
posted by Fnord666 on Wednesday February 07 2018, @03:07PM
from the control-your-scripts dept.

Submitted via IRC for TheMightyBuzzard

As if there aren't enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress with just one computer. That, he suggests, is almost 30% of all websites on the internet.

The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as 'reserved' for future use. Details, however, can be found in a Barak Tawily blog post published Monday. It is an abuse of the WordPress load-scripts.php function, which exists to allow administrators/web designers to improve website performance by combining multiple JavaScript files into a single request at the server end.

[...] Tawily goes on to show that mitigation isn't really that difficult if you know what to do (which many WordPress users do not). He "forked WordPress project and patched it so no one but authenticated users can access the load-*.php files, without actually harming the wp-login.php file functionality." He goes further to provide a bash script that modifies the relevant files to mitigate the vulnerability.

Source: http://www.securityweek.com/one-computer-can-knock-almost-any-wordpress-site-offline



  • (Score: 3, Interesting) by PiMuNu on Wednesday February 07 2018, @03:42PM (4 children)

    by PiMuNu (3823) Subscriber Badge on Wednesday February 07 2018, @03:42PM (#634414)

    ... a colleague crashed our outlook server by emailing a massively recursively zipped file to himself. The email server crashed while trying to check the file for viruses. Nowadays of course that would probably be called "hacking" and result in a few years in jail (maybe only if the zip file was sent to a TLA).

    • (Score: 4, Interesting) by rts008 on Wednesday February 07 2018, @05:17PM (3 children)

      by rts008 (3001) on Wednesday February 07 2018, @05:17PM (#634436)

      ...a massively recursively zipped file...

      Ah yes, the old 'compression bomb' trick.

      I used to enjoy playing with these until one caused me to get a nasty letter from one of those 'let us probe your system for vulnerabilities' websites. (circa 1999-2000, IIRC)

      I had forgotten about a honeypot surprise on a storage drive the probing found, and triggered. They claimed it took them down, and offline for two days until back-ups could be restored. I was not impressed with their security, to have been affected by something like that.

      • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @06:25PM (2 children)

        by Anonymous Coward on Wednesday February 07 2018, @06:25PM (#634482)

        We had three similar ones on our website for a while in an attempt to slow people scanning. First was a Billion-Laughs XML file, second was a mess of files with tons of small iframes with their own iframes to 5 layers deep, and the third was a JavaScript file that would "deminify" into a massive dynamically generated file, which inserted all sorts of things into the DOM.

        • (Score: 4, Interesting) by FatPhil on Wednesday February 07 2018, @07:21PM (1 child)

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 07 2018, @07:21PM (#634502) Homepage
          Am I the only one who doesn't like the inefficiency of the billion laughs technique? Cost is 90+9L, usually that's a waste.
          I'm a proponent of 1162261467 laughs instead, in general, costing 57+19L, as often L<1, or the 1073741824 laughs attack, costing 60+15L, when L's 1.

          I guess I've lost almost everyone at this stage. I'll take my meds, I seem to be having a tern...
          --
          I know I'm God, because every time I pray to him, I find I'm talking to myself.

  • (Score: 5, Insightful) by Arik on Wednesday February 07 2018, @04:01PM

    by Arik (4543) on Wednesday February 07 2018, @04:01PM (#634418) Journal
    Quit trying to use all those crappy scripts.

    Take a look at a wordpress site sometime. Any of them. View source.

    The problem isn't the number of files, it's the number of lines of clunky at best, often byzantine and likely harmful, scripting they sneak into the simplest of documents.
    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @05:25PM (6 children)

    by Anonymous Coward on Wednesday February 07 2018, @05:25PM (#634442)

    it only takes one person to fuck something up without even trying.

    saying a computer can do it is just assumed to be normal since the 80s.

    One computer can mess up a mail merge and send the same invite 1400 times to the same person due to the same address label being printed, etc... numerous examples of that.

    just saying that one computer can push a config change is like saying admins do their jobs like it was the late 90s on an ethernet network.

    • (Score: 2) by Freeman on Wednesday February 07 2018, @05:39PM (3 children)

      by Freeman (732) on Wednesday February 07 2018, @05:39PM (#634450) Journal

      So, you don't use ethernet on your network? Even my Point-to-Point Wireless + Wireless router has an ethernet cable from the point-to-point antenna to my router.

      --
      Forced Microsoft Account for Windows Login → Switch to Linux.
      • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @07:19PM (2 children)

        by Anonymous Coward on Wednesday February 07 2018, @07:19PM (#634500)

        So, you don't use ethernet on your network? Even my Point-to-Point Wireless + Wireless router has an ethernet cable from the point-to-point antenna to my router.

        Are you nuts, old man? No one uses ethernet any more. It's completely unnecessary. We all use SDN on VMs and containers which makes *all* hardware completely unnecessary.

        Hardware is dead and gone. No one uses it any more, unless they're dinosaurs. What are you, like 40? Sheesh!

        *This message brought to you with the generous support of The TechnoMoron Alliance For Tech.

        • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @08:40PM (1 child)

          by Anonymous Coward on Wednesday February 07 2018, @08:40PM (#634555)

          I wrote the comment about one person being all it takes to fuck something up.

          where did i say there was no ethernet on modern networks? i said that even in the 90s, it was possible. i cited ethernet specifically since one server could push via broadcast or multicast and fuck up a bunch of things at once. token ring was used at the time too and couldn't get fucked up in the same way, but you could still try by getting a token to ethernet bridge to send over broadcasts into the ring and fuck things up that way

          and yeah you young people and your emulated wireless token ring clouds! try to run qos on token ring even though it's supported via the commands! i dare you!

          • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @09:35PM

            by Anonymous Coward on Wednesday February 07 2018, @09:35PM (#634576)

            And the best part about token ring was the Boy George Connectors [wikipedia.org], both for the off-color jokes and the shielded, genderless connectors.

            Oh, and don't bogart that token, my friend. Pass it over here. With apologies to Little Feat [youtu.be].

    • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @07:20PM (1 child)

      by Anonymous Coward on Wednesday February 07 2018, @07:20PM (#634501)

      I think the point is that this is a DOS not a DDOS. The latter requires more resources to exploit and is harder to defend against, the first is a serious flaw that shouldn't exist.

      • (Score: 0) by Anonymous Coward on Thursday February 08 2018, @11:28AM

        by Anonymous Coward on Thursday February 08 2018, @11:28AM (#634823)

        I think the point is that this is a DOS

        It's an ancient operating system?

        You surely mean "DoS" (with lowercase "o"). Compare IoT, IPoA, IPoAC, PoE, PPPoE, PvP, …

  • (Score: 2) by NotSanguine on Wednesday February 07 2018, @07:29PM (1 child)

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Wednesday February 07 2018, @07:29PM (#634509) Homepage Journal

    From TFS:

    The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as 'reserved' for future use.

    IIUC, once a vulnerability has been reported, Mitre generally assigns a CVE ID and "reserves" it for that vulnerability until they obtain and have time to include relevant data (usually including specifics of the vulnerability as well as sample exploits). As of this message (7 Feb 2018, 1924 GMT), Mitre appears to have added information about the vulnerability [mitre.org].

    The US National Vulnerability Database [nist.gov] *sometimes* has information sooner than the CVE database.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 3, Informative) by TheRaven on Thursday February 08 2018, @10:08AM

      by TheRaven (270) on Thursday February 08 2018, @10:08AM (#634804) Journal

      IIUC, once a vulnerability has been reported, Mitre generally assigns a CVE ID and "reserves" it for that vulnerability until they obtain and have time to include relevant data

      A lot of vulnerabilities are embargoed as well. The CVE is assigned so people know that they're talking about the same thing, but if the discoverer has done responsible disclosure then the details won't be published until after there's been a coordinated patch release.

      --
      sudo mod me up
  • (Score: 2) by FatPhil on Wednesday February 07 2018, @07:30PM (1 child)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 07 2018, @07:30PM (#634510) Homepage
    Everyone knows you always attack (DoS) a webserver using layer 7, not layer 4 (or 3). Make the fileserver and database server *work* towards its own destruction. This isn't even a particularly bad one, as I/O is cached, and it's easily fixable (at the logical level) by *preparing* the merged files as part of the deployment stage (what, don't makefiles which manage dependencies exist on your system? get a better system!), such that they are static file gets, and as such almost free.

    This is a better one - input validation error causes bug tracker to get knickers in a twist: https://securityboulevard.com/2018/02/how-we-found-exploited-a-layer-7-dos-attack-on-fogbugz/
    --
    I know I'm God, because every time I pray to him, I find I'm talking to myself.
    • (Score: 2) by FatPhil on Wednesday February 07 2018, @07:39PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 07 2018, @07:39PM (#634514) Homepage
      > fixable ... by *preparing* the merged files as part of the deployment stage

      Or have a hash of each component (so can include versioning), and create a [[zobrist hash]] of the combination in the request. Then have a cache mapping that zobrist hash onto an on-demand cache. (This falls to the randomly-changing-request hack, of course, but you can mitigate against that by actually working out what combinations you're prepared to serve and white-listing them - oh my, that might require effort, we're not prepared to expend effort!)

      That technique's (tm) (c) and (p) me, they may not use it. Because fuck Wordpress, who cause, or at least enable, so much shit on the internet.
      --
      I know I'm God, because every time I pray to him, I find I'm talking to myself.
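The mitigation FatPhil sketches in this comment and its parent (serve only bundles the deployment actually uses, keyed by an order-independent hash of component contents, so a cache of merged files stays bounded no matter how many distinct `load=` values are requested), written out as an added Python example. This is not WordPress code and not Tawily's patch; `SCRIPTS`, `ALLOWED_BUNDLES` and `BundleServer` are constructed stand-ins for a CMS's script files and its request handler.

```python
import hashlib

# Constructed stand-in for the JavaScript files a CMS would concatenate on demand.
SCRIPTS = {
    "jquery": "/* jquery stub */",
    "jquery-migrate": "/* jquery-migrate stub */",
    "utils": "function u() {}",
    "editor": "function e() {}",
}

# Only combinations the deployment actually uses are served; anything else is refused.
ALLOWED_BUNDLES = {
    frozenset({"jquery", "jquery-migrate"}),
    frozenset({"jquery", "utils", "editor"}),
}

MAX_LOAD_PARAM_LEN = 256  # cheap pre-check before any parsing work


def component_hash(name: str) -> int:
    """Content hash of one component, so a changed file changes every bundle key."""
    return int.from_bytes(hashlib.sha256(SCRIPTS[name].encode()).digest(), "big")


def bundle_key(names: frozenset) -> str:
    """Zobrist-style combination key: XOR of the component hashes.
    Request order does not matter, so permutations share one cache entry."""
    acc = 0
    for name in names:
        acc ^= component_hash(name)
    return f"{acc:064x}"


class BundleServer:
    def __init__(self) -> None:
        self.cache: dict[str, str] = {}  # bundle key -> concatenated source

    def handle(self, load: str) -> tuple[int, str]:
        """Validate a `load=` query value and return (HTTP status, body)."""
        if len(load) > MAX_LOAD_PARAM_LEN:
            return 400, "load parameter too long"
        names = frozenset(p for p in load.split(",") if p)
        if not names.issubset(SCRIPTS):
            return 400, "unknown script handle"
        if names not in ALLOWED_BUNDLES:
            return 403, "bundle not allow-listed"
        key = bundle_key(names)
        if key not in self.cache:  # at most len(ALLOWED_BUNDLES) entries can ever land here
            self.cache[key] = "\n".join(SCRIPTS[n] for n in sorted(names))
        return 200, self.cache[key]
```

Because unknown handles and non-allow-listed sets are rejected before any concatenation or caching happens, a stream of randomly varied requests costs only the validation step and never grows the cache.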
  • (Score: 0) by Anonymous Coward on Wednesday February 07 2018, @08:57PM

    by Anonymous Coward on Wednesday February 07 2018, @08:57PM (#634567)

    I've seen many sites crash and burn from *regular usage* and remain offline for days on end afterwards over the years.

  • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday February 08 2018, @01:33AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday February 08 2018, @01:33AM (#634605) Homepage Journal

    I told this story once before:

    scoop.kuro5hin.org got overrun by link spammers. Just out of curiosity I clicked one of the links.

    It took me to an ecommerce site that sold WordPress themes. Every last one of those themes was heart-achingly beautiful. It was quite clear that whoever rendered them did so with great love and care, and that they had an art school degree.

    Why does a site like this need to spam? I googled it.

    There was only one hit, just for the homepage and nothing else. I felt really bad for whoever hoped to better themselves by building that exquisite site. Surely there was a reason for this?

    At some point I clued in to looking at the homepage's HTML source. And there in the head element was a "rel='nofollow'" attribute that blocked the whole rest of the site from search bots.

    Doubtlessly WordPress's creators put that nofollow tag there to keep a lid on spammers. But also doubtlessly that nofollow tag crushes the dreams of those who do not know how to read source.

    --
    Yes I Have No Bananas. [gofundme.com]