[wp-trac] [WordPress Trac] #4137: Pingback DDOS possibility
WordPress Trac
wp-trac at lists.automattic.com
Wed Apr 11 19:41:51 GMT 2007
#4137: Pingback DDOS possibility
------------------------+---------------------------------------------------
Reporter: foobarwp12 | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.0.eventually
Component: Security | Version:
Severity: normal | Keywords: xmlrpc ddos possibility
------------------------+---------------------------------------------------
The pingback feature of WordPress (2.1.3) allows DDOS attacks either
against the server hosting WordPress or against a third one.
When a client sends a pingback, WordPress calls "wp_remote_fopen" to
download the referring URL. On servers having "allow_url_fopen" activated,
this function will try to download the /whole/ URL without any timeout or
size limit. (except those set in php.ini, which will usually lead to a
~8MB download)
So if you post ~100 xmlrpc requests referring to a /huge/ file, every
server meeting those prerequisites should effectively be down (for a
while). You should at least be able to generate lots of traffic.
On the other hand, if you google for blogs and post the same URL to each
of 'em, the target server should be DDOSed.
I suggest allowing pingbacks only if the connection was opened from the
host mentioned in the source URL.
I'll attach a demo exploit (I didn't test it for the entered URL; it
worked for a local installation.)
--
Ticket URL: <http://trac.wordpress.org/ticket/4137>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
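The two controls the report points at, a source-host check and a bounded, time-limited download, as an added example; this is illustrative Python, not WordPress code, and the fetch_pingback_source function, the limits and the resolver/opener hooks are assumptions for the demo.

```python
import socket
import urllib.request
from io import BytesIO
from urllib.parse import urlparse

MAX_BYTES = 256 * 1024   # assumed cap: stop reading the source page after 256 KiB
READ_TIMEOUT = 5         # assumed cap: seconds, applied to the socket used for the fetch


def source_host_matches_client(source_url, client_ip, resolve=socket.gethostbyname_ex):
    """Accept the pingback only if the claimed source URL resolves to the peer that sent it."""
    try:
        host = urlparse(source_url).hostname
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return False
    if not host:
        return False
    try:
        _, _, addrs = resolve(host)
    except OSError:             # resolution failed: refuse rather than fetch
        return False
    return client_ip in addrs


def read_bounded(stream, limit=MAX_BYTES, chunk=8192):
    """Read at most `limit` bytes from a file-like object, whatever the remote side offers."""
    buf = bytearray()
    while len(buf) < limit:
        piece = stream.read(min(chunk, limit - len(buf)))
        if not piece:
            break
        buf.extend(piece)
    return bytes(buf)


def fetch_pingback_source(source_url, client_ip, resolve=socket.gethostbyname_ex, opener=None):
    """Hypothetical hardened stand-in for an unbounded wp_remote_fopen-style download."""
    if not source_host_matches_client(source_url, client_ip, resolve):
        return None
    if opener is None:
        opener = lambda url: urllib.request.urlopen(url, timeout=READ_TIMEOUT)
    with opener(source_url) as resp:
        return read_bounded(resp)


def demo():
    """Constructed offline run: a 1 MiB 'page' served by a fake opener, with a fake resolver."""
    huge_body = b"<html>" + b"A" * (1024 * 1024)
    fake_resolve = lambda host: (host, [], ["192.0.2.10"])
    body = fetch_pingback_source("http://blog.example/post/1", "192.0.2.10",
                                 resolve=fake_resolve, opener=lambda url: BytesIO(huge_body))
    return len(body)   # the read stops at MAX_BYTES, not at the 1 MiB the remote offers
```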