Hosting Discussion: Website Development & Design
WordPress Vulnerability: DoS flaw could bring down your site (https://www.hostingdiscussion.com/website-development-design/66318-wordpress-vulnerability-dos-flaw-could-bring-down-your-site.html)


easyhostmedia 02-05-2018 02:12 PM

WordPress Vulnerability: DoS flaw could bring down your site
 
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli researcher Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle, maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

see more at

https://goo.gl/kfcALs
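As an added illustration (not code from the thread, from the researcher or from WordPress), a small Python log check of the kind a host could run while no patch exists: it counts how many script handles each load-scripts.php request names in its load parameter and flags clients that repeatedly send oversized lists. The log lines and handle names are constructed, and the thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client IP first, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def load_count(request_target: str) -> int:
    """Number of script handles named in a load-scripts.php URL (0 if it is another script)."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/load-scripts.php"):
        return 0
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes load%5B%5D to load[]
    handles = []
    for key in ("load", "load[]"):
        for value in params.get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return len(handles)

def flag_suspicious(log_lines, max_handles=40, max_hits=3):
    """Return {ip: hits} for clients that sent more than max_hits requests to
    load-scripts.php, each naming more than max_handles scripts (thresholds assumed)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        if load_count(target) > max_handles:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n > max_hits}

# Constructed sample traffic (not real logs): one ordinary admin page load and a burst
# of oversized requests from a second client. Handle names are placeholders.
NORMAL = ('203.0.113.5 - - [05/Feb/2018:14:10:01 -0600] "GET /wp-admin/load-scripts.php'
          '?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2 HTTP/1.1" 200 121334')
OVERSIZED = ('198.51.100.7 - - [05/Feb/2018:14:10:0{n} -0600] "GET /wp-admin/load-scripts.php'
             '?c=1&load%5B%5D=' + ",".join(f"handle{i}" for i in range(150))
             + ' HTTP/1.1" 200 3931234')
SAMPLE_LOG = [NORMAL] + [OVERSIZED.format(n=i) for i in range(5)]

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))  # {'198.51.100.7': 5}
```

Flagged addresses can then be fed to whatever rate limiting or blocking the web server or firewall already provides.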

Harv45 02-05-2018 02:19 PM

Quote:

Originally Posted by easyhostmedia (Post 227706)
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli researcher Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle, maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

see more at

https://goo.gl/kfcALs

So in short, WordPress doesn't care about security, and therefore there is nothing anyone can do about it?

easyhostmedia 02-05-2018 02:28 PM

Quote:

Originally Posted by Harv45 (Post 227707)
So in short, WordPress doesn't care about security, and therefore there is nothing anyone can do about it?

Nothing has changed there; they have never cared about security in the past, but this time they have openly stated they won't patch this.

Harv45 02-05-2018 02:54 PM

Quote:

Originally Posted by easyhostmedia (Post 227708)
Nothing has changed there; they have never cared about security in the past, but this time they have openly stated they won't patch this.

Wow, that's careless on a whole other level for a software vendor to do just that. :uhh:

24x7server 02-06-2018 09:47 AM

Yea, unfortunately, that's the truth. :/

While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL

Harv45 02-06-2018 09:54 AM

Quote:

Originally Posted by 24x7server (Post 227725)
Yea, unfortunately, that's the truth. :/

While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL

Yikes indeed! :uhh:

easyhostmedia 02-06-2018 10:41 AM

Look at e107 several years ago: they had a vulnerability that not only allowed installations to be hacked, but allowed hackers into the full server the installs were on, which they knew about and refused to patch. It took many of the sites using e107 getting hacked and taken down before they patched it, but like me, many hosts still won't allow e107 installations on their servers.

webconfigure 02-06-2018 12:09 PM

The sad reality of WordPress! :( Though there are a number of security plugins, there is no new patch available, which causes very serious security issues.

That is why WordPress sites become the victim of hackers. :/

easyhostmedia 02-06-2018 03:14 PM

Quote:

Originally Posted by webconfigure (Post 227728)
The sad reality of WordPress! :( Though there are a number of security plugins, there is no new patch available, which causes very serious security issues.

That is why WordPress sites become the victim of hackers. :/

It is a constant battle to get clients to upgrade to the latest versions of any script (not just WP), as they don't understand the security implications.

Harv45 02-06-2018 03:27 PM

Quote:

Originally Posted by easyhostmedia (Post 227730)
It is a constant battle to get clients to upgrade to the latest versions of any script (not just WP), as they don't understand the security implications.

That is why auto installers tend to have an auto update setting option on the admin as well as the client side.

That way, clients who just press install and think that it's "all set" will actually get this, if you set it to auto update by default.

Other than that those who will "uncheck" it will likely know "hey updates are my problem now". Otherwise I would politely advise them to keep their installs up to date.

Now of course plugins/themes are still a "problem" but generally that is under the "okay if I install this then I need to keep this updated".

easyhostmedia 02-06-2018 04:52 PM

Quote:

Originally Posted by Harv45 (Post 227731)
That is why auto installers tend to have an auto update setting option on the admin as well as the client side.

That way, clients who just press install and think that it's "all set" will actually get this, if you set it to auto update by default.

Other than that those who will "uncheck" it will likely know "hey updates are my problem now". Otherwise I would politely advise them to keep their installs up to date.

Now of course plugins/themes are still a "problem" but generally that is under the "okay if I install this then I need to keep this updated".

Sometimes the autoupdate does not work. I normally issue a mass email of outdated scripts to inform members to update, and if they don't after 7 days I will update all these scripts.

Harv45 02-06-2018 04:56 PM

Quote:

Originally Posted by easyhostmedia (Post 227735)
Sometimes the autoupdate does not work. I normally issue a mass email of outdated scripts to inform members to update, and if they don't after 7 days I will update all these scripts.

I absolutely agree that automation is not and never will be "perfect". That is why no provider should just "set it and forget it". :)

SenseiSteve 02-12-2018 11:38 AM

Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.

easyhostmedia 02-12-2018 12:31 PM

Quote:

Originally Posted by SenseiSteve (Post 227836)
Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.

https://w3techs.com/technologies/det...dpress/all/all

states

Quote:

WordPress is used by 60.1% of all the websites whose content management system we know. This is 29.6% of all websites.

