Security Experts:

Pingback Function in WordPress Vulnerable To Malicious Use, Serves As Attack Tool

A vulnerability (or unintended function) in WordPress that was dismissed six years ago as a something not worth bothering with, has been given a second glance now that the issue has been exposed to a wider audience. The problem revolves around the pingback function being used as a means to map remote hosts, which can have problematic results for organizations using blogging platform.

Pingbacks are a way for a blog owner to see who is linking to their stories. Six years ago, it was discovered that the issue could be used to scan remote hosts (internal networks and those that are forward facing) by altering the pingback link.

This distributed scanning function, something that clearly wasn’t intended when pingbacks were implemented for the XMLRPC API, could lead to DDoS conditions in addition to information exposure.

The problem is that when the issue was first brought to WordPress’ attention, it was dismissed. “There are so many ways to orchestrate a DDOS, I don't know if this is worth bothering with,” commented WordPress developer Ryan Boren at the time. 

Now, a new tool has been released that automates the pingback vulnerability.

“WordPress exposes a so called Pingback API to link to other blog posts. Using this feature you can scan other hosts on the intra- or internet via this server. You can also use this feature for some kind of distributed port scanning: You can scan a single host using multiple WordPress Blogs exposing this API,” the tool’s instructions explain.

While organizations that host their own WordPress installations are at risk, the countless servers that are owned by hosting providers are also at risk, which can be elevated given that WordPress is often featured as a one-click install for many hosting account promotions, and millions of installations have been left abandoned.

“From the tests I've carried out, I've seen that WordPress is also supporting URLs with credentials,” explains Acunetix’s Bogdan Calin.

According to his notes, an attacker could use a URL like the one below to reconfigure the internal router.

http://admin:[email protected]/changeDNS.asp?newDNS=aaaa

“This can also be used for distributed DOS (Denial of Service) attacks. An attacker can contact a large number of blogs and ask them to pingback a target URL. All of these blogs will attack the target URL,” he adds.

Moreover, the pingback can be abused by attackers in order to guess hosts inside the internal network, i.e. URLs like http://subversion/; http://bugzilla /; or http://dev/ can be leveraged to see if these hosts exist in the internally.

Unfortunately, only a patch will resolve this issue as disabling the pingback function doesn’t work.

"These are known weaknesses with the pingback system and there are core WordPress.org developers working on counter-measures to harden against this type of abuse for future versions of WordPress," a spokesperson from WordPress (Automattic) told SecurityWeek via email.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.