[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] DoS vulnerability in WordPress



Hello list!

I want to warn you new about security vulnerability in WordPress.

This is Denial of Service vulnerability. Which exists in security
functionality, which protects against Abuse of Functionality vulnerability
in WordPress, which I've disclosed in 2009 and which was not fixed
correctly.

-------------------------
Affected products:
-------------------------

If for previous AoF all versions of WordPress are vulnerable, then for DoS
the versions 2.9 - 3.3.1 are vulnerable.

----------
Details:
----------

In WordPress 2.9 in December 2009, as was stated by developers of the engine
[1], Abuse of Functionality vulnerability in WordPress [2] was fixed. Which
could lead to DoS and in some cases to full takeover of the site (at
presence of the installer at the site). WP developers said, that they made
automated repairing of tables in DB.

But last month I've found Denial of Service vulnerability in this security
functionality of the engine and later also checked, that repairing of tables
in DB isn't automated. But only admin of the site, when found that his site
isn't working, need to manually start the repairing of tables (by using of
script repair.php, which was added to WP, so no need to use other software).
I.e. AoF vulnerability, which I've wrote about in May 2009, just was not
fixed. And still possible to conduct attacks through it.

DoS (WASC-10):

By constantly sending requests to script
http://site/wp-admin/maint/repair.php (functions "Repair Database" and
"Repair and Optimize Database") it's possible to create overload at the site
(and the whole server). And the more data in site's DB, the more load from
every request.

http://site/wp-admin/maint/repair.php?repair=1&_wpnonce=a4ca36d5ff

http://site/wp-admin/maint/repair.php?repair=2&_wpnonce=a4ca36d5ff

The attack will work at turned on WP_ALLOW_REPAIR in wp-config.php.
Protection against CSRF (tokens) is bypassing, because for using of this
functionality the authorization isn't required. So it's possible to get
_wpnonce remotely and to conduct DoS attack.

------------
Timeline:
------------

2012.03.24 - found the vulnerability during security audit.
2012.04.12 - disclosed at my site [3].

----------------
References:
----------------

1. WordPress 2.9 (http://wordpress.org/development/2009/12/wordpress-2-9/).
2. Attack on Abuse of Functionality in WordPress
(http://websecurity.com.ua/3152/).
3. DoS vulnerability in WordPress (http://websecurity.com.ua/5745/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/