
Thread: Wordpress Exploit

  1. #1

    Wordpress Exploit

    The latest version of Wordpress is exploitable by what seems to be an 0day exploit. There is no patch on wordpress.org. Here's the actual exploit:
    pastebin - collaborative debugging tool

    It looks like it's an issue in wp-trackback.php

    Temporarily disabling trackbacks should be a workaround for now. Nothing has been tested though....
    Submit Your Proxies @ NewProxySites.com

  2. #2
    Update: I just tested it on my server and it hurts. Dirty exploit:

    top - 13:29:56 up 36 days, 1:06, 12 users, load average: 45.95, 13.40, 4.66

    I'm working on a workaround...and

    <Files ~ "wp-trackback.php">
    Order allow,deny
    Deny from all
    </Files>


    Add that to your apache config file to disallow wp-trackback.php on every site hosted on the server.

    A nasty workaround, but will help until a real fix is out.

  3. #3
    I made a post about it on my blog:
    New 0-Day Wordpress Exploit | Steve Fortuna

  4. #4
    Imagine if they change to this.

    PHP Code:
    for ($n = 0; $n <= 10000000; $n++) {
        // fputs attack stuff
    }

    It will loop 10 million times. Imagine if they put usleep(); at a quarter second to prevent crashing your server, then hitting the page over and over for oh about 7 days. You will have a page with 2,419,200 trackback comments on it saying "lol", now imagine having to delete that shit to clean up. Priceless. xD
    Hopefully wordpress has some kind of mechanism to block repeated trackbacks from the same IP...
    Submit new proxies -

  5. #5
    I have come up with a fix for this exploit. It's posted on my blog, linked above.

  6. #6
    Quote Originally Posted by nux View Post
    I have come up with a fix for this exploit. It's posted on my blog, linked above.
    What is $charset, and does checking if it is greater than 50 characters stop the attack?

  7. #7
    Thanks guys. I'm adding the code. Do you have any idea when the WP fix will be released?


  8. #8
    the problem is in this function: PHP: mb_convert_encoding - Manual

    What the exploit does is tell the server that there are thousands of charsets to convert it to. The fix limits the input on the charset value to 50 chars. I tested on my server and it works. 50 might be too much anyway, but it stops the exploit.

  9. #9
    Okay, I think I understand. So wp-trackback accepts a character encoding with a var called $_POST['charset'],
    with this code they generate thousands of things saying "UTF-8"
    $charset = str_pad($charset,140000,"UTF-8,");

    for a payload to mb_convert_encoding, which will loop over them thousands of times. Running up the load on the server.
    So I guess checking if $charset is less than 50 might work and is probably too much anyway. Most character encoding names will be around 10 chars, right?
    Looks good..

    Keldorn.

  10. #10
    @nux
    can you show where exactly in wp-trackback.php we have to paste the following code, as mentioned by you in your blog post:
    Code:
    if(strlen($charset) > 50)
    die;
    I understand line 47 but to be precise
    I mean, before what and after what piece of code should it come/appear.
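
A stricter form of the length check discussed in this thread, as an added example that is not part of any post and is not WordPress code: it accepts the POSTed charset only if it is a single encoding name known to mbstring, so a comma-separated list never reaches mb_convert_encoding. The function names, the `UTF-8` target and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from wp-trackback.php.
const MAX_CHARSET_LEN = 50; // same limit as the fix discussed in the thread

// Returns a validated encoding name, or null if the value must be rejected.
function safe_trackback_charset(?string $raw, string $default = 'UTF-8'): ?string
{
    if ($raw === null || $raw === '') {
        return $default;                      // nothing supplied: use the default
    }
    $charset = strtoupper(trim($raw));
    if (strlen($charset) > MAX_CHARSET_LEN) {
        return null;                          // oversized value
    }
    // One encoding name only. Commas (encoding lists) and spaces are refused.
    if (!preg_match('/^[A-Z0-9][A-Z0-9._-]*$/', $charset)) {
        return null;
    }
    // Must be an encoding mbstring knows (aliases such as "latin1" are not listed).
    static $known = null;
    if ($known === null) {
        $known = array_flip(array_map('strtoupper', mb_list_encodings()));
    }
    return isset($known[$charset]) ? $charset : null;
}

// Converts one trackback field, or returns null when the charset is refused.
function convert_trackback_field(string $value, ?string $rawCharset): ?string
{
    $from = safe_trackback_charset($rawCharset);
    if ($from === null) {
        return null;                          // caller should drop the request
    }
    return mb_convert_encoding($value, 'UTF-8', $from);
}

// Constructed sample inputs, not captured traffic.
$samples = ['UTF-8', 'iso-8859-1', 'UTF-8,ISO-8859-1',
            str_repeat('UTF-8,', 20), 'NOT-A-CHARSET'];
foreach ($samples as $s) {
    $result = safe_trackback_charset($s);
    printf("%-22s => %s\n", substr($s, 0, 20), $result ?? 'rejected');
}
```

The first two samples are accepted and the other three are rejected. The comma list is refused even when it is shorter than 50 characters, which the length check alone would let through.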
