#13 - Unpatched DoS Flaw on WordPress
Jorge Rodriguez - Ethical Hacker


Although it may seem surprising, a single machine can mount a denial-of-service attack against your website.

WordPress has declined to patch the vulnerability (CVE-2018-6389), which affects practically every WordPress release of the last nine years, including, curiously enough, the latest stable version at the time of writing (4.9.2).


The vulnerability resides in the way "load-scripts.php", a built-in script of the WordPress CMS, handles user-supplied requests.


The purpose of load-scripts.php is to let site administrators improve page load performance by combining, on the server side, multiple JavaScript files into a single HTTP response.


The catch is that load-scripts.php also has to work on the admin login page (wp-login.php), that is, before anyone has logged in, so the WordPress developers put no authentication in front of it, which makes the feature accessible to anyone.



Depending on which plugins and modules are installed, WordPress requests the required JavaScript files from load-scripts.php by passing their names in the load parameter, separated by commas, as in the following URL:

https://xyz.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

When a page loads, load-scripts.php looks up each JavaScript handle given in the URL, appends the contents of the corresponding files into a single response and sends it back to the user's browser.


And how does the DoS attack work?

For example, you can force load-scripts.php to read every registered JavaScript file in one go by passing all of their names in the load parameter of the URL above; a single such request already makes the target noticeably slower by consuming CPU and memory on the server.

There is a well-defined list of registered script handles ($wp_scripts) that users can request through the load (or load[]) parameter. For every requested value that exists in the list, the server performs a file read on the well-defined path associated with that value, so the cost of a request grows with the number of valid handles it names.

But it is not quite that simple: one request will not bring a server down. In practice you run a proof-of-concept (PoC) Python script, doser.py, which fires a large number of concurrent requests at the same URL in an attempt to consume as much of the target server's CPU as possible and knock it offline.
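The two ingredients above, oversized load lists and a flood of them from one client, are also what you would look for in the web server's access log. The following is an added example written for this post, not code from the article or from WordPress: it re-implements the handle parsing that load-scripts.php applies (strip everything outside [a-z0-9,_-], split on commas, drop duplicates) and runs a simple detector over constructed combined-format log lines. The thresholds, the log lines, the IP addresses and the made-up handle names (handle0, handle1, ...) are assumptions of the example; the handling of load[] is the example's own choice and does not claim to match WordPress exactly.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Threshold assumptions for this example (not from the article): a legitimate
# admin page asks load-scripts.php for a dozen or two handles, so far more in
# one request, or a burst of such requests from one client, is the pattern
# doser.py produces against CVE-2018-6389.
MAX_HANDLES_PER_REQUEST = 40
MAX_REQUESTS_PER_WINDOW = 15
WINDOW_SECONDS = 10

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def requested_handles(query):
    """Derive handle names from the query string the way load-scripts.php does:
    characters outside [a-z0-9,_-] are stripped, the value is split on commas
    and duplicates are dropped (array_unique). Values of load= and load[]= are
    both accepted here and joined with commas (this example's own choice)."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key in ("load", "load[]", "load%5B%5D"):
            values.append(unquote(value))
    cleaned = re.sub(r"[^a-z0-9,_-]+", "", ",".join(values), flags=re.IGNORECASE)
    return list(dict.fromkeys(h for h in cleaned.split(",") if h))


def parse_line(line):
    """Parse one combined-format log line into ip, time, path and query."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": when, "path": path, "query": query}


def find_load_scripts_abuse(lines):
    """Return (ip, reason) findings: oversized load lists and per-IP bursts."""
    findings = []
    recent = defaultdict(deque)  # ip -> timestamps of its recent load-scripts.php hits
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/load-scripts.php"):
            continue
        handles = requested_handles(rec["query"])
        if len(handles) > MAX_HANDLES_PER_REQUEST:
            findings.append((rec["ip"], f"oversized request: {len(handles)} handles"))
        window = recent[rec["ip"]]
        window.append(rec["time"])
        while (rec["time"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_REQUESTS_PER_WINDOW:
            findings.append((rec["ip"], f"burst: {len(window)} requests in {WINDOW_SECONDS}s"))
            window.clear()  # re-arm: a sustained flood yields one finding per burst, not per hit
    return findings


# Constructed handle list for the sample: a few real WordPress handles plus
# made-up names standing in for the rest of the $wp_scripts registry.
ATTACK_HANDLES = ["editor", "common", "user-profile", "media-widgets", "media-gallery"] + [
    f"handle{i}" for i in range(45)
]


def sample_log():
    """Constructed access-log lines (not real traffic): two normal admin page
    loads from one client, then a doser.py-style burst from another."""
    base = datetime(2018, 2, 5, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset, query):
        t = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return (f'{ip} - - [{t}] "GET /wp-admin/load-scripts.php?c=1&{query} HTTP/1.1" '
                f'200 41233 "-" "Mozilla/5.0"')

    normal = "load=jquery,common,admin-bar,utils&ver=4.9.2"
    attack = "load=" + ",".join(ATTACK_HANDLES) + "&ver=4.9.2"
    lines = [line("198.51.100.7", 0, normal), line("198.51.100.7", 30, normal)]
    lines += [line("203.0.113.5", 60 + i * 0.3, attack) for i in range(20)]
    return lines


if __name__ == "__main__":
    for ip, reason in find_load_scripts_abuse(sample_log()):
        print(ip, reason)
```

Run against the constructed sample, the normal client produces no findings, while the flooding client is reported once for each oversized request and once when its request rate crosses the window threshold. The sanitising step matters for the detector as much as for the server: a value such as ../../etc/passwd collapses to the harmless handle name etcpasswd, which is why this bug is a resource-exhaustion problem and not a file-read one.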

Obviously, the larger the website, the more attack power we need, and with it more bandwidth. It remains alarming because a modest botnet with ordinary bandwidth on each node could take down large servers hosting WordPress without any trouble.

WordPress refuses to do anything about it. Their position is that this kind of bug "should really get mitigated at the server end or network level rather than the application level", which is outside of WordPress's control.


And what's the solution?

A simple bash script that patches the issue on an existing WordPress installation has also been published:

https://github.com/Quitten/WordPress/blob/master/wp-dos-patch.sh

Bear in mind that this edits WordPress core files, so the next core update will overwrite the change and the patch has to be re-applied. A more durable option is the kind of control WordPress itself points to: a web server or WAF rule that rate-limits requests to /wp-admin/load-scripts.php (and to load-styles.php, which concatenates stylesheets the same way) per client, or that rejects requests whose load parameter lists far more handles than any admin page needs. Simply requiring a login for load-scripts.php is not enough on its own, because the login page itself depends on it.

Gregory Kennedy

AI Engineering | AI Research & Development | AI/LLM Finetuning | AI Training | Fmr Silicon Valley Engineer | Award-Winning Filmmaker

6 years

Yes this is awesome Jorge Rodriguez, also learned something new. Thanks.

Reply

Bennett Dirk

It's #BlockchainBeardGuy - Web 3.0 Speaker/Writer/Designer - "Nothing is more persuasive than gratitude..." :)

6 years

This is awesome Jorge! Thanks for writing this, I just learned so much!
