WordPress site administrators have had a tough week. On Monday, February 5, 2018, the developers published a new version of the CMS (WordPress 4.9.3), which was supposed to eliminate a number of minor problems, but in the end accidentally messed up the automatic updates mechanism, which allows the CMS to update itself without user intervention.
Although the error was quickly noticed, and the very next day WordPress 4.9.4 was released that restores the normal operation of the automatic updates system, there was an obvious problem. The fact is that users whose update system is already broken did not receive an automatic fix in the form of WordPress 4.9.4, they may not even know about its existence. To install version 4.9.4, affected users need to initiate the update manually from the control panel.
Another bad news is the fact that both versions (4.9.3 and 4.9.4) still lack a patch for the CVE-2018-6389 vulnerability, which previously reported by independent Israeli information security specialist Barak Tawily.
Tawaily discovered that an attacker could force load-scripts.php to load all available JavaScript files at all by simply listing them in the URL. Because of this, the attacked site can start to work much slower, absorbing more and more server power. Of course, with a single such request, an attacker will not be able to provoke a denial of service, but the researcher created a proof-of-concept exploit: a simple doser.py script written in Python. The script sends many similar requests to the target URL. After about 500 requests, the average site running on a VPS server stops responding at all, “giving” only errors 502, 503 and 504.
The specialist warned that it is unlikely that it will be possible to “put” a WordPress site running on a powerful, separate server from one computer, however, if the attacker has a wide channel at his disposal or several bots, the attack will work against such a resource, and it will be less expensive for an attacker than a regular DDoS.
Although Tawaili notified the CMS developers about the problem, they did not consider the discovered vulnerability serious enough and said that such problems should be solved at the server or network level, but not at the application level. Judging by the absence of patches in versions 4.9.3 and 4.9.4, the decision of the developers has not changed yet.
At the same time, journalists from Bleeping Computer warn that proof-of-concept exploit for CVE-2018-6389 is freely available online (1, 2). Moreover, Imperva specialists prepared their own report, in which they fully agreed with the conclusions of Barak Tawaili and reported that WordPress sites are already under attack that exploit this bug.
Let me remind you that Tawaili published his own fork of WordPress on GitHub , in which the vulnerability is fixed. Also, the researcher posted in open access bash-script, which allows you to fix the problem in existing WordPress installations. Now there is another possible way around the problem: you can protect yourself from the vulnerability using ModSecurity.
Source: xaker.ru
