<p><a href="https://patchstack.com/">https://patchstack.com/</a> and immediately contacted the plugin's authors. They did not respond even after a week, so Envato was contacted instead, and it responded within ten minutes. The developer then released a fix after a further twenty-one days.</p>

<p>For a plugin whose purpose is to improve a site's security, the response should be considerably faster.</p>
<p>But let's get to the vulnerabilities.</p>
<p><strong>The first vulnerability allows a logged-in user of any role to deactivate the plugin.</strong></p>

<p>It is enough to simply request the URL</p>
<pre><code>/wp-admin/admin-ajax.php?die_message=new_admin&action=heartbeat</code></pre>

<p>and because the die_message() function does not check the user's capabilities, it prints the hmwp_reset_token option to the screen. That token can then be used to deactivate the plugin by loading the file /wp-content/plugins/hide_my_wp/d.php from the plugin's root directory.</p>
<p>Fix: a user capability check was added to the function.</p>
<p><strong>The second vulnerability is more serious, because it allows SQL injection.</strong></p>

<p>The code that allows the injection looks like this:</p>
<pre><code>// $user_ip is taken from request headers that the client controls
$user_ip = $this->hmwp_get_user_ip();
// the value is interpolated directly into the SQL string, unescaped
$dbips_info = $wpdb->get_var("SELECT `ip` FROM `{$blocked_ips_table}` WHERE `allow`='1' AND `ip`='{$user_ip}'");</code></pre>

<p>The hmwp_get_user_ip method tries to obtain the IP address from various headers, including ones that can be spoofed. If malicious code is placed in one of these headers, it is used in the SQL query as-is, and the injection is born.</p>
<p>For example, using cURL:</p>
<pre><code>curl --location --request GET "https://example.com" --header "X-Forwarded-For: 1' union all select sleep(3)#"</code></pre>

<p>The vulnerability was fixed by rewriting the SQL query from the get_var method to prepare, which escapes the inputs and requires the type of each value used in the query to be declared.</p>
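<p>As an added example (not the plugin's own code), the vulnerable query above is shown next to the prepared form that the fix describes; the function names are hypothetical, and <code>$wpdb</code> and <code>$blocked_ips_table</code> are assumed to be in scope as in the plugin.</p>

```php
<?php
// Added example, not the plugin's code. $wpdb and $blocked_ips_table are
// assumed to be in scope; both function names are hypothetical.

// Before: $user_ip comes from request headers (e.g. X-Forwarded-For)
// that any client can set, and is interpolated straight into the SQL.
function hmwp_is_ip_allowed_vulnerable( $wpdb, $blocked_ips_table, $user_ip ) {
    return $wpdb->get_var(
        "SELECT `ip` FROM `{$blocked_ips_table}` WHERE `allow`='1' AND `ip`='{$user_ip}'"
    );
}

// After: the value is bound through $wpdb->prepare(), which escapes it
// according to the declared placeholder type (%s = string), so a quote
// or comment sequence in the header cannot change the query's structure.
// The table name is plugin-controlled (not user input), so interpolating
// it is acceptable. Validating the value as an IP first is extra defence
// in depth: anything that is not an IP never reaches the database.
function hmwp_is_ip_allowed( $wpdb, $blocked_ips_table, $user_ip ) {
    if ( filter_var( $user_ip, FILTER_VALIDATE_IP ) === false ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT `ip` FROM `{$blocked_ips_table}` WHERE `allow` = '1' AND `ip` = %s",
        $user_ip
    );
    return $wpdb->get_var( $sql );
}
```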
<p><strong>Conclusion:</strong></p>

<p>If you use the plugin, you have no choice but to update it. Unfortunately, it is a premium plugin, so an update from the WordPress repository is not available, and an automatic update is only offered if you have a renewed six-month subscription, which is not exactly common for plugins from CodeCanyon.</p>
<p><strong>Excerpt:</strong></p>

<p>The premium plugin Hide My WP, which has almost 30 thousand sales on CodeCanyon, contains two serious vulnerabilities. Both were fixed in version 6.2.4, so do not delay updating. Hide My WP is a plugin that lets you hide as many signs as possible that a site is built on WordPress. It is mentioned in many articles on various websites, including musilda.cz,</p>