Message-ID: <002c01cd0ac8$5546e960$0100a8c0@ml>
Date: Sun, 25 Mar 2012 23:45:33 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Brute Force vulnerability in WordPress

Hello list!

There are many vulnerabilities in WordPress which have existed since version 2.0,
or even since the 1.x versions, and are still not fixed. So I want to warn you
about one of these holes. It is a Brute Force vulnerability via the XML-RPC
functionality in WordPress.

-------------------------
Affected products:
-------------------------

Vulnerable are WordPress 3.3.1 and previous versions.

----------
Details:
----------

Brute Force (WASC-11):

http://site/xmlrpc.php

In this functionality there is no protection against Brute Force attacks. By
sending the corresponding POST requests it is possible to guess the password.

Note that since WordPress 2.6 the XML-RPC functionality is turned off by
default. The WP developers did this because of vulnerabilities (such as SQL
Injection and others) which were found in this functionality, i.e. not as a
countermeasure against Brute Force, but it also worked as protection against
Brute Force attacks.

So this issue doesn't concern those who have used WordPress since version 2.6
with default settings. But those who need to use XML-RPC will have the
Brute Force vulnerability, because the developers didn't implement reliable
protection against it.

Earlier, in 2008 and 2010, I already wrote about Brute Force vulnerabilities in
WordPress (http://websecurity.com.ua/2007/ and http://websecurity.com.ua/4016/,
SecurityVulns ID: 10677), and this is another such vulnerability. Besides them
there is also a known BF attack not via the login form, but using the
authorization cookie (where by setting different cookies it is possible to
guess the password).

------------
Timeline:
------------

2012.03.20 - disclosed at my site.

I mentioned this vulnerability at my site (http://websecurity.com.ua/5723/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
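Added example, not part of MustLive's post: since the advisory's point is that xmlrpc.php accepts unlimited login attempts, one defender-side check is to scan the web server access log for bursts of POSTs to /xmlrpc.php from a single source. The log lines, IP addresses and threshold below are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, sec, method, path):
    # Builds one constructed log line; every request gets HTTP 200 on purpose (see below).
    return (f'{ip} - - [25/Mar/2012:23:40:{sec:02d} +0300] '
            f'"{method} {path} HTTP/1.1" 200 420 "-" "Mozilla/5.0"')

# Constructed sample: one client sends 6 POSTs to xmlrpc.php in 10 s; another is an
# ordinary reader that makes a single XML-RPC call (e.g. from a blogging client).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/xmlrpc.php") for s in range(0, 12, 2)]
    + [_line("198.51.100.9", 3, "GET", "/index.php"),
       _line("198.51.100.9", 4, "POST", "/xmlrpc.php")]
)

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path").split("?", 1)[0])

def find_xmlrpc_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak count of POSTs to /xmlrpc.php inside any `window`, for sources
    that reached `threshold`. Lines for a given IP must appear in time order.

    The HTTP status is deliberately ignored: WordPress answers a failed XML-RPC login with
    HTTP 200 and an XML <fault> in the body, so unlike wp-login.php there is no failure
    status to key on; request rate per source is the usable signal in an access log.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Running `find_xmlrpc_bursts(SAMPLE_LOG)` on the constructed log flags only 203.0.113.7; the threshold and window should be tuned to the site's legitimate XML-RPC client traffic (pingbacks, mobile apps) before using it for alerting or blocking.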

