
Wordpress Wordpress DOS Attack Flaw Security CVE-2018-6389

Discussion in 'Blogs & CMS usage' started by eva2000, Feb 11, 2018.

  1. eva2000

    Heads up, a WordPress DoS attack flaw was reported, CVE-2018-6389. WordPress doesn't consider this a bug, as they said the mitigation should be done at server level and not at the WordPress application level. FYI, Centmin Mod 123.09beta01 was updated ~20 minutes ago so that all WordPress instances auto-installed via centmin.sh menu option 22 from now on also have the added Step 1 and Step 2 workarounds out of the box :)

    CVE-2018-6389 Details


    Workaround fixes for Wordpress CVE-2018-6389



    Some steps can be taken.

    Step 1. Disable Wordpress script concatenation of admin scripts by adding to wp-config.php

    Code (Text):
    define('CONCATENATE_SCRIPTS', false);
    


    Step 2. If you used centmin.sh menu option 22 to auto install WordPress, you would already have had additional security to rate limit requests to wp-login.php and xmlrpc.php at the nginx level.


    Your nginx vhost config file at domain.com.conf and/or domain.com.ssl.conf would have lines like
    Code (Text):
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/$vhostname/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    

    You would add 2 more location contexts below the existing ones to rate limit /wp-admin/load-scripts.php and /wp-admin/load-styles.php requests, so it will look something like
    Code (Text):
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/$vhostname/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    

    Save and restart the nginx server:
    Code (Text):
    ngxrestart
    


    Example of rate-limited requests to /wp-admin/load-styles.php using the Siege benchmark tool, with 30 concurrent users making 3 requests each. The 503 HTTP status (Service Unavailable) shows that rate limiting is working:

    Code (Text):
    siege -b -c30 -r3 "http://domain.com/wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4"
    ** SIEGE 4.0.4
    ** Preparing 30 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 503     0.15 secs:     206 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 503     0.15 secs:     206 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 503     0.15 secs:     206 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 200     0.22 secs:   36053 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 503     0.14 secs:     206 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 503     0.14 secs:     206 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 200     0.23 secs:   36053 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 503     0.14 secs:     206 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    HTTP/1.1 200     0.22 secs:   36053 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4
    
    Transactions:                     12 hits
    Availability:                  13.33 %
    Elapsed time:                   0.62 secs
    Data transferred:               0.43 MB
    Response time:                  1.21 secs
    Transaction rate:              19.35 trans/sec
    Throughput:                     0.69 MB/sec
    Concurrency:                   23.45
    Successful transactions:          12
    Failed transactions:              78
    Longest transaction:            0.25
    Shortest transaction:           0.14
    
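As an added example (not from the original post or from Centmin Mod), a small Python script that reads nginx access log lines in the combined format, keeps only requests to the two endpoints the extra location blocks above rate limit, and reports per client how many requests were seen, how many nginx refused with 503, and the largest load[] bundle requested. The log lines are constructed for the demonstration and the 10-request threshold in suspicious_clients is an assumed value to tune to your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# The two endpoints the extra nginx location blocks above rate limit.
ENDPOINTS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

def parse_line(line):
    """Return (ip, path, handles, status), or None for any other request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in ENDPOINTS:
        return None
    # load[] is sent percent-encoded as load%5B%5D; parse_qs decodes the key.
    handles = parse_qs(parts.query).get("load[]", [""])[0].split(",")
    return m.group("ip"), parts.path, [h for h in handles if h], int(m.group("status"))

def summarize(log_text):
    """Per client: requests seen, how many nginx refused with 503, largest bundle."""
    stats = defaultdict(lambda: {"requests": 0, "limited": 0, "max_handles": 0})
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        ip, _path, handles, status = parsed
        stats[ip]["requests"] += 1
        stats[ip]["limited"] += status == 503
        stats[ip]["max_handles"] = max(stats[ip]["max_handles"], len(handles))
    return dict(stats)

def suspicious_clients(stats, min_requests=10):
    """Clients at or over the request threshold (10 is an assumed, tunable value)."""
    return sorted(ip for ip, s in stats.items() if s["requests"] >= min_requests)

def _line(ip, path, handles, status):
    # Constructed combined-format log line; not captured from a real server.
    return (f'{ip} - - [11/Feb/2018:10:00:01 +1000] "GET {path}?c=0&dir=ltr&load%5B%5D='
            f'{",".join(handles)}&ver=4.9.4 HTTP/1.1" {status} 206 "-" "siege/4.0.4"')

# Constructed sample: one client hit by limit_req (mostly 503s), one normal visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", ENDPOINTS[1], ["dashicons", "buttons", "forms", "l10n", "login"],
           503 if i % 4 else 200) for i in range(12)]
    + [_line("198.51.100.2", ENDPOINTS[0], ["jquery", "utils"], 200),
       '198.51.100.2 - - [11/Feb/2018:10:00:02 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"'])
```

Run it against the real access log with `summarize(open("/path/to/access.log").read())`; a client with many requests but few 503s is a sign the limit_req zone is not catching that traffic.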
     
  2. rdan

    But this will be overwritten after WP Updates?
     
  3. eva2000

    WP updates don't touch wp-config.php usually :)
     
  4. rdan

    But on your post you said wp-login.php? :unsure:
     
  5. eva2000

    whoops typo :p:oops::D