WordPress Vulnerability: DoS flaw could bring down your site

easyhostmedia

Well-known member
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli researcher Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL, it sends them back in a single file.

That’s a lot to untangle; maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

See more at

https://goo.gl/kfcALs
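The article above describes the mechanism: load-scripts.php takes a list of script handles in its load parameter and concatenates the matching JavaScript files into one response, so the server does work proportional to the length of that list. The example below is an added illustration, not code from the thread or from the linked article, of how a host could watch for abuse of that behaviour from the defender's side: it scans constructed access-log lines and flags requests that carry an unusually long handle list, plus clients that hit the script repeatedly. The log format (Apache/nginx "combined" style), the two thresholds, the IP addresses and the placeholder handle names are all assumptions made for the demo.

```python
"""Added example: detect abusive wp-admin/load-scripts.php requests in access logs.
Not from the forum thread or the linked article; log format, thresholds and
sample data below are assumptions made for the demonstration."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

MAX_HANDLES = 20   # assumed threshold: a normal admin page asks for far fewer handles
MAX_PER_IP = 5     # assumed threshold: more load-scripts hits than this from one client


def count_load_handles(request_path: str) -> int:
    """Number of script handles requested via load-scripts.php (0 for any other path)."""
    parts = urlsplit(request_path)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return 0
    qs = parse_qs(parts.query)
    # The handle list may arrive as load[] or load; each value is comma separated.
    values = qs.get("load[]", []) + qs.get("load", [])
    return sum(len([h for h in v.split(",") if h]) for v in values)


def analyze(lines):
    """Return (flagged, noisy): requests over MAX_HANDLES and IPs over MAX_PER_IP."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        n = count_load_handles(m["path"])
        if n == 0:
            continue  # not a load-scripts.php request
        per_ip[m["ip"]] += 1
        if n > MAX_HANDLES:
            flagged.append({"ip": m["ip"], "handles": n, "status": m["status"]})
    noisy = {ip: c for ip, c in per_ip.items() if c > MAX_PER_IP}
    return flagged, noisy


def _line(ip, path, status="200"):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Feb/2018:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


# Constructed sample data: one ordinary admin request, one unrelated request,
# and a burst of requests carrying 30 placeholder handles (h0..h29) from a second IP.
NORMAL_HANDLES = "jquery-core,jquery-migrate,utils,common,wp-a11y"
LONG_HANDLES = ",".join(f"h{i}" for i in range(30))
SAMPLE_LOG = [
    _line("203.0.113.7", "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + NORMAL_HANDLES + "&ver=4.9.2"),
    _line("203.0.113.7", "/wp-login.php"),
] + [
    _line("198.51.100.9", "/wp-admin/load-scripts.php?load%5B%5D=" + LONG_HANDLES + "&ver=4.9.2")
    for _ in range(6)
]

if __name__ == "__main__":
    flagged, noisy = analyze(SAMPLE_LOG)
    for f in flagged:
        print(f"long handle list: {f['ip']} requested {f['handles']} handles (HTTP {f['status']})")
    for ip, count in noisy.items():
        print(f"repeated load-scripts.php requests: {ip} made {count} calls")
```

Running it reports the six oversized requests and the one client that made more than five calls, while the ordinary admin request from the first IP stays quiet. On a real host the same two signals (handle count per request and request rate per client) are what you would feed into a WAF or fail2ban-style rule in front of the script, since the page itself notes that no core patch is expected.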
 

So in short, WordPress doesn't care about security and therefore there is nothing anyone can do about it?
 

Nothing has changed there; they have never cared about security in the past, but this time they have openly stated they won't patch this.
 
Yea, unfortunately, that's the truth. :/

While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL
 

Yikes indeed! :uhh:
 
Look at e107: several years ago they had a vulnerability that not only allowed hacking into installations, but allowed hackers into the full server the installs were on, which they knew about and refused to patch. It took many of the sites using e107 getting hacked and taken down before they patched it, but, like me, many hosts still won't allow e107 installations on their servers.
 
The sad reality of WordPress! :( Though there are a number of security plugins, there is no new patch available, which causes very serious security issues.

That is why WordPress sites become the victim of hackers. :/
 

It is a constant battle to get clients to upgrade to the latest versions of any script (not just WP), as they don't understand the security implications.
 

That is why auto installers tend to have an auto update setting option on the admin as well as the client side.

That way, clients who just press install and think that it's "all set" will actually get this, if you set it to auto-update by default.

Other than that, those who will "uncheck" it will likely know "hey, updates are my problem now". Otherwise I would politely advise them to keep their installs up to date.

Now of course plugins/themes are still a "problem", but generally that is under the "okay, if I install this then I need to keep this updated".
 

Sometimes the auto-update does not work. I normally issue mass emails about outdated scripts to inform members to update, and if they don't after 7 days I will update all these scripts.
 

I absolutely agree that automation is not and never will be "perfect". That is why no provider should just "set it and forget it". :)
 
Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.
 
It's a dark truth of WordPress. It is less secure than others. We should be careful if a website is on WordPress. They have some plugins for security purposes, but they are also not enough.
 
As I see it, that's a truth we have to bear. That's why many people would like to develop their website from scratch, because if there is a bug in a CMS, you will have to wait until they decide to correct that bug.
 

But not everyone can develop their own websites from scratch; even mainstream site designers use a CMS as a framework while designing websites. But it is not just a case of developers issuing bugs; it is also down to website owners, as I used to always have to push my clients to upgrade their scripts. So even if bug fixes are issued, it is up to the website owners to upgrade their installations to versions that include the bug fixes.
 

This is an indirect result of Gutenberg IMO. Theme developers and plugin developers who helped make this platform what it is are stopping and looking for alternatives, as Gutenberg is set to replace a lot of what can be done via outside resources. Some are fighting it and some are trying to integrate with it.

Also, as you have mentioned, people install plugins for almost every reason, because most people on WordPress don't even know how to optimise an image without a plugin, let alone any other programming or website building functions.

Of course, as we know, PHP is a patchy language that is constantly getting checked and updated for issues. If you aren't updating you will have vulnerabilities. It's not WordPress, it's not PHP; I've seen very secure WordPress sites and very secure payment gateways written in PHP...

It's the people who use the plugins and don't know what they're really doing that is the real problem. With Gutenberg, it will only get worse.
 
It is hard to say that WordPress is less secure than others. This argument is equivalent to saying that Windows is less secure than Linux. But the truth is that Windows is more popular than Linux, and hence targeted more for monetary benefits. Technically both are equally exploitable.

Same way, WordPress is the most popular CMS used on the internet, and hence there is more effort to hack it.

I had written a WordPress plugin for BountySite a few months back, and they had a decent coding standard, which has been built over years of experience. Despite all the process in place, security vulnerabilities do happen. It does look scary when there is an exploit open with no patch available.

I had a look at the patch, it is pretty simple. Wonder why they did not go for the fix immediately!
 