Make WordPress Core

Opened 23 months ago

Last modified 18 months ago

#57363 new defect (bug)

WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding

Reported by: edavis711
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.1.1
Component: Pings/Trackbacks
Keywords: needs-patch
Focuses:
Cc:

Description

Hi,

Is this issue going to be fixed? No one has really answered this in the forums.

Change History (8)

#1 @afragen
23 months ago

  • Component changed from Upgrade/Install to XML-RPC

#2 @afragen
23 months ago

  • Component changed from XML-RPC to Pings/Trackbacks

#3 @samiamnot
23 months ago

The issue is rated as a medium severity issue. It seemingly requires a vulnerability chain (unless there is another vulnerability to chain together, it is not exploitable). I am sure that the WP developers are actively working on a fix. See https://nvd.nist.gov/vuln/detail/CVE-2022-3590. If you are nervous, the vulnerability is in WordPress XML-RPC and you can turn it off via a number of WordPress plugins.

#4 @peterwilsoncc
23 months ago

Members of the security team discussed this overnight; they have decided to work on a fix in public given the issue is already well known.

A provisional patch does exist, but a number of complicated edge cases remain to be resolved, so it’ll take a bit of work to get it into a commit-worthy state that doesn’t break existing plugins.

As mentioned in the comment above and the original post disclosing the issue, exploiting this requires vulnerabilities in multiple systems outside of WordPress. The WordPress Security Team recommends website owners always use the DNS servers provided by their hosting provider.

#5 follow-up: @TylerTork
23 months ago

While this isn't a particularly serious issue security-wise, it's a serious issue PR-wise. I don't know how many millions of people are now receiving daily security notifications from iThemes or Google or whatever, but if there's going to be any significant delay, I'd say it's better to disable the pingback capability altogether if that's what it takes to fix it ASAP. It's a stupid function anyway, of use mainly to spammers.
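A mitigation along the lines of comments 3 and 5 above, as an added example that is not part of this ticket or of WordPress core: a must-use plugin that removes the inbound pingback methods from the XML-RPC server and stops outbound pingbacks. It uses only core hooks that exist in WordPress (`wp_headers`, `xmlrpc_methods`, `pre_ping`); note that the often-recommended `xmlrpc_enabled` filter alone is not sufficient here, because it only gates XML-RPC methods that require authentication, and `pingback.ping` does not.

```php
<?php
/**
 * Plugin Name: Disable pingbacks (mitigation example, not WordPress core code)
 * Description: Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Stop advertising the pingback endpoint in HTTP responses.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Remove the inbound pingback methods from the XML-RPC method table. A request
// for pingback.ping is then answered with a "method not found" fault instead of
// triggering any server-side fetch of the caller-supplied source URL.
//
// Note: add_filter( 'xmlrpc_enabled', '__return_false' ) does NOT cover this
// case; that filter is only consulted for methods that require a login.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop this site from sending outbound pingbacks when a post is published.
// pre_ping passes the link list by reference, so emptying it here means
// do_all_pings() / pingback() has nothing to contact.
add_action( 'pre_ping', function ( &$links ) {
    $links = array();
} );
```

Sites that do not use XML-RPC at all can go further and return an empty array from `xmlrpc_methods` (or block /xmlrpc.php at the web server), which removes every method rather than just the pingback ones.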

#6 @paulkevan
22 months ago

A provisional patch does exist, but a number of complicated edge cases remain to be resolved, so it’ll take a bit of work to get it into a commit-worthy state that doesn’t break existing plugins.

The work to update the Requests library (https://core.trac.wordpress.org/changeset/54997) further complicates this and will require some updates to the original patch.

#7 @samiamnot
18 months ago

#58245 was marked as a duplicate.

#8 in reply to: ↑ 5 @jfaguilarsaatchi
18 months ago

Replying to TylerTork:

While this isn't a particularly serious issue security-wise, it's a serious issue PR-wise. I don't know how many millions of people are now receiving daily security notifications from iThemes or Google or whatever, but if there's going to be any significant delay, I'd say it's better to disable the pingback capability altogether if that's what it takes to fix it ASAP. It's a stupid function anyway, of use mainly to spammers.

Well, is it? I think the premise behind it, in groups that discuss a specific subject, is a good idea, but could be easily replaced with do-follow links and curated RSS feeds, maybe a third-party service that provides SEO insights on backlinks. But yeah...
