Vulnerability so simple, anyone could use it. Security researchers have discovered a flaw in open source CMS WordPress that would allow a hacker to take down a website through a DoS attack with a single machine.
According to a blog post, Israeli security researcher Barak Tawily said the flaw lies in how “load-scripts.php,” a built-in script in the WordPress CMS, processes user-defined requests.
The flaw exists in almost all versions of WordPress released in the last nine years, including the latest one (version 4.9.2). When the “load-scripts.php” script receives a parameter called load with the value ‘jquery-ui-core’, the CMS responds with the requested ‘jQuery UI Core’ JavaScript module.
“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user,” said Tawily.
While a single request would not overload a web server, Tawily showed how a proof-of-concept (PoC) Python script, called doser.py, could make many concurrent requests and take down a server.
“Load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” added Tawily.
The researcher contacted WordPress through HackerOne over the flaw. He said that after going back and forth about it a few times and trying to explain and provide a PoC, they refused to acknowledge it and claimed that: “This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.”
“So if you are currently using, or are about to use, WordPress, I would highly recommend you use the patched version,” he added.
Lee Munson, security researcher for Comparitech.com, told SC Media UK that given no patch is available, or likely to be any time soon, the onus appears to be on bloggers to arrange their own DDoS protection through their web hosts, “something that may be beyond the budgets of hobbyists and newly started businesses”.
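Because WordPress's position is that this should be handled at the server or network level, the practical defence is to spot and rate-limit clients that hammer load-scripts.php. The following is an added example, not code from the article, from Tawily or from WordPress: a small access-log analyser that counts requests to load-scripts.php per client IP inside a sliding time window and reports clients that exceed a threshold. The combined log format, the /wp-admin/ path prefix, the 10-second window, the threshold of 50 and the sample log lines are all assumptions constructed for illustration; tune the numbers to your own traffic.

```python
"""Flag client IPs that hammer WordPress's load-scripts.php.

Added example (not code from the article or from WordPress). Parses
nginx/Apache "combined" access-log lines and reports clients whose
requests to load-scripts.php exceed a threshold within a sliding window.
Path prefix, window, threshold and sample data are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_bursts(lines, path_marker="load-scripts.php", window_s=10, threshold=50):
    """Return {ip: peak_count} for clients whose requests to `path_marker`
    exceed `threshold` within any `window_s`-second sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of matching requests in window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the analyser
        ip, ts, path, _status = parsed
        if path_marker not in path:
            continue  # only the endpoint under discussion counts
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _mk(ip, second, path="/wp-admin/load-scripts.php?load=jquery-ui-core", status=200):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [05/Feb/2018:10:15:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


# Constructed sample log: one client issuing 60 requests within six seconds,
# one ordinary visitor fetching the script twice, one unrelated page hit,
# and one malformed line.
SAMPLE_LOG = (
    [_mk("203.0.113.7", s // 10) for s in range(60)]
    + [_mk("198.51.100.5", 0), _mk("198.51.100.5", 30)]
    + [_mk("198.51.100.5", 31, path="/index.php")]
    + ["this line is not an access-log entry"]
)

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests to load-scripts.php within one window")
```

Feeding real logs through find_bursts gives the list of source addresses that a web-server rate-limit rule or firewall block should target; the per-client window also keeps a normal visitor, who fetches the script once per page load, well below the threshold.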
“With over a quarter of the sites on the web running on WordPress, it may be time for low traffic bloggers to consider an alternative content management system for their wordsmithing.”
Ben Herzberg, head of threat research at Imperva, said that this new vulnerability effectively renders the WordPress core susceptible to DoS attacks.