Информационная безопасность
[RU] switch to
English Version

  

Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  XSS and Blind SQL Injection Vulnerabilities in ExponentCMS

  Chengdu Bureau of Commerce - SQL Injection Vulnerability

  Havalite CMS v1.0.4 - Multiple Web Vulnerabilities

  IPhone TreasonSMS - HTML Inject & File Include Vulnerability

From:MustLive <mustlive_(at)_websecurity.com.ua>
Date:23 апреля 2012 г.
Subject:DoS vulnerability in WordPress

Hello 3APA3A!


I want to warn you new about security vulnerability in WordPress.

This is Denial of Service vulnerability. Which exists in security functionality, which protects against Abuse of Functionality vulnerability in WordPress, which I've disclosed in 2009 and which was not fixed correctly.

-------------------------
Affected products:
-------------------------

If for previous AoF all versions of WordPress are vulnerable, then for DoS the versions 2.9 - 3.3.1 are vulnerable.

----------
Details:
----------

In WordPress 2.9 in December 2009, as was stated by developers of the engine [1], Abuse of Functionality vulnerability in WordPress [2] was fixed. Which could lead to DoS and in some cases to full takeover of the site (at presence of the installer at the site). WP developers said, that they made automated repairing of tables in DB.

But last month I've found Denial of Service vulnerability in this security functionality of the engine and later also checked, that repairing of tables in DB isn't automated. But only admin of the site, when found that his site isn't working, need to manually start the repairing of tables (by using of script repair.php, which was added to WP, so no need to use other software). I.e. AoF vulnerability, which I've wrote about in May 2009, just was not fixed. And still possible to conduct attacks through it.

DoS (WASC-10):

By constantly sending requests to script http://site/wp-admin/maint/repair.php (functions "Repair Database" and "Repair and Optimize Database") it's possible to create overload at the site (and the whole server). And the more data in site's DB, the more load from every request.

http://site/wp-admin/maint/repair.php?repair=1&_wpnonce=a4ca36d5ff

http://site/wp-admin/maint/repair.php?repair=2&_wpnonce=a4ca36d5ff

The attack will work at turned on WP_ALLOW_REPAIR in wp-config.php. Protection against CSRF (tokens) is bypassing, because for using of this functionality the authorization isn't required. So it's possible to get _wpnonce remotely and to conduct DoS attack.

------------
Timeline:
------------

2012.03.24 - found the vulnerability during security audit.
2012.04.12 - disclosed at my site [3].

----------------
References:
----------------

1. WordPress 2.9 (http://wordpress.org/development/2009/12/wordpress-2-9/).
2. Attack on Abuse of Functionality in WordPress (http://websecurity.com.ua/3152/).
3. DoS vulnerability in WordPress (http://websecurity.com.ua/5745/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород

 
 



Rating@Mail.ru