WooThemes is a well-known WordPress theme vendor. On April 30 its servers were hit by a DDoS attack, with 8 GB per second of packet traffic sent at the server, which left the WooThemes site unreachable for a time.

woothemes hacked

WooThemes Shortcode Exploit

Before the site came under attack, a vulnerability in the WooThemes Framework, the Shortcode Exploit, had been disclosed. The following comment is from a WooThemes developer:

The shortcode preview functionality that was in the WooFramework’s bundled shortcode generator (the neat popup used to add shortcodes to posts and pages with a point-and-click interface) was identified as a potential security exploit several days ago. After the first report was made, we began work on isolating and resolving this exploit. This resulted in the removal of this functionality from the WooFramework (the shortcode generator is still there… just the preview functionality was removed).

The potential exploit is such that the shortcode preview allowed users to generate shortcodes using the preview window’s file, without authenticating the user.

WooThemes adds a Shortcode button to the TinyMCE editor, and each shortcode comes with a preview function. The vulnerability is that the preview is rendered in an iframe whose source is a standalone file, and that file can be requested directly, even by a visitor who is not logged in. Because the file renders whatever shortcode it is handed, an unauthenticated visitor could have the site execute any registered shortcode handler, something WordPress otherwise only lets authenticated users with post-editing rights do.
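To make the flaw concrete, here is an added example, written for this page and not code from WooThemes or the WooFramework: a hypothetical standalone preview file of the kind described above, followed by the same feature re-implemented as an admin-ajax action that requires a logged-in user, an edit_posts capability and a nonce. File names, hook names and parameter names are assumptions for illustration; the WordPress functions used (do_shortcode, wp_load.php, check_ajax_referer, current_user_can, wp_send_json_error, wp_kses_post, wp_create_nonce) are real.

```php
<?php
/*
 * --- Vulnerable pattern (hypothetical file: shortcode-preview.php) ---
 * Loaded in the editor's iframe, but reachable by anyone who knows the URL.
 * It bootstraps WordPress and renders the shortcode string from the query
 * with no authentication or capability check at all.
 */
require_once dirname(__FILE__) . '/../../../../wp-load.php'; // bootstraps WordPress (assumed relative path)

$shortcode = isset($_GET['shortcode']) ? wp_unslash($_GET['shortcode']) : '';

// do_shortcode() invokes the PHP handler registered for every shortcode in
// the string, so an anonymous visitor drives plugin code meant for editors.
echo do_shortcode($shortcode);

/*
 * --- Hardened equivalent (hypothetical, placed in the theme's functions.php) ---
 * The preview is served through admin-ajax.php instead of a standalone file.
 * Only the wp_ajax_ hook is registered; the wp_ajax_nopriv_ variant, which
 * would expose the action to logged-out users, is deliberately absent.
 */
add_action('wp_ajax_example_shortcode_preview', 'example_shortcode_preview_handler');

function example_shortcode_preview_handler() {
    // Rejects the request (dies with -1) if the nonce is missing or invalid,
    // so the endpoint cannot be triggered cross-site or without the editor UI.
    check_ajax_referer('example_shortcode_preview', 'nonce');

    // Being logged in is not enough; require the capability an editor needs
    // to place shortcodes in content in the first place.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $shortcode = isset($_POST['shortcode']) ? wp_unslash($_POST['shortcode']) : '';

    // Strip disallowed HTML from the input so the preview cannot be used to
    // reflect arbitrary markup; shortcode brackets survive wp_kses_post().
    echo do_shortcode(wp_kses_post($shortcode));
    wp_die(); // end the ajax response cleanly
}

// Nonce handed to the editor script so it can call the preview action.
// The editor would POST: action=example_shortcode_preview, nonce=<this>, shortcode=[...]
function example_shortcode_preview_nonce() {
    return wp_create_nonce('example_shortcode_preview');
}
```

The important difference is not the nonce alone: the standalone file had no notion of a WordPress user at all, whereas the ajax action inherits the logged-in session, and the capability check ties shortcode execution back to the permission that normally gates it. When auditing a theme or plugin, look for any PHP file that includes wp-load.php directly and then acts on request parameters; that pattern is the one the WooThemes preview fell into.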

The WooThemes preview feature has a serious security vulnerability

WooThemes has issued a statement asking its users to upgrade the Framework as soon as possible. The latest version is 5.3.12, in which the preview function has been removed entirely.

The Shortcode Preview feature has been removed

Since the vulnerability has now been published on the official site, continuing to run an older version of the WooThemes Framework is very risky. WooThemes users should upgrade the Framework through the WordPress admin dashboard as soon as possible.

Official reports

Framework shortcode exploit has been fixed

Recovery Update: Tuesday, 1 May
