WordPress.org

Ideas

A better way to prevent XMLRPC Ping Back

  1. Kalpin Erlangga Silaen
    Member


    As we know, in March 2014 there were a huge number (around 160,000, according to the Sucuri blog) of WordPress-hosted sites involved, i.e. used by attackers to attack other sites. Attackers successfully exploited a vulnerability in XML-RPC in WordPress. From there, I can see how the WordPress team released a new version. Sadly, the new release only adds 5 lines to the old version in wp-includes/class-wp-xmlrpc-server.php (I compared 3.8.1 and 3.8.2; after that I did not see any change in the same file from your Security Release announcement). Those lines have the purpose of displaying the IP of whoever requests the XML-RPC pingback, not of preventing it.

    Also, I can see there are many plugins and tutorials on how to disable XML-RPC pingback; some even suggest disabling XML-RPC itself. But I think we should not let features be lost because of this kind of issue. Of course we need to mitigate or prevent any security issue immediately, but in my opinion, if we can fix a security issue without losing a feature, then that is the best way to handle it. So here is my idea:

    - create a new table (called url_whitelist) in WordPress, empty by default. There are only 2 fields, id and url. This table will contain the whitelist of URLs to which the WordPress site is allowed to send pingbacks
    - insert a line into wp-includes/class-wp-xmlrpc-server.php which queries the whitelist table above and compares it to $pagelinkedfrom. If the URL exists in the whitelist table, then the pingback may (depending on the next check/control) be allowed to be sent; if not (remember it is empty by default), then WordPress will not send a pingback to any URL (so we prevent pingbacks from abusers or scanner tools but still allow WordPress to send pingbacks to whitelisted URLs)
    - an interface in the dashboard which allows the admin to add whitelisted URLs to the whitelist table.

    That is my idea. I am sorry for my English.

    Thank you

    Kalpin

    Posted: 1 year ago #
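The allowlist idea from the post above, written as a WordPress plugin instead of a core patch. This is an added example, not the poster's patch and not WordPress core code. It differs from the proposal in three ways: the list is kept in a WordPress option (`psa_pingback_source_allowlist`, an assumed name) rather than a new table; only the hostname of the claimed source URL (`pagelinkedfrom`, the first argument of `pingback.ping`) is compared, because the caller controls the whole string and a string match on the full URL would be easy to dodge; and the admin interface is a field added to Settings > Discussion. Everything prefixed `psa_` is an assumption of the example. `xmlrpc_methods`, `admin_init`, `register_setting`, `add_settings_field`, the `IXR_Error` class and the `$wp_xmlrpc_server` global are real WordPress APIs; native `parse_url` is used rather than `wp_parse_url` so the file also loads on the older releases mentioned in the thread.

```php
<?php
/**
 * Plugin Name: Pingback Source Allowlist (example)
 * Description: Accept inbound XML-RPC pingback.ping calls only when the host of
 *              the claimed source URL is on an admin-managed allowlist. The list
 *              is empty by default, so all inbound pingbacks are refused until an
 *              administrator adds a host.
 */

// Assumed option name for this example; the forum post proposes a new table instead.
const PSA_OPTION = 'psa_pingback_source_allowlist';

/**
 * Normalise the saved textarea value into one lowercase hostname per line.
 * Anything that is not a plain hostname (schemes, paths, userinfo) is dropped.
 */
function psa_sanitize( $raw ) {
    $hosts = array();
    foreach ( preg_split( '/[\r\n,]+/', (string) $raw ) as $line ) {
        $host = strtolower( trim( $line ) );
        if ( '' !== $host && preg_match( '/^[a-z0-9.-]+$/', $host ) ) {
            $hosts[] = $host;
        }
    }
    return implode( "\n", array_unique( $hosts ) );
}

/** Allowlist as an array of lowercase hostnames; empty array when unset. */
function psa_allowed_hosts() {
    $stored = (string) get_option( PSA_OPTION, '' );
    return array_values( array_filter( explode( "\n", $stored ) ) );
}

/**
 * A source URL may trigger the pingback verification fetch only if its host
 * is on the allowlist. The host is compared, not the URL string, because the
 * remote caller chooses the URL and only the host decides where WordPress
 * would send the verification request.
 */
function psa_source_allowed( $source_url, array $allowed_hosts ) {
    $host = parse_url( $source_url, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return false;
    }
    return in_array( strtolower( $host ), $allowed_hosts, true );
}

/**
 * Replacement handler for pingback.ping: run the allowlist check, then hand the
 * unchanged arguments to the core implementation so all of core's own checks
 * (target URL belongs to this site, no duplicate pingback, etc.) still apply.
 */
function psa_pingback_ping( $args ) {
    global $wp_xmlrpc_server;
    $pagelinkedfrom = ( is_array( $args ) && isset( $args[0] ) ) ? (string) $args[0] : '';

    if ( ! psa_source_allowed( $pagelinkedfrom, psa_allowed_hosts() ) ) {
        // Fault code 49 is "access denied" in the Pingback specification.
        return new IXR_Error( 49, 'Pingback source is not on this site\'s allowlist.' );
    }
    return $wp_xmlrpc_server->pingback_ping( $args );
}

/** Swap core's 'this:pingback_ping' callback for the wrapper above. */
function psa_filter_methods( $methods ) {
    if ( isset( $methods['pingback.ping'] ) ) {
        $methods['pingback.ping'] = 'psa_pingback_ping';
    }
    return $methods;
}
add_filter( 'xmlrpc_methods', 'psa_filter_methods' );

/** Settings > Discussion field so an administrator can manage the list. */
function psa_admin_init() {
    register_setting( 'discussion', PSA_OPTION, 'psa_sanitize' );
    add_settings_field( PSA_OPTION, 'Pingback source allowlist', 'psa_render_field', 'discussion' );
}
add_action( 'admin_init', 'psa_admin_init' );

function psa_render_field() {
    printf(
        '<textarea name="%s" rows="4" cols="50">%s</textarea>'
        . '<p class="description">One hostname per line. Leave empty to refuse all inbound pingbacks.</p>',
        esc_attr( PSA_OPTION ),
        esc_textarea( (string) get_option( PSA_OPTION, '' ) )
    );
}
```

With the list empty, every `pingback.ping` call gets fault 49 before WordPress makes any outbound request, so the site cannot be pointed at an arbitrary target. Two caveats a practitioner should keep in mind: a host that is on the list can still be the destination of every verification fetch the site makes, since nothing here rate-limits; and the plugin touches only `pingback.ping`, not the rest of the XML-RPC surface. Whether an empty-by-default list is acceptable is exactly the usability question the rest of the thread turns on.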
  2. Kalpin Erlangga Silaen
    Member


    Is there any issue to implement this idea?

    PS: there is a typo in my initial post above. It should be:
    "(I compared 3.8.1 and 3.8.2; after that I did not see any change..."

    Posted: 1 year ago #
  3. Ipstenu (Mika Epstein)
    Lead Plugin Wrangler

    A lot of issues.

    It's a great idea, but it's impractical when you consider the people who use WP and their levels of technical ability.

    Whitelists put a surprisingly enormous burden on the runner of a website to know what is and is not okay.

    Instead, we'll most likely change over to using something like the JSON api which can be used more safely and securely.

    Posted: 1 year ago #
  4. Kalpin Erlangga Silaen
    Member


    Dear Ipstenu,

    In fact, my idea is to help people who do not need to know about the technical side. Many users do not know how to use all the features in WordPress, including XML-RPC pingback. Therefore, in my idea, WordPress will ship with an empty whitelist table by default (because not all users know about XML-RPC pingback), so we protect their WordPress from being employed by attackers for an XML-RPC pingback attack. If people want to cooperate or communicate with other WordPress websites, then they can add the URL to the whitelist table.

    Basically, we limit an "unknown" feature for users who do not know about or need it, but let other people use it if they want to.

    Posted: 1 year ago #
  5. Kalpin Erlangga Silaen
    Member


    By the way, I am a master's student at Swiss German University, BSD, Indonesia. Currently I am working on my thesis on the topic of DDoS in the application layer. One of my focus example attacks is the WordPress XML-RPC pingback attack, which allows people to use XML-RPC pingback to attack another site. I am still working on my thesis, but I think it is better if I share my idea as a solution to prevent the XML-RPC pingback attack.

    Is it safe to put them into my thesis with a PoC? I also propose my countermeasure in my thesis (patching WordPress). I tested my countermeasure from major version 3.5.2 to 4.3.1 and all of them work; there is no traffic from any of the WordPress installs sending XML-RPC pingbacks.

    Posted: 1 year ago #
  6. Ipstenu (Mika Epstein)
    Lead Plugin Wrangler

    Define 'safe' ?

    The 'WordPress XMLRPC Pingback Attack' is really just a case of "Yeah, if someone hammers the heck out of your site via pingbacks, it can act as a DDoS" which ... well, we know. But the same can be said of anything.

    https://www.trustwave.com/Resources/SpiderLabs-Blog/WordPress-XML-RPC-PingBack-Vulnerability-Analysis/

    It's a known thing.

    If you think it's too sensitive or something new, I would suggest posting it here - https://hackerone.com/automattic

    Otherwise, if you can submit a patch for all this, go for it. I would recommend a proof of concept as a plugin first, if possible, since that's a great way to let people test without patching core.

    Posted: 1 year ago #
  7. Kalpin Erlangga Silaen
    Member


    Dear Ipstenu,

    "safe" means that I put a PoC in my thesis for:

    1. How to automatically launch a DDoS attack using XML-RPC pingback
    2. Explain where the vulnerability is.

    I understand that this vulnerability is already well known, but I am talking about "ethics". That's why I am asking if it is "allowed" by WordPress as the vendor.

    I can submit a patch; where can I send it?

    Thank you

    Kalpin

    Posted: 1 year ago #
  8. Ipstenu (Mika Epstein)
    Lead Plugin Wrangler

    Please read https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/

    Again, I don't know exactly what vulnerability you're talking about. If it's exactly like the one I linked to, then I personally would consider it safe.

    HOWEVER. If you want to be the most ethical, responsible, practical, person, you would send an email with the details to security [at] wordpress.org. Include as much detail as you can.

    Posted: 1 year ago #
  9. Kalpin Erlangga Silaen
    Member


    Hello Ipstenu,

    Thank you for the suggestion. I have sent an email to security [at] wordpress.org with my patch as my proposed solution to prevent it.

    Thank you

    Kalpin

    Posted: 1 year ago #


  • Rating: 2 Votes
  • Status: Sorry, not right now