Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Wordpress Pingback Port Scanner
From: Vladimir Vorontsov <vladimir.vorontsov () onsec ru>
Date: Mon, 21 Jan 2013 13:59:01 +0400

Hi all!

BTW,


      WordPress XMLRPC pingback additional issues


http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

20.01.13, 0:03, Grandma Eubanks ?????:
From a quick couple minute cursory check, I do not see how login checks
differ from regular login and xmlrpc in regards to when a login limit
plugin is used.
Example is wordpress 3.5 and limit-login-attempts plugin.

wordpress 3.5 (class-wp-xmlrpc-server.php):
function login( $username, $password ) {
        ...

        $user = wp_authenticate($username, $password);

        if (is_wp_error($user)) {
            $this->error = new IXR_Error( 403, __( 'Incorrect username or
password.' ) );
            $this->error = apply_filters( 'xmlrpc_login_error',
$this->error, $user );
            return false;
        }

        wp_set_current_user( $user->ID );
        return $user;
    }


Wordpress 3.5 (wp-includes/pluggable.php):
function wp_authenticate($username, $password) {
        $username = sanitize_user($username);
        $password = trim($password);

        $user = apply_filters('authenticate', null, $username, $password);

       ...

        return $user;
}


limit-login-attempts (limit-login-attempts.php):
    add_action('wp_authenticate', 'limit_login_track_credentials', 10, 2);

And the xmprpc functions seem to check authentication before proceeding,
hitting this function anyway. Of course, it seems XFF might be fun in the
limit plugin, but that's another story.

On Sat, Jan 19, 2013 at 1:10 PM, Henri Salo <henri () nerv fi> wrote:

On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
And when WordPress developers turned in on in WordPress 3.5 they returned
the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web
sites
were vulnerable, which had turned it on, then since WP 3.5 all web sites
would be vulnerable again.
First of all I am impressed that you MustLive have studied this issue so
much and given valuable information to this mailing list. Thank you. I'll
bet you can give lot to the community if you start to find vulnerabilities
from important software and don't waste time to non-issues (not saying that
you haven't done this already in some level).

Could you give me references where WordPress developers enabled XML-RPC
again? In my opinion this is not wise decision. The interface should have
at least some kind of ACL enabled. I have no idea what is now allowed or is
there possibility to configure the interface. Last time I tested this
interface it did need authentication to do some of the tasks. I did not
check all of them.

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault