[wp-trac] [WordPress Trac] #34336: Disable XML-RPC system.multicall authenticated requests on the first auth failure
WordPress Trac
noreply at wordpress.org
Fri Oct 16 22:42:33 UTC 2015
#34336: Disable XML-RPC system.multicall authenticated requests on the first auth failure
--------------------------+-------------------------------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.4
Component: XML-RPC | Version:
Severity: normal | Keywords: has-patch needs-testing
Focuses: |
--------------------------+-------------------------------------
Recently [https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html Sucuri published a post] about a Brute Force Amplification Attack affecting WordPress by using `system.multicall`.
WordPress should cause XML-RPC authentication to fail on all subsequent
`multicall` calls silently to prevent this attack being viable against
WordPress.
The attached patch implements this suggestion, and although it breaks the
XML-RPC spec I think we should enforce this.
Multiple user authentications are still possible when using
`system.multicall`, the only catch is that once one fails authentication,
all the further attempts will also fail.
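The behaviour the ticket asks for, as an added illustration in PHP (this is not the attached patch and not WordPress code): a minimal stand-in for the XML-RPC server in which the first failed login latches a per-request flag, so every later login in the same `system.multicall` fails without a credential check. The class, method map, and credentials are constructed for the example.

```php
<?php
// Added illustration, not the ticket's patch: a stand-in XML-RPC server
// demonstrating the "fail all later logins after the first failure" latch.

class MiniXmlrpcServer {
    private array $users = ['admin' => 'correct-horse']; // constructed sample store
    private bool $auth_failed = false;                    // latched per request/instance
    private array $methods;                                // 'wp.getUsersBlogs' => callable

    public function __construct() {
        $this->methods = ['wp.getUsersBlogs' => [$this, 'wp_getUsersBlogs']];
    }

    // Once any login in this request has failed, every later login fails
    // immediately; only the first attempt per request reaches the password check.
    private function login(string $user, string $pass): bool {
        if ($this->auth_failed) {
            return false;
        }
        $ok = isset($this->users[$user]) && hash_equals($this->users[$user], $pass);
        if (!$ok) {
            $this->auth_failed = true; // latch for the rest of this request
        }
        return $ok;
    }

    public function wp_getUsersBlogs(array $args) {
        [$user, $pass] = $args;
        return $this->login($user, $pass)
            ? ['isAdmin' => true]
            : ['faultCode' => 403, 'faultString' => 'Incorrect username or password.'];
    }

    // system.multicall: each sub-call runs on the same server instance, so the
    // latch set by one sub-call is visible to all that follow it.
    public function multicall(array $calls): array {
        $results = [];
        foreach ($calls as $call) {
            $fn = $this->methods[$call['methodName']] ?? null;
            $results[] = $fn ? $fn($call['params'])
                             : ['faultCode' => -32601, 'faultString' => 'Unknown method'];
        }
        return $results;
    }
}

// Constructed request: two wrong passwords, then the correct one.
$server = new MiniXmlrpcServer();
print_r($server->multicall([
    ['methodName' => 'wp.getUsersBlogs', 'params' => ['admin', 'wrong-1']],
    ['methodName' => 'wp.getUsersBlogs', 'params' => ['admin', 'wrong-2']],
    ['methodName' => 'wp.getUsersBlogs', 'params' => ['admin', 'correct-horse']],
]));
// All three sub-calls return the 403 fault: one request now costs at most one
// real credential check, which removes the amplification the post describes.
```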
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34336>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform