Re: Wordpress Pingback Port Scanner
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 19 Jan 2013 20:53:24 +0200
It's good that you've drawn attention to the possibility of port scanning and
made nice software for abusing this WP feature.
But I want to remind you about another vulnerability in XML-RPC, which I
disclosed in 2012. The most important hole in WordPress XML-RPC is Brute
I wrote about it using WordPress as the example, but it concerns every web
application with XML-RPC support. All versions of WP are vulnerable to BF, but since
WordPress 2.6 XML-RPC was turned on by default.
And when WordPress developers turned it on in WordPress 3.5 they brought
the hole back to the masses. Earlier, for WP 2.6 - 3.4.2, only those web sites
which had turned it on were vulnerable; since WP 3.5 all web sites
would be vulnerable again.
The interesting part with Brute Force attacks via XML-RPC and the same with
Atom Publishing Protocol (to which WP 2.3 - 3.4.2 are vulnerable), this hole
I also disclosed in 2012 (http://securityvulns.ru/docs27917.html,
as I've written at my site - it's better reliability than brute forcing via
the login form. Because unlike the login form (for which there are plugins to
protect against BF), no plugins can protect against attacks via XML-RPC and
WP developers removed AtomPub from the core (made it a plugin), so they
"removed" this BF hole from the core, but at the same time they enabled the BF hole via
XML-RPC (plus added port scanning functionality). Such a wise decision :-).
Best wishes & regards,
Administrator of Websecurity web site
From: FireFart_(at)_gmail.com <FireFart_(at)_gmail.com>
Subject: Wordpress Pingback Port Scanner
Wordpress 3.5 has its XML-RPC Interface enabled by default. See here for
I read through the article and took a look at the Pingback API since it is
publicly available on many Wordpress installations.
The cool thing is: you can do a port scan using the Pingback API
You can even scan the server itself or discover some hosts on the internal
Network this server is on.
So I wrote this little Ruby Script to utilize this "feature":
You can even use multiple Wordpress XML-RPC Interfaces to scan a single
host so this can be some kind of distributed port scanning.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/