| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 15 Apr 2012 23:55:02 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: DoS vulnerability in WordPress Hello list! I want to warn you new about security vulnerability in WordPress. This is Denial of Service vulnerability. Which exists in security functionality, which protects against Abuse of Functionality vulnerability in WordPress, which I've disclosed in 2009 and which was not fixed correctly. ------------------------- Affected products: ------------------------- If for previous AoF all versions of WordPress are vulnerable, then for DoS the versions 2.9 - 3.3.1 are vulnerable. ---------- Details: ---------- In WordPress 2.9 in December 2009, as was stated by developers of the engine [1], Abuse of Functionality vulnerability in WordPress [2] was fixed. Which could lead to DoS and in some cases to full takeover of the site (at presence of the installer at the site). WP developers said, that they made automated repairing of tables in DB. But last month I've found Denial of Service vulnerability in this security functionality of the engine and later also checked, that repairing of tables in DB isn't automated. But only admin of the site, when found that his site isn't working, need to manually start the repairing of tables (by using of script repair.php, which was added to WP, so no need to use other software). I.e. AoF vulnerability, which I've wrote about in May 2009, just was not fixed. And still possible to conduct attacks through it. DoS (WASC-10): By constantly sending requests to script http://site/wp-admin/maint/repair.php (functions "Repair Database" and "Repair and Optimize Database") it's possible to create overload at the site (and the whole server). And the more data in site's DB, the more load from every request. http://site/wp-admin/maint/repair.php?repair=1&_wpnonce=a4ca36d5ff http://site/wp-admin/maint/repair.php?repair=2&_wpnonce=a4ca36d5ff The attack will work at turned on WP_ALLOW_REPAIR in wp-config.php. Protection against CSRF (tokens) is bypassing, because for using of this functionality the authorization isn't required. So it's possible to get _wpnonce remotely and to conduct DoS attack. ------------ Timeline: ------------ 2012.03.24 - found the vulnerability during security audit. 2012.04.12 - disclosed at my site [3]. ---------------- References: ---------------- 1. WordPress 2.9 (http://wordpress.org/development/2009/12/wordpress-2-9/). 2. Attack on Abuse of Functionality in WordPress (http://websecurity.com.ua/3152/). 3. DoS vulnerability in WordPress (http://websecurity.com.ua/5745/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists