Date: Mon, 16 Apr 2012 13:11:55 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk, submissions@...ketstormsecurity.org
Subject: Re: DoS vulnerability in WordPress

On 04/15/2012 02:55 PM, MustLive wrote:
> DoS (WASC-10):
>
> By constantly sending requests to script
> http://site/wp-admin/maint/repair.php (functions "Repair Database"
> and "Repair and Optimize Database") it's possible to create
> overload at the site (and the whole server). And the more data in
> site's DB, the more load from every request.
>
> http://site/wp-admin/maint/repair.php?repair=1&_wpnonce=a4ca36d5ff
>
> http://site/wp-admin/maint/repair.php?repair=2&_wpnonce=a4ca36d5ff
>
> The attack will work when WP_ALLOW_REPAIR is turned on in
> wp-config.php. Protection against CSRF (tokens) is bypassed,
> because authorization isn't required to use this functionality.
> So it's possible to get _wpnonce remotely and to conduct
> DoS attack.

This appears to be intended functionality; by default I get:

"To allow use of this page to automatically repair database problems,
please add the following line to your wp-config.php file. Once this
line is added to your config, reload this page.

define('WP_ALLOW_REPAIR', true);"

So either an admin has to specifically configure this to allow it
anonymously, or exploitation requires administrative access. I don't
see any trust boundary being violated here.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
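The precondition both messages agree on is that WP_ALLOW_REPAIR has been switched on in wp-config.php. The following is an added example, not part of the original thread and not WordPress code: a Python check that reports whether a wp-config.php has a live (uncommented) define for that constant. The function names and sample configs are constructed for illustration, and it assumes the repair page honours the constant's truth value.

```python
import re
import sys

# Match PHP strings or comments. Strings are matched so they can be kept:
# a '//' or '#' inside a salt or URL must not be mistaken for a comment.
_TOKEN = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.DOTALL,
)
# define() is case-insensitive in PHP; the constant name is not.
_DEFINE = re.compile(
    r"""(?i:define)\s*\(\s*(['"])WP_ALLOW_REPAIR\1\s*,\s*([^)]*?)\s*\)"""
)
# Values PHP evaluates as false (assumption: the page tests truthiness).
_FALSY = {"false", "0", "null", "''", '""', "'0'", '"0"'}

def strip_php_comments(src):
    """Remove //, # and /* */ comments while leaving string literals intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "'\"" else "", src)

def repair_setting(src):
    """Raw value of the first live define (the first one wins in PHP), or None."""
    m = _DEFINE.search(strip_php_comments(src))
    return m.group(2) if m else None

def repair_page_exposed(src):
    """True when the repair page would be usable without logging in."""
    value = repair_setting(src)
    return value is not None and value.lower() not in _FALSY

# Constructed sample configs, not taken from any real site.
SAMPLE_ENABLED = "<?php\n$u = 'http://example.test/'; // url\ndefine('WP_ALLOW_REPAIR', true);\n"
SAMPLE_COMMENTED = (
    "<?php\n// define('WP_ALLOW_REPAIR', true);\n"
    "/* define('WP_ALLOW_REPAIR', true); */\n"
    "# define('WP_ALLOW_REPAIR', true);\n"
    "define('AUTH_KEY', 'a//b#c');\n"
)
SAMPLE_FALSE = '<?php define( "WP_ALLOW_REPAIR", FALSE );'

if __name__ == "__main__":
    # Usage: python check_repair.py /path/to/wp-config.php [...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            state = "EXPOSED" if repair_page_exposed(fh.read()) else "ok"
        print(f"{state}\t{path}")
```

The define is meant to be temporary, so a host that reports EXPOSED outside a maintenance window should have the line removed from wp-config.php.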