{"id":6437,"date":"2021-10-27T16:38:17","date_gmt":"2021-10-27T16:38:17","guid":{"rendered":"https:\/\/musilda.cz\/?p=6437"},"modified":"2021-10-27T16:38:17","modified_gmt":"2021-10-27T16:38:17","slug":"vazna-zranitelnost-v-pluginu-optin-monster-ohrozuje-vice-nez-1-000-000-webu","status":"publish","type":"post","link":"https:\/\/affinite.io\/cs\/vazna-zranitelnost-v-pluginu-optin-monster-ohrozuje-vice-nez-1-000-000-webu\/","title":{"rendered":"Serious vulnerability in the Optin Monster plugin threatens more than 1,000,000 websites"},"content":{"rendered":"\n
Optin Monster is a very popular plugin for building sales campaigns on WordPress sites. Plugin versions lower than 2.6.5 contain a very serious vulnerability that allows the site to be compromised.<\/p>\n\n\n\n
The plugin is widespread enough that you should take this problem seriously.<\/p>\n\n\n\n
OptinMonster, like its site app, uses a number of API endpoints to which data is routed.<\/p>\n\n\n\n
Unfortunately, most of these REST API endpoints are only weakly protected against access by unauthorized users, on any site where a vulnerable version of the plugin is installed.<\/p>\n\n\n\n
The most critical one is the REST API endpoint \/wp-json\/omapp\/v1\/support\/, which discloses sensitive information, for example the server path, together with the API key that is required for sending requests to the OptinMonster site.<\/p>\n\n\n\n
With that API key an attacker can access the campaigns you have configured and modify them to add malicious JavaScript code, which they can then run at any time.<\/p>\n\n\n\n
The worst part is that the attacker does not need to be logged in or authorized at all, because the endpoint's permission_callback is the function logged_in_or_has_api_key.<\/p>\n\n\n\n
That function returns true for any request whose Referer header (a value the client chooses freely, matched only as a substring) contains https:\/\/wp.app.optinmonster.test and whose request method is OPTIONS.<\/p>\n\n\n\n
It is then enough to set X-HTTP-Method-Override to GET or POST for the request to be executed successfully: the WordPress REST server applies that header to the request it routes, while $_SERVER['REQUEST_METHOD'], which the check reads, still says OPTIONS.<\/p>\n\n\n\n
The logged_in_or_has_api_key function:<\/p>\n\n\n\n
public function logged_in_or_has_api_key( $request ) {\n if (\n ! empty( $_SERVER['HTTP_REFERER'] )\n && false !== strpos( $_SERVER['HTTP_REFERER'], 'https:\/\/wp.app.optinmonster.test' )\n && 'OPTIONS' === $_SERVER['REQUEST_METHOD']\n ) {\n return true;\n }\n\n return is_user_logged_in() || true === $this->has_valid_api_key( $request );\n}<\/code><\/pre>\n\n\n\nIf you suspect that your site has been attacked through OptinMonster, support will invalidate your API key and generate a new one for you.<\/p>\n\n\n\n
In any case, this bug does not affect only this particular endpoint but also other endpoints the plugin registers, so update the plugin without delay to version 2.6.5, which contains the fix.<\/p>\n\n\n\n
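The following is an added example, not OptinMonster's own code: the vulnerable permission callback quoted above placed beside a hardened version, both exercised against three simulated requests. It assumes a stubbed is_user_logged_in() that always returns false (an anonymous caller), an API key compared against a constructed constant, and an invented header name X-OmApp-Api-Key; none of these come from the plugin.<\/p>\n\n\n\n

```php
<?php
// Added example, not OptinMonster's own code: the vulnerable permission_callback
// quoted above beside a hardened version, exercised against simulated requests.
// Assumptions: is_user_logged_in() is stubbed to return false (anonymous caller),
// the API key is checked against a constructed constant, and the header name
// X-OmApp-Api-Key is invented for this demo.

// Stub for the WordPress core function; there is no WP runtime here.
function is_user_logged_in(): bool {
    return false;
}

// Minimal stand-in for WP_REST_Request: only what the callbacks need.
final class FakeRequest {
    /** @param array<string,string> $headers lowercase header name => value */
    public function __construct(private array $headers = []) {}

    public function get_header(string $name): ?string {
        return $this->headers[strtolower($name)] ?? null;
    }
}

final class PermissionDemo {
    // Constructed key for the demo; a real key would come from plugin settings.
    private const EXPECTED_KEY = 'example-api-key-not-real';

    private function has_valid_api_key(FakeRequest $request): bool {
        $key = $request->get_header('x-omapp-api-key'); // assumed header name
        return is_string($key) && hash_equals(self::EXPECTED_KEY, $key);
    }

    // The callback as quoted on the page: a Referer containing the OptinMonster
    // app origin plus an OPTIONS transport method grants access to anyone.
    public function logged_in_or_has_api_key_vulnerable(FakeRequest $request): bool {
        if (
            ! empty( $_SERVER['HTTP_REFERER'] )
            && false !== strpos( $_SERVER['HTTP_REFERER'], 'https://wp.app.optinmonster.test' )
            && 'OPTIONS' === $_SERVER['REQUEST_METHOD']
        ) {
            return true;
        }
        return is_user_logged_in() || true === $this->has_valid_api_key( $request );
    }

    // Hardened version: no Referer-based shortcut. Referer is client-controlled,
    // and $_SERVER['REQUEST_METHOD'] stays OPTIONS even when the WordPress REST
    // router has switched the routed request to GET/POST via X-HTTP-Method-Override,
    // so neither value says anything about who is calling.
    public function logged_in_or_has_api_key_fixed(FakeRequest $request): bool {
        return is_user_logged_in() || true === $this->has_valid_api_key( $request );
    }
}

// Simulated requests, constructed for this example.
$cases = [
    'anonymous GET' => [
        'server'  => ['REQUEST_METHOD' => 'GET'],
        'headers' => [],
    ],
    'forged Referer + OPTIONS + X-HTTP-Method-Override (the bypass above)' => [
        'server'  => [
            'REQUEST_METHOD'              => 'OPTIONS',
            'HTTP_REFERER'                => 'https://wp.app.optinmonster.test/',
            'HTTP_X_HTTP_METHOD_OVERRIDE' => 'GET',
        ],
        'headers' => [],
    ],
    'anonymous GET with valid API key' => [
        'server'  => ['REQUEST_METHOD' => 'GET'],
        'headers' => ['x-omapp-api-key' => 'example-api-key-not-real'],
    ],
];

$demo = new PermissionDemo();
foreach ($cases as $label => $case) {
    unset($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
    $_SERVER = array_merge($_SERVER, $case['server']);
    $request = new FakeRequest($case['headers']);
    printf(
        "%-72s vulnerable=%s fixed=%s\n",
        $label,
        var_export($demo->logged_in_or_has_api_key_vulnerable($request), true),
        var_export($demo->logged_in_or_has_api_key_fixed($request), true)
    );
}
```

Run it with the PHP CLI (php 8 or newer for constructor promotion). Only the second case separates the two callbacks: the forged Referer plus OPTIONS request is granted by the vulnerable callback and refused by the hardened one, while the plain anonymous request is refused by both and the request carrying a valid key is accepted by both. The hardened callback is the shape a permission_callback should have: authentication state or a secret the caller proves possession of, never request metadata the caller writes itself.<\/p>\n\n\n\n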