2 weeks ago
9 Views

Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

wordpress-dos-attack-hacking

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform which could allow anyone to take down most WordPress websites even with just one machine—without hitting using a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.

Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched as well as also affects almost all versions of WordPress released in last nine years, including the latest stable Discharge of WordPress (edition 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides inside way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.

For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance as well as also load page faster by combining (on the server end) multiple JavaScript files into just one request.

However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually generating the feature accessible to anyone.

wordpress dos attack

Depending upon the plugins as well as also modules you have installed, the load-scripts.php file selectively calls required JavaScript files by passing their names into the “load” parameter, separated by a comma, like inside following URL:

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

While loading the website, the ‘load-scripts.php’ (mentioned inside head of the page) tries to find each JavaScript file name given inside URL, append their content into just one file as well as also then send back the item to the user’s web browser.

How WordPress DoS Attack Works

wordpress-dos-attack-tool

According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the above URL, generating the targeted website slightly slow by consuming high CPU as well as also server memory.

“There will be a well-defined list ($wp_scripts), which can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value coming from the user,” Tawily says.

Although just one request could not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible as well as also bring the item down.

The Hacker News has verified the authenticity of the DoS exploit which successfully took down one of our demo WordPress websites running on a medium-sized VPS server.

“the item will be time to mention again which load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.

However, attack coming from just one machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power as well as also memory.

wordpress-hacking

yet which doesn’t mean the flaw will be not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets as well as also bandwidth to achieve the same goal—to take down a site.

So attackers with more bandwidth or a few bots can exploit This particular flaw to target big as well as also well-liked WordPress websites as well.

No Patch Available  – Mitigation Guide

Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.

Knowing which DoS vulnerabilities are out-of-scope coming from the WordPress bug bounty program, Tawily responsibly reported This particular DoS vulnerability to the WordPress team through HackerOne platform.

However, the company refused to acknowledge the issue, saying which This particular kind of bug “should truly get mitigated at the server end or network level rather than the application level,” which will be outside of WordPress’s control.

The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers as well as also generating them unavailable for their legitimate users.

For websites which can’t afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked edition of WordPress, which includes mitigation against This particular vulnerability.

However, I personally wouldn’t recommend users to install modified CMS, even if the item will be coming from a trusted source additional than the original author.

Besides This particular, the researcher has also released a simple bash script which fixes the issue, in case you have already installed WordPress.

Article Categories:
Security Hacks

Leave a Comment

Your email address will not be published. Required fields are marked *

nine − 2 =