visitors are redirected to other pages and the site is effectively unavailable.

The theme has currently been removed from WordPress.org, and no update with a fix is known

At the time of writing this article I downloaded the zip file with the theme, and the code is still vulnerable.

If you have the theme installed, remove it immediately.

Links:

https://blog.sucuri.net/2020/04/onetone-vulnerability-leads-to-javascript-cookie-hijacking.html

https://blog.nintechnet.com/unauthenticated-stored-xss-vulnerability-in-wordpress-onetone-theme-unpatched/

If you like taking risks: https://mageewp.com/onetone-theme.html