A vulnerability has been discovered in the pingback mechanism of WordPress (the pingback.ping API of xmlrpc.php). At least four ways to abuse it are known, one of which can even lead to a distributed DoS (Denial of Service) attack. This kind of attack is known as XSPA/SSRF (Cross Site Port Attack / Server Side Request Forgery). Bogdan Calin of Acunetix writes about it:
Recently somebody posted on Reddit about a WordPress scanner that is taking advantage of a new WordPress vulnerability. The vulnerability is abusing the Pingback system, which is a well-known feature that’s used by a lot of bloggers.
WordPress has an XMLRPC API that can be accessed through the xmlrpc.php file. One of the methods exposed through this API is the pingback.ping method. With this method, other blogs can announce pingbacks. When WordPress is processing pingbacks, it’s trying to resolve the source URL, and if successful, will make a request to that URL and inspect the response for a link to a certain WordPress blog post. If it finds such a link, it will post a comment on this blog post announcing that somebody mentioned this blog post in their blog.
This can be abused in at least four ways:
Read more at Acunetix:
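The pingback.ping flow quoted above, as an added example (not WordPress's own code): it parses a pingback.ping call as it would arrive at xmlrpc.php and vets the sourceURI before any request is issued, rejecting loopback/private addresses, local hostnames and non-web ports so the fetch cannot serve as an XSPA/SSRF probe. The hosts in the sample request are constructed placeholders, and the guard deliberately stops short of DNS resolution so it runs offline.

```python
"""SSRF guard for a pingback.ping call (added example, not WordPress code)."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed pingback.ping body as a client would POST it to xmlrpc.php;
# the source URI points at loopback, which is exactly what XSPA/SSRF abuses.
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>http://127.0.0.1:8080/</string></value></param>
<param><value><string>http://blog.example/2013/post/</string></value></param>
</params></methodCall>"""

BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}
ALLOWED_PORTS = {80, 443}   # anything else is a port-scan probe, not a blog

def parse_pingback(body: bytes):
    """Return (sourceURI, targetURI) for a pingback.ping call, else None."""
    root = ET.fromstring(body)
    if root.findtext("methodName") != "pingback.ping":
        return None
    params = [v.text or "" for v in root.findall("./params/param/value/string")]
    return (params[0], params[1]) if len(params) == 2 else None

def source_is_safe(source_uri: str) -> bool:
    """Reject sources whose fetch would reach internal hosts or odd ports.
    A real guard must also resolve DNS names and re-check the address."""
    parts = urlsplit(source_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # e.g. "http://host:abc/"
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # DNS name: caller must resolve and re-check
        return True
    return addr.is_global and not addr.is_multicast

def should_fetch(body: bytes) -> bool:
    # Decision the pingback handler should take before issuing any request.
    parsed = parse_pingback(body)
    return parsed is not None and source_is_safe(parsed[0])
```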
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 10 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.