Israeli security researcher Barak Tawily recently showed that WordPress is affected by a denial-of-service (DoS) vulnerability, CVE-2018-6389, which affects almost every WordPress version released in the past nine years, including the latest release, 4.9.2. He published a PoC video and a patch script. In the PoC, a single request causes the server to perform 181 I/O operations and return the contents of the files in the response, yet the WordPress team declined to acknowledge the vulnerability.
According to the expert's analysis, CVE-2018-6389 is an application-level DoS issue in the WordPress CMS that attackers can exploit without generating large volumes of malicious traffic.
“In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this vulnerability being exploited.”
The load-scripts.php file was designed to let WordPress administrators load multiple JavaScript files in a single request, but the researcher noticed that this function can be called before logging in, so anyone can invoke it.
The response returned by the WordPress CMS depends on the plugins and modules that are installed. Module and plugin names (separated by commas) are passed to load-scripts.php through the “load” parameter. load-scripts.php looks up each JavaScript file named in the URL, concatenates their contents into a single response, and sends it back to the user’s web browser.
The researcher points out that the wp_scripts list is hard-coded in the script-loader.php file, so he decided to send a request asking for every JS module on the WordPress instance in one response.
“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user.”
“I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.”
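The request pattern described above is visible in web-server access logs. The following is an added example, not code from the article, from WordPress or from the researcher's patch script: it parses constructed sample log lines and flags requests to the loader script whose load list names more than an assumed threshold of 20 modules (it also covers the companion load-styles.php, which the article does not mention).

```python
# Added example (not from the article, WordPress or the researcher): flag
# access-log requests to the WordPress loader scripts whose "load" parameter
# names an unusually large number of modules.
import re
from urllib.parse import urlsplit, parse_qs

TARGET_SCRIPTS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")
MAX_MODULES = 20  # assumed threshold; tune to what legitimate admin pages request

# Common/combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def count_load_modules(path_with_query):
    """Number of module names passed via load[] / load, or 0 if not a loader script."""
    parts = urlsplit(path_with_query)
    if parts.path not in TARGET_SCRIPTS:
        return 0
    qs = parse_qs(parts.query, keep_blank_values=True)
    total = 0
    for key in ("load[]", "load"):  # both spellings reach the same code path
        for value in qs.get(key, []):
            total += len([m for m in value.split(",") if m])
    return total

def flag_suspicious(log_lines, max_modules=MAX_MODULES):
    """Return (client_ip, module_count) for each request above the threshold."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        n = count_load_modules(path)
        if n > max_modules:
            hits.append((client, n))
    return hits

# Constructed sample log lines (not real traffic); the second mirrors the PoC's 181-module request
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2 HTTP/1.1" 200 81234',
    '203.0.113.9 - - [05/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php?load=' + ",".join(f"mod{i}" for i in range(181)) + ' HTTP/1.1" 200 4012345',
    '198.51.100.2 - - [05/Feb/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for client, n in flag_suspicious(SAMPLE_LOG):
        print(f"{client}: {n} modules requested in one loader call")
```

Feeding the flagged clients to a rate limiter or a web-server rule that caps the load list length gives the server-level mitigation the WordPress team referred to.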
Tawily developed a proof-of-concept (PoC) Python script that sends a large number of concurrent requests to the same URL in order to exhaust server resources. An attacker with good bandwidth, or a small number of bots, could use CVE-2018-6389 to take down popular WordPress sites. The PoC video of the attack follows.
Tawily reported the DoS vulnerability to the WordPress team through HackerOne, but the company declined to acknowledge it. Tawily wrote:
“After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that:
“This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.”
The expert has implemented a mitigation for this vulnerability in a forked version of WordPress, and he has also released a bash script that addresses the issue.
Reference: baraktawily.blogspot.in