Submitted via IRC for TheMightyBuzzard
As if there aren't enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress with just one computer. That, he suggests, is almost 30% of all websites on the internet.
The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as 'reserved' for future use. Details, however, can be found in a Barak Tawily blog post published Monday. It is an abuse of the WordPress load-scripts.php function, which exists to allow administrators/web designers to improve website performance by combining multiple JavaScript files into a single request at the server end.
[...] Tawily goes on to show that mitigation isn't really that difficult if you know what to do (which many WordPress users do not). He "forked WordPress project and patched it so no one but authenticated users can access the load-*.php files, without actually harming the wp-login.php file functionality." He goes further to provide a bash script that modifies the relevant files to mitigate the vulnerability.
Source: http://www.securityweek.com/one-computer-can-knock-almost-any-wordpress-site-offline
(Score: 0) by Anonymous Coward on Wednesday February 07 2018, @07:20PM (1 child)
I think the point is that this is a DOS not a DDOS. The latter requires more resources to exploit and is harder to defend against, the first is a serious flaw that shouldn't exist.
(Score: 0) by Anonymous Coward on Thursday February 08 2018, @11:28AM
It's an ancient operating system?
You surely mean "DoS" (with lowercase "o"). Compare IoT, IPoA, IPoAC, PoE, PPPoE, PvP, …