
29% of websites are vulnerable to a DOS attack even by one machine (CVE-2018-6389)



It is important to note that exploiting this vulnerability is illegal, unless you have permission from the website owner.

A simple but very serious application-level denial-of-service (DoS) attack was discovered in the WordPress CMS platform. It allows any user to take down most WordPress websites from a single machine, achieving the same result as a DDoS attack without the huge number of computers that a DDoS attack needs to saturate bandwidth.

Because the WordPress Foundation refused to fix the problem, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released over the past nine years, including the latest stable release (WordPress 4.9.2).
Barak Tawily, an Israeli security researcher, discovered a vulnerability in the way load-scripts.php, a script built into the WordPress CMS, handles user requests.

As designed by the developers, load-scripts.php is intended only for administrators and exists to improve site performance and speed up page loads by combining several JavaScript files on the server into a single request.

However, because load-scripts.php must also work on the administrator login page (wp-login.php), that is, before anyone has logged in, the WordPress developers added no authentication check to it, with the result that the feature is available to everyone.



Depending on the plugins and modules installed, load-scripts.php selectively includes the required JavaScript files; their names are passed in the load parameter, separated by commas, as in the following URL:

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

When load-scripts.php is requested, it looks up each JavaScript file named in the URL, appends its contents to a single combined file, and then sends that file to the user's browser.

How WordPress DoS Attack Works




According to the researcher, load-scripts.php can be made to load every registered JavaScript file (181 scripts in total) in a single request by passing all of their names in the load parameter of the URL above. Each such request costs the server noticeable CPU time and memory, so the target site becomes somewhat slower.
“There is a well-defined list ($wp_scripts) that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform the necessary I/O read operations,” says Tawily.
Although a single request is not enough to bring down the entire site for all visitors, Tawily wrote a Python proof-of-concept (PoC). His doser.py sends a large number of simultaneous requests to the same URL in an attempt to consume as many server resources as possible and leave as little as possible for other users.

Hacker News verified the authenticity of the DoS exploit by successfully taking down one of the WordPress demo sites running on a medium-sized VPS.
“Load-scripts.php does not require any authentication; any anonymous user can do this. After about 500 requests, the server no longer responded or returned 502/503/504 status codes,” says Tawily.
However, an attack from a single machine with a connection of up to 40 Mbps was not enough to cause a denial of service on another demo website running on a dedicated server with high computing power and a large amount of memory.



This does not mean that the flaw is ineffective against WordPress websites running on a powerful server, since an application-level attack usually needs far fewer packets and far less bandwidth than a volumetric one to reach the attacker's goal.

Thus, attackers with more bandwidth or a handful of bots can use this vulnerability against large and popular WordPress websites.

No Patch - Mitigation Guide



Along with full disclosure, Tawily also provided a video demonstration of the attack. You can watch the video to see the attack in action.

Knowing that DoS vulnerabilities are out of scope for the WordPress bug bounty program, Tawily nevertheless responsibly reported this DoS vulnerability to the WordPress team through the HackerOne platform.

However, the company refused to acknowledge this problem, stating that such an error was beyond WordPress control and “should be mitigated at the server level or at the network level, and not at the application level”.

The vulnerability seems serious because about 29% of sites on the Internet use WordPress. This makes millions of sites vulnerable to hackers and potentially inaccessible to their users.

For sites that cannot afford services that protect against application-level attacks, the researcher has provided a forked version of WordPress that contains a patch for this vulnerability. You should, however, weigh the risks of installing a modified CMS, even if you consider the source reliable. In addition, the researcher released a simple bash script that fixes the problem in an already installed WordPress.
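As an added example (not from the article, and not the researcher's tooling), here is a small detector for the server-level mitigation WordPress pointed to: it parses the load parameter of load-scripts.php requests out of web-server access logs, using the comma-separated format described above, and flags client IPs that either request an oversized script bundle or hammer the endpoint, as in the roughly 500-request pattern the researcher observed. The log lines, handle names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Matches the start of an Apache/nginx "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def sample_log():
    """Constructed access-log lines, not real traffic; the 'handleN' names are placeholders."""
    big = ",".join(f"handle{i}" for i in range(181))  # 181 entries, the script count the article cites
    lines = [
        '203.0.113.7 - - [05/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load=editor,common,user-profile HTTP/1.1" 200 51234',
        '198.51.100.9 - - [05/Feb/2018:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 3000',
    ]
    lines += [
        f'192.0.2.5 - - [05/Feb/2018:10:00:0{i % 10} +0000] "GET /wp-admin/load-scripts.php?c=1&load={big} HTTP/1.1" 503 0'
        for i in range(120)
    ]
    return "\n".join(lines)

def load_script_count(target):
    """Number of script handles named in load-scripts.php's load parameter; 0 for any other URL."""
    parts = urlsplit(target)
    if not parts.path.endswith("/load-scripts.php"):
        return 0
    query = parse_qs(parts.query)
    # PHP accepts the parameter either as a comma-separated string (load=) or as an array (load[]=).
    values = query.get("load", []) + query.get("load[]", [])
    return sum(1 for value in values for handle in value.split(",") if handle)

def find_suspects(log_text, max_handles=50, max_requests=100):
    """Per-IP load-scripts.php stats; returns only IPs over either threshold (thresholds are assumptions)."""
    per_ip = defaultdict(lambda: {"requests": 0, "max_handles": 0, "server_errors": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        handles = load_script_count(m.group("target"))
        if handles == 0:
            continue
        stats = per_ip[m.group("ip")]
        stats["requests"] += 1
        stats["max_handles"] = max(stats["max_handles"], handles)
        stats["server_errors"] += int(m.group("status")) >= 500  # counts the 502/503/504 symptom
    return {ip: s for ip, s in per_ip.items()
            if s["max_handles"] > max_handles or s["requests"] > max_requests}
```

Flagged IPs are candidates for a rate limit or block at the web server or network layer, which is where WordPress said this should be mitigated.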

Source: https://habr.com/ru/post/348340/
