array_unshift() PHP Warning when wp.getUsersBlogs is attacked (poorly)
|Reported by:||kitchin||Owned by:||SergeyBiryukov|
An error_log is getting cluttered with these due to a distributed XML-RPC attack:
PHP Warning: array_unshift() expects parameter 1 to be array, string given in /../wp-includes/class-wp-xmlrpc-server.php on line 518
I tracked it down to this attack, username without password:
<?xml_version] => "1.0" encoding="iso-8859-1"?> <methodCall><methodName>wp.getUsersBlogs</methodName><params> <param><value>someuser</value></param> <param><value></value></param> </params></methodCall>
What's happening: as in Ticket #16980 untyped empty values are ignored by IRX and the expected 2-element array becomes a singleton. Then the singleton becomes a string (line 455 of class-IXR.php), and hence the array_unshift() warning.
This all ends up at class-wp-xmlrpc-server.php Line 223:
$user = wp_authenticate( 'o', 'm')
using the  and  elements of the string someuser.
It would be easy to bail at the first line of function wp_getUsersBlogs if $args is not an array. We could issue the same warning as a login failure if we don't want to alert the script kiddies to their errors (that's the current behavior).
There are a few other functions with the same problem, if it is a problem. We could try to use the signature interface of IXR or just do it the easy way.
Change History (15)
18 months ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
- Owner markoheijnen deleted
- Keywords has-patch added; needs-patch removed
- Milestone changed from Future Release to 4.7
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from assigned to closed