Opened 23 months ago
Last modified 18 months ago
#57363 new defect (bug)
WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
| Reported by: | edavis711 | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 6.1.1 |
| Component: | Pings/Trackbacks | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
Hi,
Is this issue going to be fixed? No one has really answered this in the forums.
Change History (8)
#4 (23 months ago)
Members of the security team discussed this overnight, they have decided to work on a fix in public given the issue is already well known.
A provisional patch does exist, but a number of complicated edge cases remain to be resolved, so it'll take a bit of work to get it into a commit-worthy state that doesn't break existing plugins.
As mentioned in the comment above and the original post disclosing the issue, exploiting this requires vulnerabilities in multiple systems outside of WordPress. The WordPress Security Team recommends website owners always use the DNS servers provided by their hosting provider.
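The comment above describes the bug class without showing it. The following is an added example (not WordPress core code and not the provisional patch mentioned here) that illustrates the check-then-fetch gap a DNS rebinding attack relies on, and one way to close it: resolve once, validate that address, and pin the connection to it. All function names prefixed `example_` and any host names in the comments are hypothetical.

```php
<?php
// Added example, not WordPress core code. Shows why validating a hostname's
// address and then handing the *hostname* to an HTTP client is not enough,
// and how pinning the validated address closes the gap.

/** True if $ip is a public unicast IPv4/IPv6 address (rejects loopback, RFC1918, link-local, reserved). */
function example_ip_is_public( string $ip ): bool {
    return (bool) filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/**
 * VULNERABLE PATTERN (illustrative): lookup #1 is used for validation, but the
 * HTTP client performs its own lookup #2 when it connects. An attacker who
 * controls the zone for attacker.example (hypothetical) can serve a short-TTL
 * record that answers 203.0.113.10 the first time and 127.0.0.1 the second.
 */
function example_fetch_unpinned( string $url ) {
    $host = parse_url( $url, PHP_URL_HOST );
    $ip   = gethostbyname( $host );             // lookup #1 (validation only)
    if ( $ip === $host || ! example_ip_is_public( $ip ) ) {
        return false;                           // gethostbyname() returns the input on failure
    }
    return file_get_contents( $url );           // lookup #2 (connection) may resolve differently
}

/**
 * HARDENED PATTERN: resolve once, validate, then force curl to connect to that
 * exact address with CURLOPT_RESOLVE so no second lookup happens. Redirects are
 * disabled because a 3xx to another host would reopen the same problem.
 * Note: gethostbyname() is IPv4-only; an IPv6-capable check would also need
 * dns_get_record($host, DNS_AAAA) and validation of every returned address.
 */
function example_fetch_pinned( string $url ) {
    $parts = parse_url( $url );
    if ( ! $parts || ! in_array( $parts['scheme'] ?? '', array( 'http', 'https' ), true ) ) {
        return false;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ( 'https' === $parts['scheme'] ? 443 : 80 );
    $ip   = gethostbyname( $host );
    if ( $ip === $host || ! example_ip_is_public( $ip ) ) {
        return false;
    }
    $ch = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_RESOLVE        => array( "{$host}:{$port}:{$ip}" ), // pin: reuse the validated address
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ) );
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}
```

The pinned variant is the shape of fix the comment is alluding to: the address that passed validation must be the address actually connected to. It is also where the "edge cases" come from, since anything that re-resolves (redirect handling, a proxy, a transport that ignores the pin) has to be accounted for as well.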
#5 (23 months ago) follow-up: ↓ 8
While this isn't a particularly serious issue security-wise, it's a serious issue PR-wise. I don't know how many millions of people are now receiving daily security notifications from iThemes or Google or whatever, but if there's going to be any significant delay, I'd say it's better to disable the pingback capability altogether if that's what it takes to fix it ASAP. It's a stupid function anyway, of use mainly to spammers.
#6 (22 months ago)
A provisional patch does exist, but a number of complicated edge cases remain to be resolved, so it'll take a bit of work to get it into a commit-worthy state that doesn't break existing plugins.
The work to update the Requests library (https://core.trac.wordpress.org/changeset/54997) further complicates this and will require some updates to the original patch.
#8 (18 months ago) in reply to: ↑ 5
Replying to TylerTork:
> While this isn't a particularly serious issue security-wise, it's a serious issue PR-wise. I don't know how many millions of people are now receiving daily security notifications from iThemes or Google or whatever, but if there's going to be any significant delay, I'd say it's better to disable the pingback capability altogether if that's what it takes to fix it ASAP. It's a stupid function anyway, of use mainly to spammers.
Well, is it? I think the premise behind it, in groups that discuss a specific subject, is a good idea, but could be easily replaced with do-follow links and curated RSS feeds, maybe a third-party service that provides SEO insights on backlinks. But yeah...
The issue is rated as a medium severity issue. It seemingly requires a vulnerability chain (unless there is another vulnerability to chain together, it is not exploitable). I am sure that the WP developers are actively working on a fix. See https://nvd.nist.gov/vuln/detail/CVE-2022-3590. If you are nervous, the vulnerability is in WordPress XML-RPC and you can turn it off via a number of WordPress plugins.
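Comment #8 suggests turning off XML-RPC with a plugin, and comment #5 suggests disabling pingbacks altogether. As an added example (not WordPress core code and not any of the plugins referred to above), here is a must-use plugin that does the narrower thing: it removes the unauthenticated `pingback.ping` method, which is the entry point that fetches the caller-supplied source URL, and closes pings on all posts so the fetch is never reached. One caveat a practitioner should know: the `xmlrpc_enabled` filter is only consulted when an XML-RPC method authenticates, and `pingback.ping` never does, so `add_filter( 'xmlrpc_enabled', '__return_false' )` on its own does not stop it. The plugin header text is hypothetical.

```php
<?php
/**
 * Plugin Name: Disable inbound pingbacks (added example)
 * Description: Example only, not WordPress core or a plugin named in this ticket.
 *              Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Remove the pingback methods from the XML-RPC method table. Requests for
//    pingback.ping then get a "method not found" fault before any fetch happens.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Belt and braces: report every post as closed to pings. pingback.ping checks
//    pings_open() for the target post before it fetches the source URL, so even
//    if another plugin re-registers the method, the fetch is not reached.
add_filter( 'pings_open', '__return_false' );

// 3. Stop advertising the endpoint. The X-Pingback response header is how
//    other sites discover that xmlrpc.php accepts pingbacks.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

If XML-RPC is not needed at all, denying requests to `xmlrpc.php` at the web server is simpler and also removes the endpoint from the attack surface for anything else registered there; the plugin above is for sites that still need other XML-RPC methods (for example mobile clients) but want the pingback path gone.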