Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#41808 closed defect (bug) (invalid)

Attacks against wp.getUsersBlogs with no user name but with a password

Reported by: krader Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.8
Component: Security Keywords:
Focuses: rest-api Cc:

Description

In the past few hours I've seen several attacks that POST to /xmlrpc.php with content like this resulting in a 200 HTTP response:

POST /xmlrpc.php HTTP/1.1
Content-Type: application/xml
Host: skepticism.us
Content-Length: 173
Connection: Close

<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value></value></param><param><value>123456789</value></param></params></methodCall>

That method is not correctly validating its input.

Change History (1)

#1 @joemcgill
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

@krader The 200 response contains the results of the WP_Error you would expect.

While this doesn't seem to be an actual security issue, if you think something *is* security related it should be reported responsibly via HackerOne. Disclosing any security issue publicly is dangerous for all WordPress users.
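The request in the report and the reply's point about the 200 response both come down to reading the XML-RPC envelope: the probe is a `wp.getUsersBlogs` call whose first parameter (the username) is empty, and an XML-RPC error comes back as a `<fault>` struct inside an HTTP 200 body, not as a 4xx status. The following Python is an added example, not code from the ticket or from WordPress: it parses request bodies into (method, params), flags credential-taking calls with an empty username or password, counts such probes per source address, and separates a fault response from a success. The ticket's own request body is reused as sample input; the second request, the log entries (RFC 5737 addresses) and the fault response are constructed for illustration, and the `CREDENTIAL_METHODS` list and the fault text "Incorrect username or password." are assumptions rather than values taken from the WordPress source.

```python
"""Classify XML-RPC requests to /xmlrpc.php and tell faults from successes.

Added example, not part of the ticket or of WordPress. Sample bodies other
than the ticket's own request are constructed; the fault text is an assumption.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Methods whose first two params are (username, password).
# Assumption: a hand-picked subset, not derived from the WordPress code base.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getUsers"}

# Request body quoted in the ticket: empty username, password "123456789".
TICKET_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    '<params><param><value></value></param>'
    '<param><value>123456789</value></param></params></methodCall>'
)

# Constructed request with both credentials present (typed <string> values).
OK_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    '<params><param><value><string>admin</string></value></param>'
    '<param><value><string>hunter2</string></value></param></params></methodCall>'
)

# Constructed response in the XML-RPC fault shape; the faultString is an
# assumption about what the server says, not a captured reply.
FAULT_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct>'
    '<member><name>faultCode</name><value><int>403</int></value></member>'
    '<member><name>faultString</name><value><string>Incorrect username or password.'
    '</string></value></member></struct></value></fault></methodResponse>'
)

# Constructed (source_ip, request_body) pairs standing in for access-log data.
SAMPLE_LOG = [
    ("203.0.113.5", TICKET_BODY),
    ("203.0.113.5", TICKET_BODY),
    ("198.51.100.7", OK_BODY),
]


def _value_text(value_el):
    """Text of a <value>: either a typed child (<string>, <int>) or bare text."""
    child = next(iter(value_el), None)
    return (child.text if child is not None else value_el.text) or ""


def parse_method_call(body):
    """Return (method_name, [param strings]) from a <methodCall> body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    name = root.findtext("methodName", default="")
    params = [_value_text(v) for v in root.findall("./params/param/value")]
    return name, params


def classify_request(body):
    """Label one request body for a detection rule."""
    try:
        name, params = parse_method_call(body)
    except (ET.ParseError, ValueError):
        return "malformed"
    if name not in CREDENTIAL_METHODS:
        return "other"
    if len(params) < 2:
        return "missing-credentials"
    if params[0] == "" or params[1] == "":
        return "empty-credential"   # the pattern reported in the ticket
    return "credentialed"


def is_fault(response_body):
    """XML-RPC reports errors inside a 200 body; return (is_fault, code, msg)."""
    root = ET.fromstring(response_body)
    fault = root.find("fault")
    if fault is None:
        return False, None, None
    code = msg = None
    for member in fault.findall("./value/struct/member"):
        text = _value_text(member.find("value"))
        if member.findtext("name") == "faultCode":
            code = int(text)
        elif member.findtext("name") == "faultString":
            msg = text
    return True, code, msg


def count_empty_credential_probes(entries):
    """Count empty-credential probes per source address for rate-based alerting."""
    counts = Counter()
    for src_ip, body in entries:
        if classify_request(body) == "empty-credential":
            counts[src_ip] += 1
    return counts


if __name__ == "__main__":
    print(classify_request(TICKET_BODY))            # empty-credential
    print(is_fault(FAULT_RESPONSE))                 # (True, 403, 'Incorrect username or password.')
    print(count_empty_credential_probes(SAMPLE_LOG))  # Counter({'203.0.113.5': 2})
```

Because a fault still arrives with status 200, a rule keyed only on the HTTP status code never fires for these probes; inspect the request body (empty username to a credential-taking method) or the response body (`<fault>` present) instead, and alert on the per-source count rather than on single requests.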
