• WordPress allows users to load multiple JS files and CSS files through load-scripts.php at once. The file load-scripts.php will load the jquery-UI-core and editor files automatically and return the contents of the file. The load-scripts.php file, which is a feature of WordPress, does not require any authentication, which allows users with malicious intent to ask for all JS files present in a WordPress installation. This creates a huge file that will cause some load on your server, and if requested often enough, will block your server from doing anything else.
    The load-scripts.php file works by selectively calling essential JavaScript files by passing their names into the “load” parameter. When the website is loading, this script attempts to find all JavaScript file names given in the URL, append their content into a single file and then send it back to the user’s browser.

    So what makes it vulnerable? Basically, load-scripts.php can be forced to call all possible JavaScript files at once by adding these file names to a URL. The consequence is website slowdowns due to excessive processor cycles and server memory consumption.

    It is explained very well here: https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html

    What I wonder is whether this is a good fix (not causing any other problems):

    1) add this to wp-config:
    define( 'CONCATENATE_SCRIPTS', false );

    2) add this to .htaccess

    <FilesMatch "load-scripts\.php|load-styles\.php">
      Order allow,deny
      Deny from all
    </FilesMatch>

    Thanks!
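A defender-side check for the behaviour described in this post, added here as an example; it is not code from the original post or from WordPress. It scans Apache combined-format access log lines (constructed samples are embedded below) for load-scripts.php / load-styles.php requests that name an unusually large number of handles in load[], and for clients hitting those endpoints repeatedly. The thresholds and the sample IPs are assumptions to be tuned per site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined-format prefix: client IP, identity, user, [time], "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TARGETS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

def count_handles(request_target):
    """Number of handles requested through the load[] parameter, or None if the
    request is not for load-scripts.php / load-styles.php."""
    parts = urlsplit(request_target)
    if parts.path not in TARGETS:
        return None
    query = parse_qs(parts.query)            # decodes load%5B%5D -> load[]
    values = query.get("load[]", []) + query.get("load", [])
    return sum(1 for v in values for h in v.split(",") if h)

def scan(lines, max_handles=40, max_per_ip=20):
    """Flag requests asking for more than max_handles handles, and client IPs
    hitting the concatenation endpoints more than max_per_ip times in the log.
    Both thresholds are assumed defaults, not WordPress values."""
    oversized, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        n = count_handles(target)
        if n is None:
            continue
        per_ip[ip] += 1
        if n > max_handles:
            oversized.append((ip, n))
    noisy = sorted(ip for ip, c in per_ip.items() if c > max_per_ip)
    return oversized, noisy

# Constructed sample log lines (documentation-range IPs, not real traffic)
def _line(ip, target):
    return f'{ip} - - [10/Feb/2018:12:00:00 +0000] "GET {target} HTTP/1.1" 200 1234'

NORMAL = "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9"
HUGE = "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(f"handle{i}" for i in range(60))
SAMPLE_LOG = (
    [_line("203.0.113.5", NORMAL), _line("203.0.113.5", "/wp-login.php")]
    + [_line("198.51.100.9", HUGE)] * 25       # one client, many oversized requests
)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Feed it real access log lines to spot the pattern before it becomes a capacity problem; a rate limit or WAF rule on those two endpoints is the corresponding mitigation.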

Viewing 3 replies - 1 through 3 (of 3 total)
  • Without appropriate rate limiting at the server (or better yet external WAF), what’s to stop an attacker from hitting ANY legitimate URL a million times… which has exactly the same effect as this “vulnerability”?

    Thread Starter kcaluwae

    (@kcaluwae)

    @gappiah Good point.

    Still, I thought there was a difference since here you can ask the server to process large heavy files, which makes it even easier and faster to overload the server than by just loading a certain page.

    And is there any benefit of leaving this load-scripts.php open to the public? If not, it’s better to close it.

    Miguel

    (@miguelgilmartinez)

    This looks like a security regression (CVE-2018-6389), I mean, a closed vulnerability reopened in the future. It is a serious issue, and should be patched as soon as possible. Adding define( 'CONCATENATE_SCRIPTS', false ); did not work for me.

    I think the WP Core Team should patch it as they did in the past.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

  • The topic ‘DoS attack WordPress – CVE-2018-6389’ is closed to new replies.