DDoS attack that affects all versions of WordPress

All versions of the last 9 years are vulnerable

0 179

Thehackernews.com website published a vulnerability last month that allows a simple but serious DDoS attack in WordPress. The vulnerability allows the attack to succeed even with a machine, without consuming a large amount of bandwidth.

The vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress published in the last nine years, including the latest stable version of WordPress (Version 4.9.4). Discovered by Israeli security researcher Barak Tawily, the vulnerability lies in loading the file “load-scripts.php”.

The load-scripts.php file was only designed so that administrators can improve performance and load the page faster, by combining several JavaScript files into a single request.

However, to make “load-scripts.php” work on the administrator login page (wp-login.php) before logging in, WordPress authors did not keep any authentication in place, which eventually made the function accessible to anyone.

ataque DDoS en WordPress

Depending on the add-ons and modules that are installed, the load-scripts.php file selectively calls the necessary JavaScripts by passing their names to the “load” parameter, separated by a comma, as in the following:


How WordPress DDoS Attack works

Error causado por ataque DDoS en WordPress

According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (that is, 181 scripts) at one time by passing their names to the previous URL, causing the target website to be slightly slow consuming a large CPU and server memory.

“There is a well-defined list ($ wp_scripts), which users can request as part of the load [] parameter. If the requested value exists, the server will perform an I / O reading action for a well-defined path associated with the value supplied by the user, “says Tawily.

Although a single application is not enough to tear down a whole website. Tawily used a test python script. This makes a large number of concurrent requests to the same URL in an attempt to use exhausting the server’s CPU resources.

The Hacker News has verified the authenticity of the DDoS exploit. Which left out service one of their test websites, which run on a medium VPS.

“It’s time to mention once again that load-scripts.php does not require any authentication, an anonymous user can do it. ~ After 500 requests, the server did not respond at all, or returned a 503 error, sometimes 502 or 504 “says Tawily.

However, the attack from a single machine, with a connection of 40 Mbps, was not enough to knock down another demonstration website on a dedicated server with high processing capacity and memory.

Error causado por ataque DDoS en WordPress

This does not mean that the failure is not effective against websites that run on a shared server. Such an attack generally requires much less packets and bandwidth to knock out the server. Therefore, attackers with more bandwidth or some bots can exploit attacking large and popular sites.

DDoS Attack Mitigation Guide

Along with full disclosure, Tawily has also provided a video demonstration of the DDoS attack. You can watch the following video to see the attack in action:

DDoS vulnerabilities are beyond the reach of the WordPress bug rewards program. In any case Tawily responsibly reported this vulnerability to the WordPress team, through HackerOne. However, the company refused to acknowledge the problem. He also said that this error “should be mitigated at the level of the server or the network, instead of the application.”

The vulnerability seems to be serious because WordPress is the CMS present in 29% of all existing web pages. This places millions of websites vulnerable to cyber attacks.

For websites that can not afford the services that offer protection against a DDoS attack in the application layer, the researcher has provided a bifurcated version of WordPress, which includes mitigation against this vulnerability.

In addition to this, the researcher has also launched a simple script bash that solves the problem, in case you have already installed WordPress.

Leave A Reply

Do NOT follow this link or you will be banned from the site!