Full Disclosure mailing list archives
Brute Force vulnerability in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 25 Mar 2012 23:45:33 +0300
Hello list!

There are many vulnerabilities in WordPress which have existed since version 2.0, or even since the 1.x versions, and are still not fixed. So I want to warn you about one of these holes. It's a Brute Force vulnerability via the XML-RPC functionality in WordPress.

-------------------------
Affected products:
-------------------------

Vulnerable are WordPress 3.3.1 and previous versions.

----------
Details:
----------

Brute Force (WASC-11):

http://site/xmlrpc.php

In this functionality there is no protection against Brute Force attacks. By sending the corresponding POST requests it's possible to pick up the password.

Note that since WordPress 2.6 the XML-RPC functionality is turned off by default. WP developers did it due to vulnerabilities (such as SQL Injection and others) which were found in this functionality, i.e. it was not motivated as a countermeasure to Brute Force, but it also worked as protection against Brute Force attacks. So this issue doesn't concern those who use WordPress since version 2.6 with default settings. But those who need to use XML-RPC will have the Brute Force vulnerability, because the developers didn't make reliable protection against it.

Earlier, in 2008 and 2010, I already wrote about Brute Force vulnerabilities in WordPress (http://websecurity.com.ua/2007/ and http://websecurity.com.ua/4016/, SecurityVulns ID: 10677) and this is another such vulnerability. Besides them there is also a known BF attack not via the login form, but using the authorization cookie (where by setting different cookies it's possible to pick up the password).

------------
Timeline:
------------

2012.03.20 - disclosed at my site.

I mentioned this vulnerability at my site (http://websecurity.com.ua/5723/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
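Added example, not part of MustLive's post and not WordPress code: a small log-review script in Python that a site operator can run over web server access logs to spot the pattern the advisory describes, many POST requests to xmlrpc.php from one client in a short time. The log lines, client addresses, timestamps and the threshold of 10 requests per minute are constructed for this example; tune the threshold to the legitimate XML-RPC traffic (blog clients, pingbacks) your own site sees.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common/combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) for an access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    path = m.group("path").split("?")[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_xmlrpc_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Flag client IPs that POST to /xmlrpc.php at least `threshold` times inside any `window`.

    Returns {ip: peak number of POSTs seen in a single window}. Requests are counted rather
    than HTTP status codes, because an XML-RPC login failure is reported inside the XML body
    (a fault struct), not as an HTTP error status, so the status column does not separate
    failed attempts from successful calls.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not access-log records
        ip, ts, method, path, _status = rec
        if method == "POST" and path.endswith("/xmlrpc.php"):
            posts[ip].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # advance the window start until all requests in [start, end] fall within `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log: one client hammering xmlrpc.php, one benign client, some noise."""
    tz = timezone(timedelta(hours=3))
    base = datetime(2012, 3, 25, 23, 45, 33, tzinfo=tz)  # constructed timestamp

    def entry(ip, offset_s, request, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{request}" {status} 370'

    lines = [entry("203.0.113.7", 3 * i, "POST /xmlrpc.php HTTP/1.1") for i in range(12)]
    lines += [
        entry("203.0.113.7", 40, "POST /wp-login.php HTTP/1.1"),       # different path, not counted
        entry("198.51.100.4", 60, "POST /xmlrpc.php HTTP/1.1"),        # benign client, 2 posts
        entry("198.51.100.4", 360, "POST /xmlrpc.php HTTP/1.1"),       # 5 minutes apart
        entry("192.0.2.9", 90, "GET /xmlrpc.php HTTP/1.1", status=405),  # GET, not counted
        "not a log line",                                              # parser must skip this
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, peak in find_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php within one minute")
```

Running the script flags only 203.0.113.7 with the default settings; the two-request client is well under the threshold and the GET request is ignored. Operators who cannot disable XML-RPC can pair a check like this with a rate limit or fail2ban rule keyed on the same request pattern.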