Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Wordpress Pingback Port Scanner

From: Grandma Eubanks <tborland1 () gmail com>
Date: Sat, 19 Jan 2013 14:03:36 -0600
From a quick couple minute cursory check, I do not see how login checks

differ from regular login and xmlrpc in regards to when a login limit
plugin is used.
Example is wordpress 3.5 and limit-login-attempts plugin.

wordpress 3.5 (class-wp-xmlrpc-server.php):
function login( $username, $password ) {
        ...

        $user = wp_authenticate($username, $password);

        if (is_wp_error($user)) {
            $this->error = new IXR_Error( 403, __( 'Incorrect username or
password.' ) );
            $this->error = apply_filters( 'xmlrpc_login_error',
$this->error, $user );
            return false;
        }

        wp_set_current_user( $user->ID );
        return $user;
    }


Wordpress 3.5 (wp-includes/pluggable.php):
function wp_authenticate($username, $password) {
        $username = sanitize_user($username);
        $password = trim($password);

        $user = apply_filters('authenticate', null, $username, $password);

       ...

        return $user;
}


limit-login-attempts (limit-login-attempts.php):
    add_action('wp_authenticate', 'limit_login_track_credentials', 10, 2);

And the xmprpc functions seem to check authentication before proceeding,
hitting this function anyway. Of course, it seems XFF might be fun in the
limit plugin, but that's another story.

On Sat, Jan 19, 2013 at 1:10 PM, Henri Salo <henri () nerv fi> wrote:


On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:

And when WordPress developers turned in on in WordPress 3.5 they returned
the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web

sites

were vulnerable, which had turned it on, then since WP 3.5 all web sites
would be vulnerable again.


First of all I am impressed that you MustLive have studied this issue so
much and given valuable information to this mailing list. Thank you. I'll
bet you can give lot to the community if you start to find vulnerabilities
from important software and don't waste time to non-issues (not saying that
you haven't done this already in some level).

Could you give me references where WordPress developers enabled XML-RPC
again? In my opinion this is not wise decision. The interface should have
at least some kind of ACL enabled. I have no idea what is now allowed or is
there possibility to configure the interface. Last time I tested this
interface it did need authentication to do some of the tasks. I did not
check all of them.

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: