Connect with us
X
Categories:

Technology

WordPress Core feature’s six-year-old blind SSRF vulnerability may allow DDoS assaults

Published

on

WordPress Core feature's six-year-old blind SSRF vulnerability may allow DDoS assaults
Share this post:

Issue present in pingback requests feature.

Researchers have gone public with a six-year-old blind server-side request forgery (SSRF) vulnerability in a WordPress Core feature that could enable distributed denial-of-service (DDoS) attacks.

In a blog post published this week (September 6), Sonar researchers detailed how they were able to exploit a vulnerability in the pingback requests feature within WordPress.

The vulnerability first surfaced in 2017, yet remains unpatched.

Pingback problem

Pingback requests allow WordPress authors to be notified when another website links to their blog.

The pingback functionality is exposed on the XMLRPC API, which can be accessed through the xmlrpc.php file. Using this method, other blogs can announce pingbacks.

This feature could enable attackers to perform DDoS attacks by maliciously asking thousands of blogs to check for pingbacks on a single victim server, Sonar researchers explained.

Although pingbacks can be turned off via a checkbox, they are still enabled by default on WordPress instances.

It’s worth noting, the researchers pointed out, that they “couldn’t generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services”.

Rather, the bug could ease the exploitation of other vulnerabilities in the affected organization’s internal network.

Bypassing restrictions

Thomas Chauchefoin, vulnerability researcher at Sonar and author of the blog, told Daily Swig: “In 2012, the risks around the pingback feature started to be known, and the WordPress maintainers introduced restrictions on the destination of such requests: they would be limited to a restricted set of ports, only public IP addresses, etc.

“In essence, our finding allows getting around some of these restrictions and targeting hosts from the local network. Attackers could use it to send requests to hosts that wouldn’t have been reachable otherwise, for instance, to exploit a vulnerability in internal services.”

He added: “This bug is in the lineage of most CVEs related to pingbacks, but the oldest indicator of a researcher documenting how to get around this specific restriction is from 2017.”

SonarSource researchers disclosed the issue to WordPress on January 21. It was acknowledged as a duplicate bug, according to Sonar, which was reported to the WordPress team in January 2017.

Chauchefoin added: “We reported the vulnerability on January 21 through the official channels, with a pretty standard 90-day disclosure policy. After agreeing to a 30-day extension period, we reviewed a first patch still waiting to be merged upstream. Our publication occurs 228 after our initial report.”

A WordPress Security Team spokesperson told The Daily Swig: “As identified in the Sonar blog post, this is a low-impact issue and exploiting it requires ‘[chaining] it to additional vulnerabilities in third-party software’.

“As such, the Security Team considers the issue a low priority.”

They added: “Because of its low severity, the team is discussing whether this issue could be fixed in public as a general hardening measure.”

Mitigation advice

WordPress told The Daily Swig that exploiting the bug requires “vulnerabilities in multiple systems outside of WordPress”, but that it recommends website owners always use the DNS servers provided by their hosting provider.

They added: “For the pingbacks, users can turn off pingbacks. The XMLRPC endpoint will only make the HTTP requests (detailed in the Sonar blog post) if pingbacks are open for the post being pinged.

“Website owners can (a) turn off pingbacks globally using the code snippet provided in the original post and/or (b) turn off pingbacks for their blog posts.”

Chauchefoin added: “Going public with unpatched bugs is exceptional for us and was a carefully considered decision. As we had proof that our finding collided with previous public work and that it would require significant work to weaponize against real-world environments, we believe that withholding details any longer would only disadvantage defenders.

“We would like to salute the efforts of the WordPress maintainers; even if we couldn’t reach the best outcome possible, backporting fixes for the software behind 40% of all websites is not trivial!”

Previous pingback issue

Another vulnerability in the pingback requests feature that allowed DDoS attacks was fixed by WordPress core in 2012.

The issue, reported by Acunetix, could be abused in multiple ways, researchers reported, and was fixed “as a public hardening ticket” in WordPress Core version shortly after discovery.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Benefits of Partnering with a Managed Security Service Provider
Technology1 month ago

Benefits of Partnering with a Managed Security Service Provider

Diya Can't Have Enough G-Wills
Music2 months ago

[Music] Diya – “Can’t Have Enough” Feat G-Wills

Email Newsletter Marketing Online Website
Technology3 months ago

The Vital Role of Email Fraud Detection Software

Roisea: Most Advanced Crypto Trading Platform for Bitcoin
Business3 months ago

The Role of Regulation in Crypto Investment: Navigating Legal Frameworks

Volatility in Commodities and How to Deal with It
Business3 months ago

Volatility in Commodities and How to Deal with It

Expanding Living Space
Lifestyle5 months ago

Expanding Living Space: Prefabricated Workshop Building Kits for Extra Rooms

BeBe Winans
Lyrics6 months ago

BeBe Winans – It All Comes Down to Love [Lyrics]

BeBe Winans
Music6 months ago

[Music] BeBe Winans – It All Comes Down to Love

The Countdown Begins to the Tournament That Has It All
ANE Football Analytical6 months ago

AFCON 2023: A Sporting Spectacle Set to Captivate the World

Litecoin: What Makes It The Crypto Winner?
Technology7 months ago

Runny Inflation Can Drive Cryptocurrency Adoption

Black and White French Bulldog puppies Frenchie Joy
Lifestyle7 months ago

Black and White French Bulldog puppies Frenchie Joy

3 Serious Reasons to Keep Your Teenager Away From Social Media
Lifestyle8 months ago

3 Serious Reasons to Keep Your Teenager Away From Social Media

Boxing vs MMA What Makes Them So Different
Sports8 months ago

Boxing vs MMA: What Makes Them So Different

Roisea: Most Advanced Crypto Trading Platform for Bitcoin
Technology8 months ago

NFTs and Intellectual Property Rights: Shaping Creative Ownership

The Birth of a Rugby Nation South Africas Love Affair with the Sport
Sports1 year ago

The Birth of a Rugby Nation: South Africa’s Love Affair with the Sport

A Beginner's Guide to Radicle (RAD): The Future of Peer-to-Peer Development
Technology1 year ago

A Beginner’s Guide to Radicle (RAD): The Future of Peer-to-Peer Development

Analysis of Nigeria's Renewable Energy Sector: Opportunities and Challenges
Technology1 year ago

Analysis of Nigeria’s Renewable Energy Sector: Opportunities and Challenges

Casino Gaming Poker
Sports1 year ago

What Are The Various Types Of Online Slots?

Luka Modric celebrates after scoring Real Madrid's second goal against Celta Vigo.
Sports1 year ago

Luka Modric set to join Ronaldo in Saudi Arabia’s Al Nassr

WHO World Health Organization
Health1 year ago

WHO debunks claims that tuberculosis is caused by witchcraft, poison

Atiku Abubakar
News1 year ago

2023 Election: Why DSS must arrest Fani-Kayode – Atiku

PDP Logo Umbrella
News1 year ago

PDP suspends National Chairman

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 03)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 02)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 01)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Complete Episodes)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 16)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 15)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 14)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 13)

ANE Billboard Hots