[wp-trac] [WordPress Trac] #29750: array_unshift() PHP Warning when wp.getUsersBlogs is attacked (poorly)
WordPress Trac
noreply at wordpress.org
Wed Sep 24 22:02:53 UTC 2014
#29750: array_unshift() PHP Warning when wp.getUsersBlogs is attacked (poorly)
--------------------------+-----------------------------
 Reporter:  kitchin       |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  XML-RPC       |     Version:  4.0
 Severity:  normal        |    Keywords:
  Focuses:                |
--------------------------+-----------------------------
An error_log is getting cluttered with these due to a distributed XML-RPC
attack:
{{{
PHP Warning: array_unshift() expects parameter 1 to be array, string given
in /../wp-includes/class-wp-xmlrpc-server.php on line 518
}}}
I tracked it down to this attack, username without password:
{{{
<?xml_version] => "1.0" encoding="iso-8859-1"?>
<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>someuser</value></param>
<param><value></value></param>
</params></methodCall>
}}}
What's happening: as in Ticket #16980, untyped empty values are ignored by
IXR and the expected 2-element array becomes a singleton. Then the
singleton becomes a string (line 455 of class-IXR.php), and hence the
array_unshift() warning.
This all ends up at class-wp-xmlrpc-server.php Line 223:
{{{
$user = wp_authenticate( 'o', 'm' );
}}}
using the `[1]` and `[2]` elements of the string `someuser`.
It would be easy to bail at the first line of function wp_getUsersBlogs if
$args is not an array. We could issue the same warning as a login failure
if we don't want to alert the script kiddies to their errors (that's the
current behavior).
There are a few other functions with the same problem, if it is a problem.
We could try to use the signature interface of IXR or just do it the easy
way.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29750>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
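The argument collapse described in the ticket, as an added PHP example that is not WordPress or IXR code: it reproduces the single-parameter shortcut of IXR_Server::call() with a constructed one-element param list, shows why a string reaches the method and where 'o' and 'm' come from, and then the is_array() bail-out proposed above, answering with the same generic login failure. All function and variable names here are stand-ins, not WordPress's.

```php
<?php
// Added example, not WordPress or IXR code. Names are stand-ins.

// Stand-in for the IXR_Error a failed login produces: the same answer is
// returned for malformed arguments so the caller learns nothing extra.
function login_failure() {
    return array('faultCode' => 403, 'faultString' => 'Incorrect username or password.');
}

// Constructed sample: what IXR hands over once the untyped empty
// <value></value> has been dropped, i.e. one element instead of two.
$params = array('someuser');

// Same shortcut as IXR_Server::call(): a lone parameter is passed bare,
// so the method receives the string "someuser" rather than an array.
$args = (count($params) == 1) ? $params[0] : $params;

// Unguarded shape of the handler. In WordPress, array_unshift($args, 1)
// runs first and emits the warning quoted in the ticket; on a string it
// changes nothing, so the [1] and [2] reads below are string offsets of
// "someuser", which is how wp_authenticate('o', 'm') comes about.
function get_users_blogs_unguarded($args) {
    $username = $args[1];
    $password = $args[2];
    return array('username' => $username, 'password' => $password);
}

// Guarded shape: bail before any array function or indexing when $args
// is not a two-element array, with the generic login failure.
function get_users_blogs_guarded($args) {
    if (!is_array($args) || count($args) < 2) {
        return login_failure();
    }
    array_unshift($args, 1);  // safe now: $args is known to be an array
    $username = $args[1];
    $password = $args[2];
    return array('username' => $username, 'password' => $password);
}

var_dump(get_users_blogs_unguarded($args));
var_dump(get_users_blogs_guarded($args));
var_dump(get_users_blogs_guarded(array('someuser', 'secret')));
```

The third call shows that a well-formed two-element request still reaches the credential path, so the guard only filters the malformed shape, not legitimate logins.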