
Changes between Initial Version and Version 4 of Ticket #47551

Timestamp: 06/17/2019 03:27:31 PM (16 months ago)
Author: SergeyBiryukov
Comment:

Hi @pranayjain2511, welcome to WordPress Trac!

A DoS (Denial of Service) against xmlrpc.php is no different to one against the homepage or wp-login.php; preventing it is out of scope for WordPress. Caching and security plugins often attempt to cover this well, but ultimately it's an issue that needs to be handled at the server level.

See #35532, #36806, #24193, and other similar tickets.

Additionally, when writing this ticket you should have seen this notice:

Do not report potential security vulnerabilities here. See the Security FAQ and visit the WordPress HackerOne program.

  • Ticket #47551

    • Property Status changed from new to closed
    • Property Owner set to marybaum
    • Property Milestone changed from Awaiting Review to
    • Property Keywords needs-patch removed
    • Property Resolution changed from to duplicate
  • Ticket #47551 – Description (initial version vs. v4)

    WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. The website https://blog.optimizely.com/ has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts.

    In order to determine whether the xmlrpc.php file is enabled or not, using the Repeater tab in Burp, send the request below.

    {{{
    POST /xmlrpc.php HTTP/1.1
    Host: blog.optimizely.com

    </params>
    </methodCall>
    }}}

    Notice that a successful response is received, showing that the xmlrpc.php file is enabled.

    Now, considering the domain https://blog.optimizely.com, the xmlrpc.php file discussed above could potentially be abused to cause a DDoS attack against a victim host. This is achieved by simply sending a request that looks like the one below.

    http request
    {{{
    POST /xmlrpc.php HTTP/1.1
    Host: blog.optimizely.com

    </params>
    </methodCall>
    }}}

    Note: please find attachments for the PoC at the following URL: https://drive.google.com/folderview?id=18ZR6OK8WH2FnFu2vviw5EvyvWu5qMbEn
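The maintainer's reply says the mitigation belongs in plugins or at the server level rather than in core. As an added example (not part of this ticket and not WordPress core code), the following must-use plugin removes the pingback methods from the XML-RPC method table using the `xmlrpc_methods` and `wp_headers` filters that core provides; the plugin file name and its placement under `wp-content/mu-plugins/` are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks (added example, not core code)
 * Description: Stops this site from acting as a pingback reflector while
 *              leaving the rest of xmlrpc.php (mobile apps, Jetpack, etc.)
 *              functional. Assumed location: wp-content/mu-plugins/.
 */

// Drop the pingback methods from the table of callable XML-RPC methods.
// wp_xmlrpc_server passes its method map through this filter on construction,
// so a pingback.ping request afterwards gets a "server error. requested method
// not found" fault instead of triggering an outbound fetch to the target URL.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint: core adds an X-Pingback header in
// WP::send_headers(), and this filter runs over that header array.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Caveat: returning false from 'xmlrpc_enabled' is NOT a substitute for the
// above. That filter is consulted in wp_xmlrpc_server::login(), so it only
// blocks authenticated methods; pingback.ping never calls login() and would
// still be reachable. Uncomment it only if authenticated XML-RPC use is also
// unwanted on this site.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Verify the result by checking the output of a `system.listMethods` call against the site no longer contains `pingback.ping`, and that the response to any request no longer carries an `X-Pingback` header. For a site that does not need XML-RPC at all, the server-level option the maintainer refers to (a web-server rule denying requests to `/xmlrpc.php`) removes the endpoint entirely and also spares PHP from handling the traffic.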