[WordPress plugin] Comment Form CSRF Protection

WordPress plugin | Article | 2020-03-28 13:20 | 426 | 0


Rating: 100

Description

WordPress has a 9-year-old unfixed security vulnerability: it does not properly validate incoming comments.

An attacker can trick both anonymous and logged-in users into posting comments on a victim site without realizing it, using their own credentials.

See this issue for more information: https://core.trac.wordpress.org/ticket/10931

This is a tiny (fewer than 40 effective lines of code) module that adds a secure token to the comment form and validates it before accepting any comment, thus making your comment forms secure, as they should've been for all these years!

It provides no UI – just install it and you are all set!

    1. This plugin adds a secret, cryptographically secure token to the comment form. This is a unique value that is computationally impractical to guess.

    2. Upon comment submission, the comment is rejected if the secret tokens are not present or are computationally invalid.
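The two steps above (emit a secret token in the form, verify it before accepting the comment) can be illustrated with a minimal WordPress plugin. This is an added example and not the code of the Comment Form CSRF Protection plugin, whose implementation this page does not show. The `ect_` function, cookie and field names are hypothetical; the `init`, `comment_form` and `pre_comment_on_post` hooks and the `wp_salt()`, `esc_attr()`, `is_ssl()` and `wp_die()` functions are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Comment CSRF Token Example
 * Description: Added example of a per-visitor CSRF token on the comment form.
 *              Not the code of the Comment Form CSRF Protection plugin.
 */

// Hypothetical names used only by this example.
const ECT_COOKIE = 'ect_csrf_seed';  // per-visitor random seed, HttpOnly cookie
const ECT_FIELD  = 'ect_csrf_token'; // hidden form field carrying the derived token

/**
 * Return the visitor's random seed, creating the cookie on first sight.
 * Hooked to 'init' so the cookie is set before any output is sent.
 */
function ect_get_seed() {
    if ( isset( $_COOKIE[ ECT_COOKIE ] ) && preg_match( '/^[a-f0-9]{64}$/', $_COOKIE[ ECT_COOKIE ] ) ) {
        return $_COOKIE[ ECT_COOKIE ];
    }
    $seed = bin2hex( random_bytes( 32 ) ); // 256 bits from a CSPRNG: impractical to guess
    setcookie( ECT_COOKIE, $seed, array(
        'expires'  => 0,          // session cookie
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,       // never readable by page scripts
        'samesite' => 'Lax',      // not sent on cross-site POSTs
    ) );
    $_COOKIE[ ECT_COOKIE ] = $seed; // make it visible for the rest of this request
    return $seed;
}
add_action( 'init', 'ect_get_seed' );

/**
 * Derive the token for one post: HMAC over (seed, post id) keyed with a site secret.
 * Only the HMAC goes into the page; the seed stays in the cookie, so a cross-site
 * page that cannot read the cookie cannot produce a valid token, and a cookie
 * planted from elsewhere does not verify without the site secret.
 */
function ect_token_for( $post_id ) {
    return hash_hmac( 'sha256', ect_get_seed() . '|' . (int) $post_id, wp_salt( 'nonce' ) );
}

// Step 1: emit the hidden token field inside every comment form.
add_action( 'comment_form', function ( $post_id ) {
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        ECT_FIELD,
        esc_attr( ect_token_for( $post_id ) )
    );
} );

// Step 2: reject any submission whose token is missing or does not match.
add_action( 'pre_comment_on_post', function ( $post_id ) {
    $sent = isset( $_POST[ ECT_FIELD ] ) ? (string) $_POST[ ECT_FIELD ] : '';
    // hash_equals() compares in constant time, so the check leaks no timing information.
    if ( '' === $sent || ! hash_equals( ect_token_for( $post_id ), $sent ) ) {
        wp_die(
            'Comment rejected: missing or invalid security token.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
} );
```

Two design points worth knowing. First, the example does not use `wp_nonce_field()` for this purpose: for logged-out visitors WordPress nonces are derived from user ID 0 and an empty session token, so every anonymous visitor receives the same value within a tick window, which is exactly why a nonce alone does not protect anonymous commenters. Second, a per-visitor token is incompatible with full-page caching of the comment form: a cached page would serve one visitor's token to everyone, and their submissions would be rejected, so the form must be excluded from the cache or the token fetched per visitor.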

Installation steps

    1. Upload the plugin files to the /wp-content/plugins/ directory, or install the plugin through the WordPress plugins screen directly.

    2. Activate the plugin through the 'Plugins' screen in WordPress.

    3. You are all set! There is nothing to configure. Your comment forms will contain the hidden token fields, which will be properly validated upon submission.

Download address
https://downloads.wordpress.org/plugin/comment-form-csrf-protection.1.1.zip