Researchers disclose a 6-year-old blind server-side request forgery (SSRF) vulnerability in WordPress core functionality

6-Year-Old Blind SSRF Vulnerability in WordPress Core Functionality Could Enable DDoS Attacks

There is a problem in the pingback request feature

Researchers have disclosed a blind server-side request forgery (SSRF) vulnerability in a six-year-old WordPress core functionality that could lead to a distributed denial of service (DDoS) attack.

In a blog post published this week (September 6), Sonar researchers detailed how they were able to exploit a vulnerability in the pingback request functionality in WordPress.

The vulnerability first surfaced in 2017 and remains unpatched.

Callback problem

Pingback requests allow WordPress authors to be notified when another site links to their blog.

The pingback functionality is exposed through the XML-RPC API and can be accessed via a file. Using this method, other bloggers can announce pingbacks.


Sonar researchers explained that this feature could allow attackers to perform DDoS attacks by maliciously asking thousands of bloggers to check pingbacks on a single victim’s server.

Although pingbacks can be turned off via a checkbox, they are still enabled on WordPress instances by default.

The researchers noted, however, that they “couldn’t generally identify a way to exploit this behavior to take over a vulnerable instance without relying on other vulnerable services.”

Instead, the vulnerability facilitates the exploitation of other vulnerabilities in the affected organization’s internal network.

Bypass restrictions

Sonar vulnerability researcher and blogger Thomas Chauchefoin told The Daily Swig: “In 2012, the risks surrounding the pingback feature started to become known, and the WordPress maintainers restricted the destinations of such requests: they would be limited to a restricted set of ports, public IP addresses only, etc.

“Essentially, our findings allow bypassing some of these restrictions and locating hosts from the local network. Attackers can use it to send requests to otherwise unreachable hosts, for example, to exploit vulnerabilities in internal services.”

He added: “This bug exists in most lineages of CVEs associated with pingbacks, but the oldest indicator of how researchers have documented how to bypass this particular restriction is from 2017.”


SonarSource researchers disclosed the issue to WordPress on January 21. According to Sonar, the issue was identified as a duplicate of a bug first reported to the WordPress team in January 2017.

Chauchefoin added: “We reported the vulnerability through official channels on January 21st with a fairly standard 90-day disclosure policy. After agreeing to a 30-day extension, we reviewed the first patch, still pending upstream merger… Our publication comes 228 years after our initial report.”

A spokesperson for the WordPress security team told The Daily Swig: “As stated in the Sonar blog post, this is a low-impact issue and exploiting it requires [chaining] it with other vulnerabilities in third-party software.

“As such, the security team considers this issue a lower priority.”

“Due to its low severity, the team is discussing whether this issue can be addressed publicly as general hardening,” they added.

Mitigation advice

WordPress told The Daily Swig that exploiting the vulnerability requires “a vulnerability in multiple systems other than WordPress,” but it advises website owners to always use the DNS servers provided by their hosting provider.

They added: “For pingbacks, users can turn off pingbacks. The XMLRPC endpoint will only make HTTP requests if pingbacks are turned on for pinged posts (details in the Sonar blog post).

“Site owners can (a) turn off pingbacks globally and/or (b) turn off pingbacks for their blog posts using the code snippet provided in the original post.”
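The per-post snippet referenced above is not reproduced on this page. As an added, defender-side example (not Sonar’s or WordPress’s own code), the following small plugin turns pingbacks off both globally and for individual posts using standard WordPress hooks; the plugin name and file layout are assumptions.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks (hardening example)
 * Description: Added example, not the snippet from the Sonar post. Removes the
 * pingback.ping XML-RPC method, stops advertising the endpoint, and closes pings
 * on every post so the XML-RPC endpoint never makes outbound pingback requests.
 */

// 1. Global: remove the pingback methods from the XML-RPC server entirely,
//    so a pingback.ping call is rejected before any HTTP request is made.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Global: drop the X-Pingback response header that announces the endpoint.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Per post: report pings as closed for every post, overriding the per-post
//    "Allow pingbacks" setting already stored in the database.
add_filter( 'pings_open', '__return_false', 10, 2 );

// 4. Per post (new content): make "closed" the default ping status so newly
//    created posts do not re-enable pingbacks.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

Drop the file into wp-content/plugins/ and activate it; the checkbox mentioned earlier only covers step 4, while steps 1 and 3 are what actually stop outbound pingback requests.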

Chauchefoin added: “It was exceptional for us to make the unpatched vulnerability public, a well-thought-out decision. As we have evidence that our findings conflict with previous public work, and require extensive work to weaponize against real-world environments, we felt that withholding details any longer would only be detrimental to defenders.

“We would like to salute the efforts of the WordPress maintainers; even if we can’t achieve the best possible results, backporting a fix for the software behind 40% of websites is no easy feat!”

Previous pingback issue

In 2012, WordPress core fixed another vulnerability in the pingback request functionality that allowed DDoS attacks.

The issue reported by Acunetix could be abused in a number of ways, the researchers reported, and was fixed “as a public hardening ticket” in the WordPress Core release shortly after it was discovered.

