posted by Fnord666 on Wednesday February 07 2018, @03:07PM
from the control-your-scripts dept.

Submitted via IRC for TheMightyBuzzard

As if there aren't enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress site with just one computer. That, he suggests, covers almost 30% of all websites on the internet.

The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as 'reserved' for future use. Details, however, can be found in a Barak Tawily blog post published Monday. It is an abuse of the WordPress load-scripts.php function, which exists to allow administrators/web designers to improve website performance by combining multiple JavaScript files into a single request at the server end.

[...] Tawily goes on to show that mitigation isn't really that difficult if you know what to do (which many WordPress users do not). He "forked WordPress project and patched it so no one but authenticated users can access the load-*.php files, without actually harming the wp-login.php file functionality." He goes further to provide a bash script that modifies the relevant files to mitigate the vulnerability.
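Added example, not code from the SecurityWeek article or from Tawily's fork: a small Python check that a defender can run over web-server access logs to spot sources hitting load-scripts.php / load-styles.php with unusually long `load[]` handle lists or an unusually high request count. The thresholds, the `modN` handle names and the sample log lines are constructed assumptions, not WordPress values or real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return {ip, path, handles} for a load-scripts/load-styles hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if not url.path.endswith(('/load-scripts.php', '/load-styles.php')):
        return None
    # WordPress passes the handle list as load[]=a,b,c (URL-encoded as load%5B%5D).
    values = parse_qs(url.query).get('load[]', [])
    handles = [h for v in values for h in v.split(',') if h]
    return {'ip': m['ip'], 'path': url.path, 'handles': len(handles)}

def flag_sources(log_text, max_handles=60, max_requests=20):
    """Per-IP summary of sources exceeding either threshold (assumed values)."""
    per_ip = defaultdict(lambda: {'requests': 0, 'max_handles': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec['ip']]
        stats['requests'] += 1
        stats['max_handles'] = max(stats['max_handles'], rec['handles'])
    return {ip: s for ip, s in per_ip.items()
            if s['requests'] > max_requests or s['max_handles'] > max_handles}

# --- Constructed sample log (not real traffic; 'modN' handles are placeholders) ---
def make_line(ip, sec, handles):
    return (f'{ip} - - [07/Feb/2018:15:01:{sec:02d} +0000] '
            f'"GET /wp-admin/load-scripts.php?c=1&load%5B%5D={",".join(handles)}&ver=4.9.2 HTTP/1.1" '
            f'200 96113 "-" "Mozilla/5.0"')

BENIGN = ['jquery-core', 'jquery-migrate', 'utils']   # a normal admin-page bundle
SUSPECT = [f'mod{i}' for i in range(80)]               # oversized handle list
SAMPLE_LOG = '\n'.join(
    [make_line('203.0.113.7', 2, BENIGN), make_line('203.0.113.8', 3, BENIGN)]
    + [make_line('198.51.100.23', 10 + i % 50, SUSPECT) for i in range(25)]
    + ['203.0.113.9 - - [07/Feb/2018:15:01:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
)
```

Calling `flag_sources(SAMPLE_LOG)` returns only the source whose requests exceed either threshold; tune the thresholds against a baseline of your own admin traffic before alerting on them.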

Source: http://www.securityweek.com/one-computer-can-knock-almost-any-wordpress-site-offline


  • (Score: 2) by Freeman (732) on Wednesday February 07 2018, @05:39PM (#634450) (3 children)

    So, you don't use ethernet on your network? Even my Point-to-Point Wireless + Wireless router has an ethernet cable from the point-to-point antenna to my router.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @07:19PM (#634500) (2 children)

    So, you don't use ethernet on your network? Even my Point-to-Point Wireless + Wireless router has an ethernet cable from the point-to-point antenna to my router.

    Are you nuts, old man? No one uses ethernet any more. It's completely unnecessary. We all use SDN on VMs and containers which makes *all* hardware completely unnecessary.

    Hardware is dead and gone. No one uses it any more, unless they're dinosaurs. What are you, like 40? Sheesh!

    *This message brought to you with the generous support of The TechnoMoron Alliance For Tech.

    • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @08:40PM (#634555) (1 child)

      I wrote the comment about one person being all it takes to fuck something up.

      where did i say there was no ethernet on modern networks? i said that even in the 90s, it was possible. i cited ethernet specifically since one server could push via broadcast or multicast and fuck up a bunch of things at once. token ring was used at the time too and couldn't get fucked up in the same way, but you could still try by getting a token to ethernet bridge to send over broadcasts into the ring and fuck things up that way

      and yeah you young people and your emulated wireless token ring clouds! try to run qos on token ring even though its supported via the commands! i dare you!

      • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @09:35PM (#634576)

        And the best part about token ring was the Boy George Connectors [wikipedia.org], both for the off-color jokes and the shielded, genderless connectors.

        Oh, and don't bogart that token, my friend. Pass it over here. With apologies to Little Feat [youtu.be].