wordpress WPImageEditorImagick 指令注入漏洞的解决方法

2016-8-8 liyangweb.com 李杨 PHP

昨天在阿里云上装了一个wordpress,今天就收到了阿里云的短信提醒,“【阿里云】尊敬的用户:您的服务器xxx.xxx.xx.xx存在wordpress WP_Image_Editor_Imagick 指令注入漏洞,已为您准备补丁可一键修复漏洞,为避免被黑客入侵,建议您登录云盾-服务器安全(安骑士)控制台,进行查看和处理,同时建议您在控制台使用安全巡检功能对服务器进行全面检查。

感觉阿里云还挺贴心的,于是打开安其实开始修复,可没想到确让我购买专业版,咱干技术这么多年,可不能花这冤枉钱,于是开始了我自己的修复之路。

阿里云提供了出问题的代码的位置:/wordpress/wp-includes/media.php,然后搜索一下WP_Image_Editor_Imagick,果然找到了,在_wp_image_editor_choose函数内部,2898行(版本不一样,行数可能会不一样)有这样一句

$implementations = apply_filters( 'wp_image_editors', array( 'WP_Image_Editor_GD', 'WP_Image_Editor_Imagick' ) );

上面有一行注释@param array $image_editors List of available image editors. Defaults are 'WP_Image_Editor_Imagick', 'WP_Image_Editor_GD'.是说验证图片相关的内容,具体怎么改呢,阿里云提供了一个漏洞详情的说明

wordpress WP_Image_Editor_Imagick 指令注入漏洞
6253549
/usr/share/nginx/html/wordpress/wp-includes/media.php
云盾自研
2016-08-08 08:45:13
该修复方案为临时修复方案,可能存在兼容性风险,为了防止WP_Image_Editor_Imagick扩展的指令注入风险,将wordpress的默认图片处理库优先顺序改为GD优先,用户可在/wp-includes/media.php的_wp_image_editor_choose()函数中看到被修改的部分


,把apply_filters函数中的第二个参数的数组换一下位置,改成array('WP_Image_Editor_GD', 'WP_Image_Editor_Imagick'),然后再验证一下。OK了!

修改后的函数如下:

/**
  * Tests which editors are capable of supporting the request.
  *
  * @ignore
  * @since 3.5.0
  *
  * @param array $args Optional. Array of arguments for choosing a capable editor. Default empty array.
  * @return string|false Class name for the first editor that claims to support the request. False if no
  *                     editor claims to support the request.
  */
 function _wp_image_editor_choose( $args = array() ) {
         require_once ABSPATH . WPINC . '/class-wp-image-editor.php';
         require_once ABSPATH . WPINC . '/class-wp-image-editor-gd.php';
         require_once ABSPATH . WPINC . '/class-wp-image-editor-imagick.php';
 
         /**
          * Filter the list of image editing library classes.
          *
          * @since 3.5.0
          *
          * @param array $image_editors List of available image editors. Defaults are
          *                             'WP_Image_Editor_Imagick', 'WP_Image_Editor_GD'.
          */
         $implementations = apply_filters( 'wp_image_editors', array( 'WP_Image_Editor_GD', 'WP_Image_Editor_Imagick' ) );
         //$implementations = apply_filters( 'wp_image_editors', array( 'WP_Image_Editor_Imagick', 'WP_Image_Editor_GD' ) );
 
         foreach ( $implementations as $implementation ) {
                 if ( ! call_user_func( array( $implementation, 'test' ), $args ) )
                         continue;
 
                 if ( isset( $args['mime_type'] ) &&
                         ! call_user_func(
                                 array( $implementation, 'supports_mime_type' ),
                                 $args['mime_type'] ) ) {
                         continue;
                 }
 
                 if ( isset( $args['methods'] ) &&
                          array_diff( $args['methods'], get_class_methods( $implementation ) ) ) {
                         continue;
                 }
 
                 return $implementation;
         }
 
         return false;
 }


标签: wordpress

发表评论:

Powered by emlog 冀ICP备13011830号-1