WP Fastest Cache plugin flaw puts 600,000 WordPress sites at risk

Published: 2023-11-16
Link: https://affinite.io/cs/chyba-pluginu-wp-fastest-cache-ohrozuje-600-000-wordpress-webu/

During an internal review of the WP Fastest Cache plugin, the WPScan team discovered a serious SQL injection vulnerability. It can allow unauthenticated attackers to read the entire contents of the WordPress database by means of a time-based blind SQL injection payload.

As soon as the vulnerability was discovered, the WPScan team promptly notified the plugin's developers, who then released version 1.2.2, which fixes it. WordPress administrators must make sure their installations are fully updated in order to be effectively protected against this vulnerability.

The is_user_admin function of the WpFastestCacheCreateCache class is vulnerable to SQL injection. It is called from the createCache function.

```php
public function is_user_admin(){
    global $wpdb;

    // Take the part of any "wordpress_logged_in*" cookie value before the first "|"
    // as the username; the cookie is fully attacker-controlled at this point.
    foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
        if(preg_match("/wordpress_logged_in/i", $cookie_key)){
            $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
            break;
        }
    }

    if(isset($username) && $username){
        // $username is interpolated directly into the SQL string without
        // escaping or $wpdb->prepare(); this is the vulnerability described in the text.
        $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                               FROM `$wpdb->users`
                               INNER JOIN `$wpdb->usermeta`
                               ON `$wpdb->users`.`user_login` = \"$username\" AND
                               `$wpdb->usermeta`.`meta_key` LIKE \"%_user_level\" AND
                               `$wpdb->usermeta`.`meta_value` = \"10\" AND
                               `$wpdb->users`.`ID` = `$wpdb->usermeta`.user_id ;"
                            );

        return $res;
    }

    return false;
}
```

This plugin function reads the $username variable from any cookie whose name contains the text wordpress_logged_in, taking the data up to the first '|' character. The variable is then inserted into a database query without any escaping. Note that this function runs when the plugin is loaded, which is before wp_magic_quotes() has been applied to the request data.

Because the results of the SQL query are not used outside this function, there is no direct way to get at them. However, a time-based blind SQL injection technique can exploit this vulnerability to extract arbitrary information from the database.

If you use this plugin on your sites, do not delay updating.

Source: https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/