DoS vulnerability in WordPress

2012-04-23T00:00:00
ID SECURITYVULNS:DOC:27968
Type securityvulns
Reporter Securityvulns
Modified 2012-04-23T00:00:00

Description

Hello 3APA3A!

I want to warn you new about security vulnerability in WordPress.

This is Denial of Service vulnerability. Which exists in security functionality, which protects against Abuse of Functionality vulnerability in WordPress, which I've disclosed in 2009 and which was not fixed correctly.


Affected products:

If for previous AoF all versions of WordPress are vulnerable, then for DoS the versions 2.9 - 3.3.1 are vulnerable.


Details:

In WordPress 2.9 in December 2009, as was stated by developers of the engine [1], Abuse of Functionality vulnerability in WordPress [2] was fixed. Which could lead to DoS and in some cases to full takeover of the site (at presence of the installer at the site). WP developers said, that they made automated repairing of tables in DB.

But last month I've found Denial of Service vulnerability in this security functionality of the engine and later also checked, that repairing of tables in DB isn't automated. But only admin of the site, when found that his site isn't working, need to manually start the repairing of tables (by using of script repair.php, which was added to WP, so no need to use other software). I.e. AoF vulnerability, which I've wrote about in May 2009, just was not fixed. And still possible to conduct attacks through it.

DoS (WASC-10):

By constantly sending requests to script http://site/wp-admin/maint/repair.php (functions "Repair Database" and "Repair and Optimize Database") it's possible to create overload at the site (and the whole server). And the more data in site's DB, the more load from every request.

http://site/wp-admin/maint/repair.php?repair=1&_wpnonce=a4ca36d5ff

http://site/wp-admin/maint/repair.php?repair=2&_wpnonce=a4ca36d5ff

The attack will work at turned on WP_ALLOW_REPAIR in wp-config.php. Protection against CSRF (tokens) is bypassing, because for using of this functionality the authorization isn't required. So it's possible to get _wpnonce remotely and to conduct DoS attack.


Timeline:

2012.03.24 - found the vulnerability during security audit. 2012.04.12 - disclosed at my site [3].


References:

  1. WordPress 2.9 (http://wordpress.org/development/2009/12/wordpress-2-9/).
  2. Attack on Abuse of Functionality in WordPress (http://websecurity.com.ua/3152/).
  3. DoS vulnerability in WordPress (http://websecurity.com.ua/5745/).

Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua