<h1>Vulnerability in the WordPress plugin Complianz</h1>

<p>Published 2024-01-18 by Affinite at <a href="https://affinite.io/cs/zranitelnost-wordpress-pluginu-complianz/">https://affinite.io/cs/zranitelnost-wordpress-pluginu-complianz/</a> (categories: novinky, wordpress).</p>

<p>A popular privacy-compliance plugin with more than 800,000 installations recently fixed an XSS vulnerability that could allow an attacker to upload malicious scripts and use them to launch attacks.</p>

<h2 class="wp-block-heading">About the Complianz plugin</h2>

<p>Complianz is a GDPR/CCPA cookie plugin used to manage cookies and cookie consent in WordPress, and it is one of the most popular cookie plugins.</p>

<p>If you use the Complianz plugin, make sure to update it to version 6.5.6 or higher, where the vulnerability has already been fixed.</p>

<p><a href="https://cs.wordpress.org/plugins/complianz-gdpr/" target="_blank" rel="noopener">Complianz – GDPR/CCPA Cookie Consent</a> (WordPress plugin directory)</p>

<h2 class="wp-block-heading">Complianz contained a serious risk</h2>

<p>It turned out that the plugin contained a stored XSS (Cross-Site Scripting) flaw, which is considered a security threat because it allows an attacker to inject malicious code (most often JavaScript) into the website.</p>

<p>The vulnerability lies in the Complianz administration settings and stems from two missing security measures:</p>

<ol class="wp-block-list">
<li><strong>Input Sanitization</strong>
<ul class="wp-block-list">
<li>Input sanitization should ensure that input data matches what is expected, discarding unnecessary characters that could create the security risk in question.</li>
</ul>
</li>

<li><strong>Output Escaping</strong>
<ul class="wp-block-list">
<li>This is the process that secures data sent from the application to the browser or another environment. The data should be properly encoded so that it is not interpreted as executable code.</li>
</ul>
</li>
</ol>

<h2 class="wp-block-heading">How do XSS (Cross-Site Scripting) attacks work?</h2>

<figure class="wp-block-image size-large"><a href="https://affinite.io/cs/wp-content/uploads/sites/2/2024/01/wordpress-napadeni-webu-xss.png"><img width="1024" height="683" src="https://affinite.io/cs/wp-content/uploads/sites/2/2024/01/wordpress-napadeni-webu-xss-1024x683.png" alt="" class="wp-image-7656" /></a></figure>

<p>There are several kinds of XSS attacks; in this case it was specifically "Stored XSS", in which the attacker could upload the malicious script directly to the website's server.</p>

<p>Detecting an XSS attack can be difficult for both users and website operators, so I would recommend using one of the scanning tools (for example Wordfence).</p>