Full Disclosure mailing list archives

Re: DoS vulnerability in WordPress


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 16 Apr 2012 13:11:55 -0600


On 04/15/2012 02:55 PM, MustLive wrote:
> DoS (WASC-10):
>
> By constantly sending requests to the script
> http://site/wp-admin/maint/repair.php (functions "Repair Database"
> and "Repair and Optimize Database") it's possible to overload the
> site (and the whole server). And the more data in the site's DB,
> the more load from every request.
>
> http://site/wp-admin/maint/repair.php?repair=1&_wpnonce=a4ca36d5ff
>
> http://site/wp-admin/maint/repair.php?repair=2&_wpnonce=a4ca36d5ff
>
> The attack works when WP_ALLOW_REPAIR is turned on in
> wp-config.php. Protection against CSRF (tokens) is bypassed,
> because authorization isn't required to use this functionality. So
> it's possible to get the _wpnonce remotely and conduct a DoS
> attack.

This appears to be intended functionality, by default I get:

"To allow use of this page to automatically repair database problems,
please add the following line to your wp-config.php file. Once this
line is added to your config, reload this page.
define('WP_ALLOW_REPAIR', true);"

So either an admin has to specifically configure this to allow it
anonymously, or exploitation requires administrative access. I don't
see any trust boundary being violated here.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
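A defender-side check suggested by the exchange above, added here and not part of the thread: given combined-format web server access log lines, flag any client that repeatedly triggers the repair endpoint (repair=1 or repair=2) inside a short window, while ignoring plain views of the page. The sample log lines, TEST-NET addresses, threshold and window are constructed assumptions; only the path and nonce value come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Combined log format prefix: ip ident user [time] "method path proto"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
REPAIR_PATH = "/wp-admin/maint/repair.php"
REPAIR_MODES = {"1", "2"}  # repair=1 "Repair Database", repair=2 "Repair and Optimize Database"

def parse_line(line):
    """Return (ip, timestamp, request path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"]

def is_repair_run(path):
    """True only for requests that actually run a repair, not for merely viewing the page."""
    parts = urlsplit(path)
    return parts.path == REPAIR_PATH and parse_qs(parts.query).get("repair", [""])[0] in REPAIR_MODES

def flag_abusers(lines, threshold=5, window=60):
    """Map client IP -> total repair runs for every client that exceeded
    `threshold` runs within any `window`-second span (sliding window per IP)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_repair_run(rec[2]):
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample traffic (TEST-NET addresses); the nonce value is the one quoted in the report.
_LINE = '{ip} - - [16/Apr/2012:13:{mm:02d}:{ss:02d} -0600] "GET {path} HTTP/1.1" 200 512'
SAMPLE_LOG = (
    [_LINE.format(ip="203.0.113.7", mm=0, ss=s, path=REPAIR_PATH + "?repair=2&_wpnonce=a4ca36d5ff") for s in range(0, 24, 3)]  # 8 runs in 21 s
    + [_LINE.format(ip="198.51.100.3", mm=m, ss=0, path=REPAIR_PATH + "?repair=1&_wpnonce=a4ca36d5ff") for m in (5, 30, 55)]  # 3 runs, spread out
    + [_LINE.format(ip="198.51.100.3", mm=10, ss=0, path=REPAIR_PATH)]  # page view only, no repair triggered
    + [_LINE.format(ip="192.0.2.9", mm=12, ss=0, path="/wp-login.php")]  # unrelated request
)

if __name__ == "__main__":
    print(flag_abusers(SAMPLE_LOG))  # {'203.0.113.7': 8}
```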


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/