SoylentNews is people

posted by Fnord666 on Wednesday February 07 2018, @03:07PM
from the control-your-scripts dept.

Submitted via IRC for TheMightyBuzzard

As if there aren't enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress site with just one computer. That, he suggests, is almost 30% of all websites on the internet.

The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as 'reserved' for future use. Details, however, can be found in a Barak Tawily blog post published Monday. It is an abuse of the WordPress load-scripts.php function, which exists to allow administrators/web designers to improve website performance by combining multiple JavaScript files into a single request at the server end.

[...] Tawily goes on to show that mitigation isn't really that difficult if you know what to do (which many WordPress users do not). He "forked WordPress project and patched it so no one but authenticated users can access the load-*.php files, without actually harming the wp-login.php file functionality." He goes further to provide a bash script that modifies the relevant files to mitigate the vulnerability.

Source: http://www.securityweek.com/one-computer-can-knock-almost-any-wordpress-site-offline


  • (Score: 2) by FatPhil (863) on Wednesday February 07 2018, @07:39PM (#634514)

    > fixable ... by *preparing* the merged files as part of the deployment stage

    Or have a hash of each component (so can include versioning), and create a [[zobrist hash]] of the combination in the request. Then have a cache mapping that zobrist hash onto an on-demand cache. (This falls to the randomly-changing-request hack, of course, but you can mitigate against that by actually working out what combinations you're prepared to serve and white-listing them - oh my, that might require effort, we're not prepared to expend effort!)

    That technique's (tm) (c) and (p) me, they may not use it. Because fuck Wordpress, who cause, or at least enable, so much shit on the internet.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
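The allow-listed, hash-keyed cache FatPhil sketches above, as an added example: a Python model of a load-scripts style handler, not WordPress code and not the commenter's own. The component names, versions, file contents and the comma-separated `load` parameter format are constructed for the demonstration.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-ins for script handles: name -> (version, file contents).
# A real endpoint would read these from disk; the contents are placeholders.
COMPONENTS: Dict[str, Tuple[str, bytes]] = {
    "jquery-core": ("3.1.1", b"/* jquery core */"),
    "jquery-migrate": ("1.4.1", b"/* jquery migrate */"),
    "underscore": ("1.8.3", b"/* underscore */"),
    "backbone": ("1.2.3", b"/* backbone */"),
}

def component_key(name: str) -> int:
    """64-bit key per component, derived from name and version, so a version
    bump changes the hash of every combination that includes it."""
    version, _ = COMPONENTS[name]
    digest = hashlib.sha256(f"{name}@{version}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def zobrist_hash(names) -> int:
    """Order-independent combination hash: XOR of the distinct component keys."""
    h = 0
    for name in set(names):
        h ^= component_key(name)
    return h

class BundleServer:
    """Serves only script combinations that were allow-listed ahead of time."""

    def __init__(self, allowed_bundles):
        # Allow-list keyed by zobrist hash; the ordered tuple is kept so the
        # concatenation order is the one the site actually prepared.
        self.allowed = {zobrist_hash(b): tuple(b) for b in allowed_bundles}
        self.cache: Dict[int, bytes] = {}
        self.builds = 0  # expensive concatenations actually performed

    def handle(self, load_param: str) -> Optional[bytes]:
        names = [n for n in load_param.split(",") if n]
        if not names or any(n not in COMPONENTS for n in names):
            return None  # unknown handle: rejected before any file work
        key = zobrist_hash(names)
        bundle = self.allowed.get(key)
        # Confirm membership as well as the hash, so a colliding or
        # duplicated request list cannot pass the allow-list check.
        if bundle is None or set(bundle) != set(names):
            return None
        if key not in self.cache:  # first request for this bundle builds it
            self.builds += 1
            self.cache[key] = b"\n".join(COMPONENTS[n][1] for n in bundle)
        return self.cache[key]
```

This enforces "what combinations you're prepared to serve" rather than the authentication gate in Tawily's patch; either way, an arbitrary request can no longer trigger unbounded concatenation work on the server.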