WordPress Core feature’s six-year-old blind SSRF vulnerability may allow DDoS assaults
Issue present in pingback requests feature.

Researchers have gone public with a six-year-old blind server-side request forgery (SSRF) vulnerability in a WordPress Core feature that could enable distributed denial-of-service (DDoS) attacks.

In a blog post published this week (September 6), Sonar researchers detailed how they were able to exploit a vulnerability in the pingback requests feature within WordPress.

The vulnerability first surfaced in 2017, yet remains unpatched.

Pingback problem

Pingback requests allow WordPress authors to be notified when another website links to their blog.

The pingback functionality is exposed on the XMLRPC API, which can be accessed through the xmlrpc.php file. Using this method, other blogs can announce pingbacks.

This feature could enable attackers to perform DDoS attacks by maliciously asking thousands of blogs to check for pingbacks on a single victim server, Sonar researchers explained.

Although pingbacks can be turned off via a checkbox, they are still enabled by default on WordPress instances.

It’s worth noting, the researchers pointed out, that they “couldn’t generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services”.

Rather, the bug could ease the exploitation of other vulnerabilities in the affected organization’s internal network.

Bypassing restrictions

Thomas Chauchefoin, vulnerability researcher at Sonar and author of the blog, told Daily Swig: “In 2012, the risks around the pingback feature started to be known, and the WordPress maintainers introduced restrictions on the destination of such requests: they would be limited to a restricted set of ports, only public IP addresses, etc.

“In essence, our finding allows getting around some of these restrictions and targeting hosts from the local network. Attackers could use it to send requests to hosts that wouldn’t have been reachable otherwise, for instance, to exploit a vulnerability in internal services.”

He added: “This bug is in the lineage of most CVEs related to pingbacks, but the oldest indicator of a researcher documenting how to get around this specific restriction is from 2017.”

SonarSource researchers disclosed the issue to WordPress on January 21. According to Sonar, it was acknowledged as a duplicate of a bug that had already been reported to the WordPress team in January 2017.

Chauchefoin added: “We reported the vulnerability on January 21 through the official channels, with a pretty standard 90-day disclosure policy. After agreeing to a 30-day extension period, we reviewed a first patch still waiting to be merged upstream. Our publication occurs 228 days after our initial report.”

A WordPress Security Team spokesperson told The Daily Swig: “As identified in the Sonar blog post, this is a low-impact issue and exploiting it requires ‘[chaining] it to additional vulnerabilities in third-party software’.

“As such, the Security Team considers the issue a low priority.”

They added: “Because of its low severity, the team is discussing whether this issue could be fixed in public as a general hardening measure.”

Mitigation advice

WordPress told The Daily Swig that exploiting the bug requires “vulnerabilities in multiple systems outside of WordPress”, but that it recommends website owners always use the DNS servers provided by their hosting provider.

They added: “For the pingbacks, users can turn off pingbacks. The XMLRPC endpoint will only make the HTTP requests (detailed in the Sonar blog post) if pingbacks are open for the post being pinged.

“Website owners can (a) turn off pingbacks globally using the code snippet provided in the original post and/or (b) turn off pingbacks for their blog posts.”
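The two mitigations the WordPress Security Team describes, turning pingbacks off globally and closing them per post, can both be applied from a single must-use plugin. The snippet below is an added example written for this article; it is not the code snippet from the Sonar post, and it assumes a standard install where files in wp-content/mu-plugins/ are loaded on every request.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks
 * Description: Added example for this article (not the Sonar snippet).
 *              Place in wp-content/mu-plugins/ so it loads on every request.
 */

// 1. Remove the pingback methods from the XML-RPC server, so xmlrpc.php no
//    longer accepts pingback.ping, the call that makes WordPress issue the
//    outbound verification request to the URL supplied by the caller.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Report pings as closed for every post. This covers existing posts that
//    still have pingbacks enabled in their individual discussion settings,
//    which is the per-post condition the XML-RPC endpoint checks before it
//    makes any HTTP request.
add_filter( 'pings_open', '__return_false', 20 );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    blank the pingback URL that is printed as <link rel="pingback">, so
//    crawlers and other blogs are not pointed at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( string $output, string $show ): string {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After deploying, a POST to xmlrpc.php calling pingback.ping should return an XML-RPC fault reporting an unknown method, which is a quick check that the filter is active.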

Chauchefoin added: “Going public with unpatched bugs is exceptional for us and was a carefully considered decision. As we had proof that our finding collided with previous public work and that it would require significant work to weaponize against real-world environments, we believe that withholding details any longer would only disadvantage defenders.

“We would like to salute the efforts of the WordPress maintainers; even if we couldn’t reach the best outcome possible, backporting fixes for the software behind 40% of all websites is not trivial!”

Previous pingback issue

Another vulnerability in the pingback requests feature that allowed DDoS attacks was fixed by WordPress core in 2012.

The issue, reported by Acunetix, could be abused in multiple ways, researchers reported, and was fixed “as a public hardening ticket” in WordPress Core version shortly after discovery.
