OLX: load scripts DOS vulnerability

2019-09-13T14:58:42
ID H1:694467
Type hackerone
Reporter badis
Modified 2020-03-19T15:34:31

Description

1) vulnerability description

WordPress allows users to load multiple JS files and CSS files through load-scripts.php files at once. For example, https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, file load-scripts.php will load jquery-ui-core and editor files automatically and return the contents of the file.

However, the number and size of files are not restricted in the process of loading JS files, attackers can use this function to deplete server resources and launch denial of service attacks.

(check references for more details about the vulnerability) 2) attack details

*affected link : http://blog.praca.olx.pl/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core&ver=4.9.1

*proof of concept ( description );

the load-scripts.php file was receiving a parameter called load[]. This parameter is an array that was receiving the names of the JS files that needed to be loaded. In this case, it was receiving jQuery UI Core, which is the name of one of the Javascript files used by the WordPress login page. (it can be longer, this is just an example) As no rate-limiting is setup for this URL - then DoS comes real

*proof of concept ( link ) ; http://blog.praca.olx.pl/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core&ver=4.9.1

3) how to fix

The web application firewall will mitigate attacks by adding the following to .htaccess -file:

<Files load-scripts.php>

Order allow, deny

Deny from all

</Files>

4) vulnerability classification:

*owasp 2017 top 10 (A9 Using Components with Known Vulnerabilities )

*CVE( Common Vulnerabilities and Exposures ) : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

5) references:

https://blog.threatpress.com/wordpress-vulnerability-dos/

https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html

Impact

Denial of service