Until now, when installing updates in WordPress, the main security element was trust in the WordPress infrastructure and its servers (after download, only a hash was checked, without verifying the source). If the project's servers were compromised, attackers could substitute a forged update and distribute malicious code to WordPress-based sites that use the automatic update installation system. Under the previously used trust model, such a substitution would go unnoticed on the user's side.

Given this, with a digital signature in place, taking control of the update distribution server no longer compromises user systems: to carry out an attack, the attacker would additionally have to obtain the private key that is stored separately and used to sign the updates.
Implementing signature-based verification of updates was held back by the fact that support for the required cryptographic algorithms appeared in the standard PHP package only relatively recently. The required cryptographic algorithms became available through the integration of the library
The solution is
The digital signature is generated with the algorithm
In the WordPress 5.2 release, digital signature verification currently covers only updates of the core platform and does not block updates by default; it only notifies the user of the problem. It was decided not to enable blocking by default right away, because the mechanism still needs full testing and a shakedown period.
Besides support for digital signatures, the following changes in WordPress 5.2 are worth noting:
- New pages for debugging common configuration problems were added to the Site Health section, along with a form developers can use to leave debugging information for the site administrator.
- A "white screen of death" recovery mechanism was added: when a fatal error occurs, the site switches to a special crash recovery mode that lets the administrator fix problems related to plugins or themes on their own.
- A plugin compatibility check system was implemented: it automatically checks whether a plugin can be used in the current configuration, taking into account the PHP version in use. If a plugin requires a newer version of PHP in order to work, the system automatically blocks the plugin from being enabled.
- Support was added for enabling modules in JavaScript code using webpack and Babel.
- A new privacy-policy.php template was added that lets the content of the privacy policy page be customized.
- For themes, a wp_body_open hook handler was added, allowing code to be inserted immediately after the body tag.
- The minimum PHP version requirement was raised to 5.6.20, which allows namespaces and anonymous functions to be used in plugins and themes.
- 13 new icons were added.
Additionally, another vulnerability is worth mentioning.
The problem lies in the code that handles file uploads to the server: by bypassing the check for permitted file types, a PHP script can be uploaded to the server and then executed directly over the web. Interestingly, a similar vulnerability had already been identified in LimeSurvey last year (CVE-2018-12426), where specifying a different content type in the Content-type field made it possible to load PHP code under the guise of an image. As part of that fix, a whitelist and an additional check of the MIME content type were added. As it turned out, these checks were implemented incorrectly and could easily be circumvented.
Specifically, direct upload of files with the extension ".php" was forbidden, but the extension ".phtml", which many servers associate with the PHP interpreter, was not added to the blacklist. The whitelist permits only image uploads, but this can be bypassed by giving the file a double extension such as ".gif.phtml". To get past the MIME-type check performed on the start of the file, it is enough to place the line "GIF89a" before the opening tag of the PHP code.
Source: opennet.ru