10/23/2015 04:45:10 AM (6 years ago)
Author:
dd32
Message:

XMLRPC: Prevent authentication from occurring after a failed authentication attempt in any single XML-RPC call.

This hardens WordPress against a common vector which uses multiple user identifiers in a single system.multicall call. In the event that authentication fails, all following authentication attempts in that call will also fail.

Props dd32, johnbillion.
Fixes #34336

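--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -45,4 +45,12 @@
      */
     public $error;
+
+    /**
+     * Flags that the user authentication has failed in this instance of wp_xmlrpc_server.
+     *
+     * @access protected
+     * @var bool
+     */
+    protected $auth_failed = false;
 
     /**
@@ -252,8 +260,15 @@
         }
 
-        $user = wp_authenticate($username, $password);
-
-        if (is_wp_error($user)) {
+        if ( $this->auth_failed ) {
+            $user = new WP_Error( 'login_prevented' );
+        } else {
+            $user = wp_authenticate( $username, $password );
+        }
+
+        if ( is_wp_error( $user ) ) {
             $this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) );
+
+            // Flag that authentication has failed once on this wp_xmlrpc_server instance
+            $this->auth_failed = true;
 
             /**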
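Review bot: The `login_prevented` branch at new line 263 skips `wp_authenticate()` entirely, so anything that observes failed logins through that function (presumably the `wp_login_failed` action that lockout and logging plugins hook) will see only the first failure of a multicall, not the prevented follow-ups; consider a comment making that explicit, e.g. `// Short-circuit after an earlier failure in this request; wp_authenticate() is not called, so login-failure hooks do not fire for this attempt.`, or firing that hook here if downstream counters rely on it. Reusing the same 403 "Incorrect username or password." response for the prevented case is the right call, since it gives a caller no signal that distinguishes a prevented attempt from a genuine failure. Note that `$auth_failed` lives on the wp_xmlrpc_server instance, so it only bounds attempts within one request; cross-request rate limiting is a separate control. The enclosing method starts and ends outside this hunk.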