WordPress Pingback Vulnerability

Recently somebody posted on Reddit about a WordPress scanner that exploits a new WordPress vulnerability. The vulnerability abuses the pingback system, a well-known feature used by many bloggers.

What is a Pingback?

Quoting Wikipedia: A pingback is one of three types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software, such as Movable Type, Serendipity, WordPress, and Telligent Community, support automatic pingbacks where all the links in a published article can be pinged when the article is published.

WordPress exposes an XML-RPC API through the xmlrpc.php file. One of the methods in this API is pingback.ping, which other blogs use to announce pingbacks. When WordPress processes a pingback, it first tries to resolve the source URL; if that succeeds, it requests the URL and inspects the response for a link to one of its own blog posts. If it finds such a link, it posts a comment on that post announcing that somebody mentioned it on their blog.

This can be abused in at least four ways:

  1. WordPress tries to resolve the source URL and returns different error messages depending on whether the source host exists. Attackers can abuse this to guess hostnames inside the internal network, using URLs like http://subversion/, http://bugzilla/ or http://dev/ to see whether those hosts exist.
  2. If the source URL resolves, WordPress tries to connect to the port specified in the URL. If an attacker uses a URL like http://subversion:22/, WordPress will try to connect to the host subversion on port 22, and the response differs depending on whether the port is open or closed. This functionality can therefore be used to port scan hosts inside the internal network.
  3. It can also be used for distributed DoS (denial of service) attacks. An attacker can contact a large number of blogs and ask them to pingback a target URL; all of these blogs will then request the target URL.
  4. From the tests I've carried out, WordPress also supports URLs with embedded credentials. An attacker can therefore use a URL like http://admin:admin@192.168.0.1/changeDNS.asp?newDNS=aaaa to reconfigure an internal router, as in the email hack attack.
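The checks below are an added example, not code from the original post and not WordPress's own pingback handler. They show what a pingback.ping handler should verify before it fetches a caller-supplied source URL, with one check for each of the four abuse vectors above, plus the design point that every rejection is reported to the caller with the same message so the response is no longer a host/port oracle. The function and class names (check_source_url, handle_pingback, SourceRateLimiter), the FAKE_DNS table and the addresses in it are constructed for the demo; the request bodies are genuine XML-RPC pingback.ping calls built with Python's standard xmlrpc.client module, and the real resolver uses socket.getaddrinfo.

```python
"""Added example (not WordPress code): the checks a pingback.ping handler should
make before fetching a caller-supplied source URL, one per abuse vector above."""
import ipaddress
import socket
import time
import xmlrpc.client
from collections import defaultdict, deque
from urllib.parse import urlsplit

ALLOWED_SCHEMES, ALLOWED_PORTS = {"http", "https"}, {80, 443}
# One fixed message for every rejection, so the reply is not a host/port oracle.
GENERIC_REJECTION = "The source URL could not be processed."

def resolve_all(host):  # default resolver: every address the host resolves to
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_source_url(url, resolver=resolve_all):
    """Return None if the URL may be fetched, else the internal reason not to."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in url"  # vector 4: e.g. admin:admin@router
    host = parts.hostname
    if not host:
        return "no host"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return "port %d not allowed" % port  # vector 2: port scanning
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, nothing to resolve
    except ValueError:
        if "." not in host:
            return "single-label hostname"  # vector 1: intranet names like subversion
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is an OSError
            return "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return "resolves to non-public address %s" % addr  # vector 1
    return None

class SourceRateLimiter:
    """Vector 3 (DDoS reflection): sliding-window cap on fetches per source host."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.hits = defaultdict(deque)  # host -> timestamps of recent fetches
    def allow(self, host, now):
        q = self.hits[host]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def parse_pingback(body):
    """Return (source, target) for a well-formed pingback.ping call, else None."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML or XML-RPC
        return None
    if method != "pingback.ping" or len(params) != 2:
        return None
    return params if all(isinstance(p, str) for p in params) else None

def handle_pingback(body, resolver=resolve_all, limiter=None, now=None):
    """Return (accepted, message_for_caller, internal_reason). The caller only ever
    sees GENERIC_REJECTION; a real handler would next fetch the source page."""
    parsed = parse_pingback(body)
    if parsed is None:
        return False, GENERIC_REJECTION, "not a pingback.ping call"
    source, _target = parsed
    reason = check_source_url(source, resolver)
    if reason is not None:
        return False, GENERIC_REJECTION, reason
    host = urlsplit(source).hostname
    if limiter is not None and not limiter.allow(host, time.monotonic() if now is None else now):
        return False, GENERIC_REJECTION, "rate limit exceeded for %s" % host
    return True, "Pingback accepted for verification.", None

def pingback_request(source, target):  # builds a pingback.ping call body (sample input)
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")

# Constructed DNS table so the demo runs offline: a stand-in public address and an intranet host.
FAKE_DNS = {"blog.example.com": {"93.184.216.34"}, "wiki.corp.example": {"10.0.0.5"}}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("name not known")
    return FAKE_DNS[host]
```

With the constructed resolver, handle_pingback(pingback_request("http://subversion:22/", target), fake_resolver) and the same call for a name that does not resolve both return the identical GENERIC_REJECTION text to the caller; only the internal reason (logged server-side) differs, which is exactly the distinction the error-message screenshots below show WordPress leaking. The port check runs before any name resolution, so a scanner gets no DNS side effect from a URL with a non-web port, and the single-label rule rejects bare intranet names before they are ever looked up.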

I've made some screenshots to demonstrate how WordPress returns different error messages for valid and invalid hosts/ports.

Invalid Host

[Screenshot: WordPress pingback response for an invalid host]

Valid Host

[Screenshot: WordPress pingback response for a valid host]

I've implemented an Acunetix WVS script to test this vulnerability. This script will try to resolve various common internal hosts and try to connect to common ports. In the end, it will report the successful attempts. The script is available in the latest build (20121213) of Acunetix WVS. A sample alert looks like this:

[Screenshot: Acunetix WVS alert for the WordPress pingback vulnerability]

How do you protect against this vulnerability? Currently there is no fix. Disabling pingbacks and trackbacks from the Discussion Settings page doesn't fix the problem either. The issue was reported to the WordPress Team and will probably be fixed soon. Until then, you can rename/delete the xmlrpc.php file. Please let me know if you have a better workaround.

Note: The issue described in this article has been addressed in WordPress 3.5.1.


  1. Adwiteeya Agrawal

    Ahan!! Great work. Thumbs up. :)

    December 17, 2012 at 2:18 pm Reply
    • Bogdan Calin

      Thanks Adwiteeya.

      December 17, 2012 at 2:21 pm Reply
  2. guly

    Actually in my overnight tests I found that a blog post where trackbacks are disabled isn’t vulnerable. Disabling it worked as a fix for my test installation, of course YMMV.

    December 17, 2012 at 5:19 pm Reply
    • Bogdan Calin

      That’s not my experience. In my case it worked even if trackbacks were disabled. I’ve tested on WordPress 3.5.

      December 17, 2012 at 5:44 pm Reply
  3. Pingback: WordPress Pingback Vulnerability Could Lead to to DDoS Attacks « Wordpress « Wordpress Skills

  4. Pingback: WordPress Pingback Vulnerability Could Lead to to DDoS Attacks | Wordpress news and updates

  5. Pingback: Pingback Bug in Wordpress Can Be Leveraged in DDoS Attack, Router Reconfiguration | HOTforSecurity

  6. Pingback: Wordpress pingback: falla permette attacchi DDoS! - Capn3m0 WebSecurity

  7. Interesting. This is a classic case of XSPA/SSRF (Cross Site Port Attack/Server Side Request Forgery). A lot of research has now been conducted into specific instances of this vulnerability with PoC from several popular web applications.
    http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html
    https://media.blackhat.com/ad-12/Walikar/bh-ad-12-pokingserverswithFacebook-Walikar-WP.pdf
    http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
    https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit

    December 19, 2012 at 5:30 am Reply
    • Bogdan Calin

      Thanks Riyaz. I was aware of some of those papers but not all of them.

      In this case only the http:// scheme is supported, it’s not possible to use dict/gopher/…

      December 19, 2012 at 6:06 am Reply
  8. Pingback: Bezpečnostní chyba ve WordPressu 3.5 - WP-blog

  9. Pingback: Pingback in Wordpress ermöglicht Portscan und DDoS | WebDataSec

  10. Pingback: {EN} – WordPress Pingback Vulnerability Serves DDoS attack feature | Hack-Actus

  11. Pingback: WordPress Pingback Vulnerability Serves DDoS attack feature | THEROS INFOSEC FORUM

  12. Pingback: WordPress Pingback Vulnerability Serves DDoS attack feature « Engineering Evil

  13. Buntell

    Great work!
    Thank you for sharing.

    December 20, 2012 at 12:16 am Reply
  14. Pingback: Philippines news: WordPress vulnerability opens the door to DDOS attacks | Pinas news library

  15. Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix

  16. chrismccoy

    what if you disable xmlrpc?

    add_filter( 'xmlrpc_enabled', '__return_false' );

    December 20, 2012 at 1:28 pm Reply
    • Bogdan Calin

      Yes, that would work but has the same effect as renaming the file xmlrpc.php to something else.

      December 20, 2012 at 1:48 pm Reply
  17. kof2002

    nice job

    December 20, 2012 at 1:58 pm Reply
    • Bogdan Calin

      Very cool. I wasn’t aware about your blog post.

      December 20, 2012 at 2:37 pm Reply
  18. Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix | Wordpress news and updates

  19. Pingback: WordPress LAN Recon | TechSNAP | Jupiter Broadcasting

  20. Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix

  21. Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix « Wordpress « Wordpress Skills

  22. Barry van Someren

    You can simplify this with a simple deny clause in your .htaccess file (Apache compatible only)

    Example:

    Deny from all

    Save the file and the site should still function, but all requests to xmlrpc.php will get a 403 forbidden.

    December 21, 2012 at 8:24 am Reply
    • Bogdan Calin

      Deny from all will restrict access to all files.

      December 21, 2012 at 8:28 am Reply
      • Barry van Someren

        Hi,

        Yes I crafted a very specific config stanza, but apparently the comment filter filtered out my XML and only left the Deny from all.

        /facepalm

        It also didn’t allow me to edit my comment

        /double facepalm

        Basically look at the docs for an idea:

        http://httpd.apache.org/docs/2.2/mod/core.html#files

        You need to specify “files xmlrpc.php” with just the Deny from all

        December 21, 2012 at 8:39 am Reply
        • Bogdan Calin

          you have to be careful with .htaccess :)

          December 21, 2012 at 8:48 am Reply
        • The same (something similar) can be accomplished with web.config on IIS 7.5 web servers or .htaccess if something like ISAPI_Rewrite is installed on IIS. Just rewrite and/or the requests to xmlrpc.php:

          IIS web.config (Request Filtering):

          ISAPI_Rewrite .htaccess (you can’t use “deny sequences” with ISAPI_Rewrite):
          RewriteCond %{REQUEST_URI} (xmlrpc\.php) [NC]
          RewriteRule .? / [F,L]

          As Bogdan said, be careful with .htaccess and read the article “htaccess files should not be used for security restrictions” on this blog.

          December 22, 2012 at 7:42 pm Reply
          • Hmm, couldn’t use < %gt; for Request Filtering. Perhaps HTML encoded will work, if not I’m sorry :)

            <system.webServer>
            <security>
            <requestFiltering>
            <denyUrlSequences>
            <add sequence="xmlrpc.php" />
            </denyUrlSequences>
            </requestFiltering>
            </security>
            </system.webServer>

            December 22, 2012 at 7:45 pm
  23. Pingback: technologyruck.us – WordPress Pingback Vulnerability Serves DDoS attack feature

  24. Pingback: WordPress - Une vulnérabilité du PingBack permet des attaques DDoS massives | UnderNews

  25. Pingback: The WordPress Weekend Roundup - WP Daily

  26. Pingback: On Blogging: Are Pingbacks A Pesky Problem? | Mirth and Motivation

  27. Pingback: Spätné upozornenia robia WordPress zraniteľným « WordPress Slovensko

  28. Pingback: Cómo proteger WordPress de la “vulnerabilidad Pingback” descargar gratis | Zonadictz

  29. Pingback: Building the site |

  30. Pingback: Perishable Press : Perlindungan bagi Kerentanan Pingback WordPress | Pernando "cybrog" Ritonga

  31. Bob

    You misspelled ‘Reddit’

    January 13, 2013 at 9:43 am Reply
  32. Pingback: Daca wordpressul merge greu pe unele siteuri hostate pe servere ubuntu/debian xmlrpc trebuie dezactivat | LUG Mureş

  33. Pingback: 关于WordPress xmlrpc.php Pingback缺陷与SSRF攻击 | EVILCOS

  34. Pingback: 关于WordPress xmlrpc.php Pingback缺陷与SSRF攻击 | 羊知道|YangKnow.com

    • Bogdan Calin

      yes, 3.5 is vulnerable.

      February 21, 2013 at 8:13 am Reply
  35. Pingback: Protection for WordPress Pingback Vulnerability | Start a Web Design Company

  36. Schnäppchen

    Great! Thank you a lot :P

    March 11, 2013 at 3:17 pm Reply
  37. Is this Vulnerability fixed in 3.5.1 version of WordPress?

    March 11, 2013 at 5:02 pm Reply
    • Bogdan Calin

      Yes, it’s fixed in 3.5.1

      March 11, 2013 at 8:22 pm Reply
      • Morten

        I have a WP 3.5.1 site that still gets pingbacks with Chinese characters… have disabled pingbacks, but it does not help. So is this really fixed or do I have some other issues?

        /Morten

        April 15, 2013 at 7:51 am Reply
  38. Dennar

    hey, what’s the tool name you used to do the HTTP post ?
    and thanks.

    April 19, 2013 at 11:21 pm Reply
    • Bogdan Calin

      I’m using Acunetix’s HTTP Editor tool.

      April 22, 2013 at 7:40 am Reply
  39. Pingback: WordPress Default Leaves Millions of Sites Vulnerable to DDoS Attacks – HackRead – Latest Cyber Crime – Information Security – Hacking News

  40. Pingback: 保护WordPress的pingback的漏洞 | 李新的博客

    • Bogdan Calin

      It’s the Acunetix HTTP Editor.

      October 22, 2013 at 11:01 am Reply
  41. Pingback: Lebanon web design company

  42. Pingback: WordPress Pingback Vulnerability - Sysadmins of the North

  43. Pingback: WordPress Pingback功能可被用作DDoS攻击 | 鸟窝

  44. Pingback: WordPress Potential Attack Flows – How To Fix – MVC | NextDime Networks