{"id":4886,"date":"2015-10-05T14:32:32","date_gmt":"2015-10-05T12:32:32","guid":{"rendered":"https:\/\/ihs.com.tr\/blog\/?p=4886"},"modified":"2019-01-04T09:31:42","modified_gmt":"2019-01-04T07:31:42","slug":"wordpressin-jetpack-plugininde-depolanmis-xss-acigi-tespit-edildi","status":"publish","type":"post","link":"https:\/\/www.ihs.com.tr\/blog\/wordpressin-jetpack-plugininde-depolanmis-xss-acigi-tespit-edildi\/",
"title":{"rendered":"Stored XSS Vulnerability Found in WordPress\u2019s Jetpack Plugin"},
"content":{"rendered":"<p><span style=\"font-size: 14pt;\">Researchers at Sucuri have identified a critical cross-site scripting (<strong>XSS<\/strong>) vulnerability in <strong>Jetpack<\/strong>, a plugin widely used on <strong>WordPress<\/strong> websites.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">The Jetpack plugin gives WordPress site operators a range of features such as customization, traffic, mobile, content and performance tools. The plugin has been downloaded more than a million times so far.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">The stored XSS vulnerability puts every affected WordPress website at risk of a complete takeover. The issue was fixed last week with the release of Jetpack 3.7.1 and 3.7.2, but anyone still running Jetpack 3.7 or an earlier version remains at risk.<\/span><\/p>\n<p><a href=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/10\/jetpack-a\u00e7\u0131\u011f\u0131-yamand\u0131.jpg\" data-rel=\"penci-gallery-image-content\" ><img decoding=\"async\" class=\"alignnone size-medium wp-image-4887\" src=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/10\/jetpack-a\u00e7\u0131\u011f\u0131-yamand\u0131-300x164.jpg\" alt=\"jetpack vulnerability patched\" width=\"300\" height=\"164\" srcset=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/10\/jetpack-a\u00e7\u0131\u011f\u0131-yamand\u0131-300x164.jpg 300w, https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/10\/jetpack-a\u00e7\u0131\u011f\u0131-yamand\u0131.jpg 304w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><span style=\"font-size: 14pt;\">According to a Sucuri <a href=\"https:\/\/blog.sucuri.net\/2015\/10\/security-advisory-stored-xss-in-jetpack.html\" target=\"_blank\" rel=\"nofollow\">advisory<\/a> published last Thursday, attackers can exploit the vulnerability by submitting a specially crafted malicious e-mail address through the contact form pages of vulnerable WordPress websites. The advisory states that Jetpack\u2019s contact form module is enabled by default. Because the e-mail address is not sufficiently sanitized before it is stored in the plugin\u2019s \u2018Feedback\u2019 section, attackers could combine this vulnerability with some browser hacking to run JavaScript code on the administrator\u2019s side and thus do whatever they want on the site (such as planting a hidden backdoor so the compromised site can be exploited again later, inserting SEO spam, etc.).<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">In an e-mail exchange on Friday, Sucuri vulnerability researcher Marc-Alexandre Montpas told SCMagazine.com that Sucuri has not yet seen any exploitation of the stored XSS vulnerability. He added, however, that attackers may begin exploitation attempts now that the new versions have been released.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">According to Montpas, the vulnerability is very easy to exploit.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">\u201cSince this is a stored XSS vulnerability, attackers have to wait for the administrator to visit the plugin\u2019s Feedback section for the payload to fire silently. Once that happens, nothing stops the malicious code from taking control of the site, which is a rather dangerous situation,\u201d says Montpas.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Montpas says a less dangerous information disclosure vulnerability was also patched in Jetpack 3.7.1, so users should move to this version as soon as possible even if they do not use the contact form module.<\/span><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Researchers at Sucuri have identified a critical cross-site scripting (XSS) vulnerability in Jetpack, a plugin widely used on WordPress websites. The Jetpack plugin gives WordPress&hellip;<\/p>\n","protected":false},
"author":3,"featured_media":4888,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,397],"tags":[],"class_list":["post-4886","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-haberler","category-wordpress"],"amp_enabled":true,
"_links":{"self":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=4886"}],"version-history":[{"count":3,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4886\/revisions"}],"predecessor-version":[{"id":4892,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4886\/revisions\/4892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media\/4888"}],"wp:attachment":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=4886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=4886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=4886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}