Related vulnerability
Title:
WordPress security vulnerability
(CVE-2018-6389)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It lets users set up personal blog sites on servers running PHP and MySQL. A security vulnerability exists in WordPress 4.9.2 and earlier. An attacker can exploit it by crafting requests that use a large list of registered .js files to load those files many times, causing a denial of service (resource consumption).
Description
Mitigate CVE-2018-6389 WordPress load-scripts / load-styles attacks
Introduction
# trellis-cve-2018-6389
Mitigate [CVE-2018-6389](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html) WordPress load-scripts / load-styles attacks.
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
- [Goal](#goal)
- [Why?](#why)
- [Mitigation](#mitigation)
- [Why Not?](#why-not)
- [Requirements](#requirements)
- [Installation](#installation)
  - [Trellis](#trellis)
  - [WordPress](#wordpress)
- [FAQs](#faqs)
  - [Can I use this on managed hosting?](#can-i-use-this-on-managed-hosting)
  - [It looks awesome. Where can I find some more goodies like this?](#it-looks-awesome-where-can-i-find-some-more-goodies-like-this)
  - [This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?](#this-isnt-on-wporg-where-can-i-give-a-%EF%B8%8F%EF%B8%8F%EF%B8%8F%EF%B8%8F%EF%B8%8F-review)
- [Alternatives](#alternatives)
- [Testing](#testing)
  - [Syntax Check](#syntax-check)
- [Author Information](#author-information)
- [Feedback](#feedback)
- [Change log](#change-log)
- [License](#license)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
## Goal
Have Nginx deny all requests to `wp-admin/load-scripts.php` and `wp-admin/load-styles.php` before they reach PHP.
## Why?
- [How to DoS 29% of the World Wide Websites - CVE-2018-6389](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html)
**TL;DR**
> it [WordPress] will use load-scripts.php (for JS) or load-styles.php (for CSS files) and the browser will get multiple JS/CSS files through a single request- so performance-wise it is better to do so and the page will load faster. This feature was designed only for the admin pages, but is also used on the wp-login.php page, so no authentication is enforced on these files.
>
> -- [How to DoS 29% of the World Wide Websites - CVE-2018-6389](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html)
```
# for example
https://example.com/wp/wp-admin/load-scripts.php?c=1&load[]=jquery-ui-core,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check
# same goes to https://example.com/wp/wp-admin/load-styles.php
```
A single request (no authentication required) could cause the server to perform >180 IO reads and concatenate all the files into a >4MB response. For small servers without proper firewalls and rate-limiting, this is enough to perform DoS attacks.
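An added example, not part of this project or its README: a small Python detector that scans Nginx access-log lines (constructed below, in the default "combined" format) for `load-scripts.php` / `load-styles.php` requests and flags those asking for an unusually long `load[]` handle list. The log format, the sample lines and the threshold of 10 handles are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx's default "combined" log format (not real traffic);
# the third line carries the same long load[] list the README shows above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2018:12:00:01 +0000] "GET /wp/wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:12:00:02 +0000] "GET /wp/wp-admin/load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils HTTP/1.1" 200 95120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2018:12:00:03 +0000] "GET /wp/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check HTTP/1.1" 200 4312001 "-" "curl/7.58.0"
"""

# client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# Both unauthenticated loaders, whether or not WordPress lives in a /wp subdirectory.
LOADER_RE = re.compile(r'/wp-admin/load-(scripts|styles)\.php$')


def count_handles(target):
    """Number of handles requested via load[] in a request target, or None if not a loader."""
    parts = urlsplit(target)
    if not LOADER_RE.search(parts.path):
        return None
    # parse_qs percent-decodes keys, so load%5B%5D and load[] both land on 'load[]'.
    values = parse_qs(parts.query).get('load[]', [])
    return sum(1 for value in values for h in value.split(',') if h)


def parse_line(line):
    """Return a record for a loader request, or None for any other line."""
    m = LOG_RE.match(line)
    handles = count_handles(m.group('target')) if m else None
    if handles is None:
        return None
    sent = m.group('bytes')
    return {'ip': m.group('ip'), 'handles': handles,
            'status': int(m.group('status')), 'bytes': 0 if sent == '-' else int(sent)}


def find_suspicious(log_text, max_handles=10):
    """Group loader requests asking for more than max_handles handles by client IP.
    A 200 with a multi-megabyte body means the request was served in full, not denied by Nginx."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['handles'] > max_handles:
            hits[rec['ip']].append(rec)
    return dict(hits)
```

Once the Nginx deny rule from this role is in place, the same scan should show only non-200 statuses with small byte counts for these paths.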
## Mitigation
> 1. You should really use HTTPS. If you don’t, you shouldn’t have a web site in the first place.
> 2. When you use HTTPS, there’s no reason to not use HTTP/2.
> 3. With HTTP/2, there’s no need to concatenate your files. It is actually an anti-pattern.
>
> -- [How to mitigate CVE-2018-6389 – the load-scripts.php DoS "attack" in WordPress](https://bjornjohansen.no/load-scripts-php)
- Tell WordPress not to concatenate JS and CSS files
- Deny all requests to `load-scripts.php` and `load-styles.php`
## Why Not?
- [All the comments from otto4242 in this reddit thread](https://www.reddit.com/r/Wordpress/comments/7vedxb/cve20186389_dos_flaw_in_wordpress_sites/)
- [wfalaa's (Wordfence author) comments in this wp.org thread](https://wordpress.org/support/topic/does-wordfence-patch-dos-issue-cve-2018-6389-automatically/#post-9947825)
## Requirements
- Trellis [17c26fc](https://github.com/roots/trellis/commit/17c26fc9eb5fe0d427195124e8adc91a73380503) or later
- Ansible v2.6 or later
## Installation
### Trellis
Add this role to `requirements.yml`:
```yaml
# requirements.yml
- src: https://github.com/ItinerisLtd/trellis-cve-2018-6389
  version: 0.1.0 # Check for latest version!
```
Run the command:
```bash
➜ ansible-galaxy install -r requirements.yml --force
```
Add the role into `dev.yml` and `server.yml`, immediately after `role: wordpress-setup`:
```yaml
roles:
# some other Trellis roles ...
- { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
- { role: trellis-cve-2018-6389, tags: [nginx, wordpress, wordpress-setup] }
# some other Trellis roles ...
```
Then, re-provision as usual:
```bash
# https://roots.io/trellis/docs/local-development-setup/
➜ vagrant reload --provision
# https://roots.io/trellis/docs/remote-server-setup/
➜ ansible-playbook server.yml -e env=<environment>
```
### WordPress
Disable concatenation:
```php
# config/application.php OR wp-config.php OR equivalent
# normal OR outdated Bedrock:
define('CONCATENATE_SCRIPTS', false);
# Bedrock with roots/wp-config:
Config::define('CONCATENATE_SCRIPTS', false);
```
Then, deploy as usual:
```bash
# https://roots.io/trellis/docs/deploys/
➜ ./bin/deploy.sh <environment> <domain>
# or alternatively
➜ ansible-playbook deploy.yml -e "site=<domain> env=<environment>"
```
## FAQs
### Can I use this on managed hosting?
No, you can't use this on managed hosting such as [Kinsta](http://bit.ly/kinsta-com) or [WP Engine](https://typist.tech/go/wp-engine).
It's the hosting company's job to mitigate this kind of attack.
### It looks awesome. Where can I find some more goodies like this?
- Articles on [Itineris' blog](https://www.itineris.co.uk/blog/)
- More projects on [Itineris' GitHub profile](https://github.com/itinerisltd)
- Follow [@itineris_ltd](https://twitter.com/itineris_ltd) and [@TangRufus](https://twitter.com/tangrufus) on Twitter
- Hire [Itineris](https://www.itineris.co.uk/services/) to build your next awesome site
### This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?
Thanks! Glad you like it. It's important that my boss knows somebody is using this project. Instead of giving reviews on wp.org, consider:
- tweeting something nice and mentioning [@itineris_ltd](https://twitter.com/itineris_ltd)
- starring this GitHub repo
- watching this GitHub repo
- write blog posts
- submit pull requests
- [hire Itineris](https://www.itineris.co.uk/services/)
## Alternatives
- [How to mitigate CVE-2018-6389 – the load-scripts.php DoS "attack" in WordPress](https://bjornjohansen.no/load-scripts-php)
## Testing
### Syntax Check
```bash
➜ ansible-playbook -i 'localhost,' --syntax-check tests/test.yml
```
## Author Information
[trellis-cve-2018-6389](https://github.com/ItinerisLtd/trellis-cve-2018-6389) is an [Itineris Limited](https://www.itineris.co.uk/) project created by [Tang Rufus](https://typist.tech).
Special thanks to [the Roots team](https://roots.io/about/), whose [Trellis](https://github.com/roots/trellis) makes this project possible.
Full list of contributors can be found [here](https://github.com/ItinerisLtd/trellis-cve-2018-6389/graphs/contributors).
## Feedback
**Please provide feedback!** We want to make this library useful in as many projects as possible.
Please submit an [issue](https://github.com/ItinerisLtd/trellis-cve-2018-6389/issues/new) and point out what you do and don't like, or fork the project and make suggestions.
**No issue is too small.**
## Change log
Please see [CHANGELOG](./CHANGELOG.md) for more information on what has changed recently.
## License
[trellis-cve-2018-6389](https://github.com/ItinerisLtd/trellis-cve-2018-6389) is released under the [MIT License](https://opensource.org/licenses/MIT).
File snapshot
[4.0K] /data/pocs/da6de74c46d73afc38c82196bf2584d16fe90081
├── [ 153] CHANGELOG.md
├── [4.0K] defaults
│ └── [ 65] main.yml
├── [1.0K] LICENSE
├── [4.0K] meta
│ └── [ 332] main.yml
├── [7.6K] README.md
├── [4.0K] tasks
│ └── [ 421] main.yml
├── [4.0K] templates
│ └── [ 172] cve-2018-6389.conf.j2
└── [4.0K] tests
└── [ 60] test.yml
5 directories, 8 files
Notes
1. Access via the original source is recommended.
2. If the source has gone offline or is unreachable, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.