Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #47856


Timestamp: 08/09/2019 01:50:51 PM (7 years ago)
Author: SergeyBiryukov
Comment:

Hi @victim01, welcome to WordPress Trac!

A DoS (Denial of Service) against xmlrpc.php is no different to one against the homepage or wp-login.php; preventing it is out of scope for WordPress. Caching and security plugins often attempt to cover this well, but ultimately it's an issue that needs to be handled at the server level.

See #35532, #36806, #24193, and other similar tickets.

See also #34336 for some details on system.multicall.

Additionally, when writing this ticket you should have seen this notice:

Do not report potential security vulnerabilities here. See the Security FAQ and visit the WordPress HackerOne program.

  • Ticket #47856

    • Property Status changed from assigned to closed
    • Property Component changed from General to XML-RPC
    • Property Resolution changed from to duplicate
    • Property Milestone changed from Awaiting Review to
  • Ticket #47856 – Description (initial → v1; unchanged lines are unmarked, `-` lines were removed in v1, `+` lines were added in v1)

      ## I found that productivity should be turned off from the beginning, or possible harmful functions minimized, but it still exists in wordpress.org/xmlrpc.php, like multi brute force and DDoS attack. If you check the data correctly, you will see its search hazard.

      1. First, with the payload I list the available methods that can be exploited, like:
      -wp.getUserBlogs

      -system.multicall
      -pingback.ping
    -
    + {{{
      POST /xmlrpc.php HTTP/1.1
      Host: wordpress.org

      <params> </params>
      </methodCall>
    + }}}
    +
      ## Brute force attack
      The first place I can exploit is brute force login!
    + {{{
      POST /xmlrpc.php HTTP/1.1
      Host: wordpress.org

      </params>
      </methodCall>
    -
    + }}}
      3. Now I can easily log in with the different available methods, and I can write code to attack it with the existing user and password. That will take a lot of time but will have results. It can happen faster when you read my third item !!!


      The intent of Pingback is to notify a site that you link to about the link, hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, WordPress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".
      However, an attacker can take advantage of it to walk around DDoS attacks that affect the service.
    + {{{
      POST /xmlrpc.php HTTP/1.1
      Host: wordpress.org

      </value></param></params>
      </methodCall>
    -
    + }}}
      ## Multicall
      This increases the attack capability of methods, for example when brute-forcing.
      The vulnerability can easily be abused by a simple script to try a significant number of username and password combinations with a relatively small number of HTTP requests. The following diagram shows a 4-fold increase in login attempts to HTTP requests, but this can trivially be expanded to a thousand logins.
    -
    + {{{
      POST /xmlrpc.php HTTP/1.1
      Host: wordpress.org

      </params>
      </methodCall>
    -
    + }}}
      What about combining it with some other way? For pingback methods, for example. It increases time and danger !!
      During testing, I was able to call the method wp.getUserBlogs 1,000 times in a single HTTP request (limited only by PHP memory issues). If a user creates a simple shell loop that executes one thousand times and runs a PHP script that crafts an HTTP request with one thousand method calls all requiring authentication, then that user would be able to try one million unique logins in a very short period of time.

    - This makes brute forcing the login very fast and can run down a pretty large wordlist in a short period of time. Also note that the wp.getUserBlogs method isn’t the only RPC call requiring authentication. It’s possible to use any RPC method which requires authentication to attempt logins and brute force the Wordpress credentials.
    + This makes brute forcing the login very fast and can run down a pretty large wordlist in a short period of time. Also note that the wp.getUserBlogs method isn’t the only RPC call requiring authentication. It’s possible to use any RPC method which requires authentication to attempt logins and brute force the WordPress credentials.

      Damage from the above holes is the damage to the remains that need to be patched. You can remove it if not needed. Or minimize the methods that can cause injury as the above methods !!!
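The reporter's closing suggestion is to remove XML-RPC if it is not needed, or to trim the method table down so that `system.multicall` and `pingback.ping` are no longer exposed. The following must-use plugin is an added example of doing exactly that with WordPress's public filter hooks; it is not code from the ticket and not WordPress core code. The filter names (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `pings_open`) are real core hooks; the file path in the header comment is an assumption about the reader's deployment. It does not address the request-rate side of the ticket, which, as the comment above notes, belongs at the web-server or proxy layer.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC surface (added example)
 * Description: Removes system.multicall and pingback.ping from the XML-RPC
 *              method table and stops advertising the pingback endpoint.
 *
 * Assumed install location: wp-content/mu-plugins/restrict-xmlrpc.php
 * (any standard mu-plugins directory works; the path is an assumption).
 */

// Option A: refuse every authenticated XML-RPC call. This also breaks clients
// that legitimately rely on XML-RPC (mobile apps, Jetpack, remote publishing),
// so it stays commented out here and is only the right choice when nothing
// depends on the endpoint.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B (active in this example): keep XML-RPC but drop the two methods the
// ticket describes. 'xmlrpc_methods' receives wp_xmlrpc_server's
// method-name => callback map before any request is dispatched.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // system.multicall wraps many calls in one HTTP request, which is what lets
    // N requests carry N*k authentication attempts.
    unset( $methods['system.multicall'] );
    // pingback.ping makes the site issue an outbound request to a caller-chosen
    // URL; dropping it removes the reflection vector.
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Stop sending the X-Pingback header that advertises the endpoint on posts.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Defence in depth: treat pings as closed for every post, so even a pingback
// arriving by another route is declined by pings_open().
add_filter( 'pings_open', '__return_false' );
```

After deploying, a `system.listMethods` request against your own site should no longer list the two removed names, and `curl -I` on a post URL should show no `X-Pingback` header. Authentication attempts through the remaining methods still hit the normal login path one at a time, so existing login throttling and server-side rate limits apply to them unchanged.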