Pingback Denial of Service possibility
Reported by: foobarwp12
Owned by:
Cc: josephscott, bob.ellison@…, info@…, 24-7@…, dh-shredder, tom@…, soficgr@…, ian_dunn@…, scribu, kovshenin
The pingback feature of WordPress (2.1.3) allows DDOS attacks either against the server hosting WordPress or against a third one.
When a client sends a pingback, WordPress calls "wp_remote_fopen" to download the referring URL. On servers having "allow_url_fopen" activated, this function will try to download the /whole/ URL without any timeout or size limit (except those set in php.ini, which will usually lead to a ~8MB download).
So if you post ~100 xmlrpc requests referring to a /huge/ file, every server meeting those prerequisites should effectively be down (for a while). You should at least be able to generate lots of traffic.
On the other hand, if you google for blogs and post the same URL to each of 'em, the target server should be DDOSed.
I suggest allowing pingbacks only if the connection was opened from the host mentioned in the source URL.
I'll attach a demo exploit (I didn't test it for the entered URL; it worked for a local installation).
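Two defensive checks that correspond to the problems in this report (an unbounded fetch of the source URL, and the reporter's suggestion to accept a pingback only when it comes from the host named in that URL), written as an added Python example rather than WordPress code; the function names, the 64 KB cap, the 5 s budget and the injectable resolver/clock are assumptions made for the example.

```python
"""Added example, not WordPress code: bounded fetch and source-host check
for pingback handling. Helper names, limits and the injectable resolver/clock
are assumptions, not anything from the ticket."""
import io
import socket
import time
from urllib.parse import urlparse

MAX_BYTES = 64 * 1024   # assumed cap on how much of the source page is read
DEADLINE_S = 5.0        # assumed wall-clock budget for the whole fetch


def source_matches_client(source_url, client_ip, resolver=None):
    """Reporter's suggested check: accept the pingback only if client_ip is one
    of the addresses the source URL's host resolves to.
    resolver(host) -> list of IP strings; injectable so tests run offline."""
    host = urlparse(source_url).hostname
    if not host:
        return False
    resolve = resolver or (
        lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)])
    try:
        return client_ip in set(resolve(host))
    except (socket.gaierror, OSError):
        return False


def bounded_read(stream, max_bytes=MAX_BYTES, deadline_s=DEADLINE_S,
                 clock=time.monotonic):
    """Read from a file-like object until max_bytes or the deadline is hit,
    instead of reading the whole remote resource.
    Returns (data, truncated); truncated is True when the cap or deadline cut
    the read short, so the caller can reject the pingback rather than keep
    a partial page that looks legitimate."""
    start = clock()
    chunks, total = [], 0
    while total < max_bytes:
        if clock() - start > deadline_s:
            return b"".join(chunks), True
        chunk = stream.read(min(4096, max_bytes - total))
        if not chunk:
            return b"".join(chunks), False
        chunks.append(chunk)
        total += len(chunk)
    # Cap reached: peek one byte to tell "exactly max_bytes" from "more left".
    return b"".join(chunks), bool(stream.read(1))


def bounded_read_bytes(payload, **kwargs):
    """Convenience wrapper over an in-memory stream (for offline checks)."""
    return bounded_read(io.BytesIO(payload), **kwargs)
```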
Change History (32)
- Milestone changed from 2.0.eventually to 2.2
- Version set to 2.1.3
- Milestone changed from 2.2 to 2.3
- Owner changed from anonymous to rob1n
- Owner set to pishmishy
- Status changed from new to assigned
- Summary changed from Pingback DDOS possibility to Pingback Denial of Service possibility
- Keywords has-patch removed
- Milestone 2.9 deleted
- Priority changed from high to low
- Resolution set to wontfix
- Status changed from assigned to closed
- Cc bob.ellison@… added
- Keywords needs-testing removed
- Resolution wontfix deleted
- Severity changed from normal to minor
- Status changed from closed to reopened
- Version 2.1.3 deleted
- Keywords needs-patch added; 2nd-opinion removed
- Severity changed from minor to normal