31% of WordPress sites are vulnerable to a DDoS attack even by a single machine

Started by gnh73, Jul 30, 2022, 01:26 AM


gnh73 (Topic starter)

It is important to note that exploitation of this vulnerability is illegal unless you have permission from the site owner.



A simple but very serious application-layer denial-of-service (DoS) vulnerability has been discovered in the WordPress CMS platform, which allows any user to bring down most WordPress websites, even from a single machine. This happens without the need to use a huge number of computers to fill up the bandwidth, as required by DDoS attacks, but with the same result.

Since the WordPress Foundation refused to fix the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years, including the latest stable version.

Barak Tawily, an Israeli security researcher, has discovered a vulnerability in which "load-scripts.php", an embedded script in the WordPress CMS, also handles user requests.

As designed, the load-scripts.php file is intended for administrators only and was created to help the site improve performance and load pages faster by concatenating (on the server) multiple JavaScript files into a single request.

However, in order for "load-scripts.php" to work on the admin login page (wp-login.php) prior to login, the WordPress developers do not provide an authentication mechanism, making the feature available to everyone.


Depending on the plugins and modules you have installed, the load-scripts.php file selectively calls the necessary JavaScript files by passing their names to the "load" parameter separated by a comma, such as the following URL:

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

When loading a site, "load-scripts.php" tries to find each JavaScript filename specified in the URL, appends its content to a single file, and then sends it to the user's browser.

How WordPress DoS Attack Works


According to the researcher, it is possible to have load-scripts.php call all practicable JavaScript files (181 scripts in total) in one pass by passing their names in the above URL. This will make the target site run a bit slower, requiring a high CPU and memory cost on the server.

    "There is a well-defined list ($wp_scripts) that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform the necessary I/O reads," says Tawily.

While a single request wouldn't be enough to put the entire site down for all visitors, Tawily used Python scripts to create a proof-of-concept (PoC). The doser.py he created makes a huge number of simultaneous requests to the same URL in an attempt to use as much of the server's CPU as possible and minimize the resources available to other users.

The Hacker News verified the authenticity of the DoS exploit by successfully taking down one of the WordPress demo sites running on a medium-sized VPS.

    "load-scripts.php does not require any authentication; any anonymous user can do so. After about 500 requests, the server no longer responded or returned 502/503/504 status codes," says Tawily.

However, a single-machine attack with up to 40 Mbps connectivity was not enough to cause a denial of service for another demo website running on a dedicated server with high processing power and plenty of memory.


This does not mean that the flaw is not effective against WordPress sites running on a powerful server, as an application-layer attack usually requires far fewer packets and much less bandwidth to achieve the attacker's goal.

Thus, hackers with more bandwidth or multiple bots could use this vulnerability to attack huge and popular WordPress websites.

Knowing that DoS vulnerabilities are outside the scope of the WordPress bug bounty program, Tawily responsibly reported this DoS vulnerability to the WordPress team through the HackerOne platform.

However, the company refused to acknowledge the issue, stating that such a bug is out of WordPress' control and "should be mitigated at the server or network level, not at the application level."

The vulnerability seems to be serious because about 31% of the sites on the Net use WordPress. This leaves millions of sites vulnerable to hаckers and potentially inaccessible to their users.

For sites that cannot afford services that offer protection against application-level attacks, the researcher has provided a forked version of WordPress that contains a patch for this vulnerability.
However, you should be aware of the risks of installing a modified CMS, even if you consider the source to be reliable. Apart from this, the researcher also released a simple bash script that fixes the issue in an existing WordPress installation.
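As an added example that is not part of the post above and is not the researcher's doser.py or any WordPress code: the following Python script shows what a defender can do with an ordinary access log to spot the request pattern described in this thread, namely anonymous hits on wp-admin/load-scripts.php (and its sibling load-styles.php, which takes the same load= list) whose load parameter lists an implausible number of handles, plus bursts of such requests from one client. The "combined" log format, the thresholds (MAX_HANDLES, MAX_PER_WINDOW, WINDOW), the client addresses, timestamps and the placeholder handle names in the sample log are all constructed assumptions; the only real handle names are the five taken from the URL in the post.

```python
"""Spot CVE-2018-6389-style abuse of load-scripts.php in an access log.

Added example; not code from the forum post, WordPress, or Tawily's doser.py.
The log format (Apache/nginx "combined"), the thresholds and every address,
timestamp and placeholder handle name in the sample log are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# load-styles.php takes the same load= list of handles, so watch both.
WATCHED_PATHS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")
MAX_HANDLES = 20               # assumed: real admin screens request far fewer than 181
WINDOW = timedelta(seconds=60)
MAX_PER_WINDOW = 25            # assumed: per-client budget for these endpoints


def parse_line(line: str) -> dict | None:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def watched_handles(target: str) -> list[str] | None:
    """Handles requested via load= or load[]= on a watched path, else None.

    Both spellings are accepted; parse_qs merges repeated keys and decodes
    the %5B%5D form of the brackets. Empty entries from doubled commas are dropped.
    """
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    qs = parse_qs(parts.query)
    values = qs.get("load", []) + qs.get("load[]", [])
    return [h.strip() for v in values for h in v.split(",") if h.strip()]


def analyze(lines):
    """Return oversized load= requests and per-IP bursts on the watched paths.

    oversized: (ip, ts, handle_count) for requests above MAX_HANDLES
    bursts:    ip -> peak number of watched requests in any WINDOW, if > MAX_PER_WINDOW
    """
    oversized = []
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        handles = watched_handles(rec["target"])
        if handles is None:
            continue
        hits[rec["ip"]].append(rec["ts"])
        if len(handles) > MAX_HANDLES:
            oversized.append((rec["ip"], rec["ts"], len(handles)))

    bursts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted stamps
            while ts - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > MAX_PER_WINDOW:
            bursts[ip] = peak
    return {"oversized": oversized, "bursts": bursts}


def build_sample_log() -> list[str]:
    """Constructed log: one normal admin request, then a 40-request flood."""
    base = datetime(2022, 7, 30, 1, 26, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} {size}'
    benign = fmt.format(
        ip="198.51.100.7", ts=base.strftime(TS_FMT), status=200, size=61240,
        target="/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,"
               "media-widgets,media-gallery",
    )
    # 181 handles: the five named in the post, padded with placeholder names
    handles = ["editor", "common", "user-profile", "media-widgets", "media-gallery"]
    handles += [f"placeholder-{i}" for i in range(176)]
    flood_target = "/wp-admin/load-scripts.php?c=1&load=" + ",".join(handles)
    flood = [
        fmt.format(ip="203.0.113.10", ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                   target=flood_target, status=200 if i < 10 else 503, size=0)
        for i in range(40)
    ]
    return [benign] + flood


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for ip, peak in report["bursts"].items():
        print(f"{ip}: {peak} load-scripts requests within {WINDOW.seconds}s")
    print(f"{len(report['oversized'])} requests asked for more than {MAX_HANDLES} handles")
```

Run it as-is to see the constructed flood flagged, or feed it real lines from access.log. The handle-count check is the cheap signal: a legitimate admin screen never asks for anything close to the full script list in one request, so a long load= value from a client that never logged in is worth a block rule on its own, while the per-client window catches the doser.py pattern even when each request is modest. Because the flood in the article showed up as 502/503/504 on the server side, the status column is left in the parsed record so you can correlate the two if you extend the script.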



neelseofast

Well, then simply deny access to that path, and open access along another one that redirects to the old path (rewrites, symlinks, try_files, etc.). Although if the links contain something like "/xxxxxxxxxxx", it will not help. Perhaps this is what was meant by "hardcore"?

Not only is load-scripts.php placed in the wp-admin folder, but also admin-ajax.php, to which Ajax requests come from the user. I don't know how it is on a bare engine, but with security plugins or some others, a request for guests to enter a password just falls out. So everything would have been closed long ago...

sam

I think that a third of the websites cannot be put on WordPress, just by pulling the longest requests in parallel.
For instance, a home page with a random part in the URL.
And some other percentage of sites will be charged more money for hosting.
On one of the projects, load testing was done with 700 threads from one virtual machine.
The response time grew from seconds to tens of seconds. And there will be an order of magnitude fewer people waiting 20-35 seconds for a response from the site.
Moreover, there may be a notification from the admin on 5xx.
And when the audience drops from the daytime 1500 people to the nighttime 150 in the middle of the working day, not all admins,
nor, for example, the sales department of an online store, will immediately start to worry.
The overall security situation is very sad.