Thread: WordPress Doesn't Care About Security Issues - XML-RPC Exploits Still NOT Fixed 4.4.x

  1. #1

    WordPress Doesn't Care About Security Issues - XML-RPC Exploits Still NOT Fixed 4.4.x

    Hi Guys,

    If you run WordPress, you may want to help prevent a denial of service (DoS) attack against the server you're hosted on by installing the Disable XML-RPC Pingback Plugin on your WordPress installation. WordPress doesn't seem to want to fix the issue in their base code. This is a security issue. Bogus XML-RPC requests load the WordPress database several times in a short period of time, which apparently uses a ton of resources on each initialization. Compound that with 4+ of the same bogus requests within a second, and your server load is off the charts. 4-5 requests per second shouldn't result in a denial of service, especially since nginx is supposedly capable of handling 10,000+ simultaneous connections. Don't get too excited yet; it also affects apache2 just the same. I wouldn't hold out much hope though. WordPress doesn't seem interested in fixing this important problem. It affects all versions of WordPress including the latest 4.4.1 release.

    Pingbacks in general should be completely disabled by default in my opinion. It's a feature that has obviously not been well thought out or secured against attacks. What WordPress should really do is not process bogus pingback requests in the first place. It looks like the database schema may need optimization. WordPress needs to figure out a way to load the minimal amount of data as quickly as possible from the database to determine whether or not the pingback request being sent is bogus.

    I had to post about this here on X-null since my original forum thread has been closed and censored. I'm sure it will probably be deleted soon since I will be banned from WordPress, so just in case, I've saved it here.

    If anyone actually cares or just wants some hardly exciting drama, get out the popcorn now. I'm pretty sure I'm gonna get banned because I'm calling out the moderator that locked my thread here.
    Browse MOHAA Servers Post GameSpy Era

    VISIT MOHREBORN.COM FOR LATEST INFORMATION



    Medal of Honor: Game Server Browser Fixer - Patches your MOHAA, MOHSH, and MOHBT game binaries to allow you to retrieve a list of game servers within the multi-player menu in-game even after GameSpy ceases operation!

    Medal of Honor: Query Launcher - Find, browse, organize, join, get your ping, and get more information regarding all Medal of Honor (AA, SH, & BT) servers from your PC at any time!
    Medal of Honor: Web Server Master List - Find and browse all Medal of Honor servers online using your browser!
    Add your Medal of Honor Server to the Master List
    YouTube Video for Medal of Honor: Query Launcher and MOHAASERVERS.TK!



    MOHAA Mods and Utilities
    OwN-3m-All's Mods
    Make Me Stock - A program that allows you to easily move-in and move-out non-stock mods and other files at the click of a button. Automates adding / removing mods without having to copy / move files manually.



    Quality Game Servers

    Rent dedicated Dallas Texas, Kansas City, Las Vegas Nevada, Chicago, Pennsylvania, and Sofia Bulgaria MOHAA and other game servers from We Be HostiN starting at $10 a month.


  2. #2
    Administrator James
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180


    Can you try tracing through that plugin/module to see where it's being exploited?

  3. #3


    Quote Originally Posted by James View Post
    Can you try tracing through that plugin/module to see where it's being exploited?
    The plugin disables the function(s) responsible for the logic behind handling these POST requests that put such a high load on the server. I could investigate it myself, but I don't really want to. The WordPress code base is kind of a mess. I could probably fix it myself if I really wanted to, but I'd just as soon quit using WordPress than invest time into this project when I have more important things to work on.

    But alas, maybe I will have to jump into action.

    I've just never seen such disregard from a development team for a security issue as important as this to not be looked at as quickly as possible. They're literally leaving the possibility for servers to be attacked open with every installation of WordPress. All it takes is a few hackers databasing and exploiting this attack to make servers work extra hard for no reason which becomes a denial of service for legit requests that are slowed to a crawl from the server being overworked.

  4. #4
    Purple Developer Purple Elephant1au
    Join Date
    Feb 2012
    Location
    Australia
    Posts
    1,269


    Interesting read...

    They do seem to be a bit put off and reluctant to take responsibility for an error in their code, and yes, there probably should be a better way for it to be tackled.

    The problem in their code doesn't seem to be the main issue that's coming from the thread though; it's more the fact that they know the exploit exists but have no real desire to fix it, which is bad. It would only take a couple of developers a small amount of time to find some kind of fix, even if it is only temporary until the REST API replaces it, which seems to be their main focus.

    I have a small VPS set up for uni work I needed for a subject which has WordPress installed; it will be interesting to see if it was exploited on my test website.

    Purple's Playground
    OBJ :
    103.29.85.127:12203
    xfire: purpleelephant1au
    email: purpleelephant1au@gmail.com
    skydrive: PurpleElephantSkydrive




  5. #5


    Quote Originally Posted by Purple Elephant1au View Post
    Interesting read...

    They do seem to be a bit put off and reluctant to take responsibility for an error in their code, and yes, there probably should be a better way for it to be tackled.

    The problem in their code doesn't seem to be the main issue that's coming from the thread though; it's more the fact that they know the exploit exists but have no real desire to fix it, which is bad. It would only take a couple of developers a small amount of time to find some kind of fix, even if it is only temporary until the REST API replaces it, which seems to be their main focus.

    I have a small VPS set up for uni work I needed for a subject which has WordPress installed; it will be interesting to see if it was exploited on my test website.
    You'll only see it being exploited under the following conditions:

    Someone is attacking you all the time sending the same pingback request (maybe 4 requests per second).
    Your server load is abnormally high.

    I've seen several IPs and connections trying to exploit this on my server.

    I think I must have a lot of enemies or people who don't like me. Haters gonna hate.
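    As an added example (not code from the thread, the plugin, or WordPress), here is a small detector for the pattern described in post #1 and in the two conditions above: repeated POST requests to /xmlrpc.php from one source at roughly four or more per second. It assumes the nginx/Apache "combined" access-log format; the log lines below are constructed, not captured traffic.

    ```python
    import re
    from collections import defaultdict
    from datetime import datetime

    # Constructed sample lines in the nginx/Apache "combined" log format (not real traffic).
    # 203.0.113.5 sends five pingback POSTs within one second; 198.51.100.9 sends three
    # spread over two seconds; 192.0.2.7 only fetches the front page.
    SAMPLE_LOG = """\
    203.0.113.5 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    203.0.113.5 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    198.51.100.9 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    203.0.113.5 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    192.0.2.7 - - [30/Jan/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
    203.0.113.5 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    198.51.100.9 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    203.0.113.5 - - [30/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    198.51.100.9 - - [30/Jan/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
    this line is not a valid log record
    """

    LINE_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
    )

    def parse_line(line):
        """Return (ip, second-resolution timestamp, method, path) or None for unparseable lines."""
        m = LINE_RE.match(line)
        if m is None:
            return None
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        return m['ip'], ts, m['method'], m['path'].split('?', 1)[0]

    def find_xmlrpc_floods(lines, threshold=4):
        """Map each source IP that POSTs to /xmlrpc.php at least `threshold` times
        within one clock second to its peak per-second count."""
        per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            ip, ts, method, path = rec
            if method == 'POST' and path == '/xmlrpc.php':
                per_second[ip][ts] += 1
        peaks = {ip: max(counts.values()) for ip, counts in per_second.items()}
        return {ip: peak for ip, peak in peaks.items() if peak >= threshold}

    if __name__ == '__main__':
        for ip, peak in find_xmlrpc_floods(SAMPLE_LOG.splitlines()).items():
            print(f'{ip}: {peak} xmlrpc.php POSTs in one second (threshold 4)')
    ```

    Feed it real lines (for example `find_xmlrpc_floods(open('/var/log/nginx/access.log'))`) to list the sources worth rate-limiting or blocking at the web server while the plugin handles the application side.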

  6. #6
    Developer RyBack
    Join Date
    Apr 2014
    Location
    In Front of the screen
    Posts
    1,603


    Maybe the WordPress team wants the exploit to exist?
    Like if they left that exploit for this purpose: attack anybody's blog at any time?
    Like a kind of special power. They can use the exploit as long as it won't get famous. Once it does and more people are damaged, they fix it.
    I like my theory.

  7. #7


    When people start to stop using the software, they will fix it.
