Get Paid to Participate - up to $1 per post!     Twitter     Facebook     Google+
Hosting Discussion
 

Hosting Discussion > Web Hosting Forums > Website Development & Design > WordPress Vulnerability: DoS flaw could bring down your site
forgot password?



Reply


Old
  Post #1 (permalink)   02-05-2018, 02:12 PM
HD Wizard
 
easyhostmedia's Avatar
 
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,426
Send a message via MSN to easyhostmedia

Status: easyhostmedia is offline
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli research Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle, maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

see more at

https://goo.gl/kfcALs
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 


Old
  Post #2 (permalink)   02-05-2018, 02:19 PM
HD Master
 
Join Date: Apr 2015
Posts: 301

Status: Harv45 is offline
Quote:
Originally Posted by easyhostmedia View Post
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli research Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle, maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

see more at

https://goo.gl/kfcALs
So in short Wordpress don't care about security and therefore there is nothing anyone can do about it?
 
 
 


Old
  Post #3 (permalink)   02-05-2018, 02:28 PM
HD Wizard
 
easyhostmedia's Avatar
 
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,426
Send a message via MSN to easyhostmedia

Status: easyhostmedia is offline
Quote:
Originally Posted by Harv45 View Post
So in short Wordpress don't care about security and therefore there is nothing anyone can do about it?
Nothing has changed their, they have never cared about security in the past, but this time they have openly stated they wont patch this
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Harv45 (02-05-2018)


Old
  Post #4 (permalink)   02-05-2018, 02:54 PM
HD Master
 
Join Date: Apr 2015
Posts: 301

Status: Harv45 is offline
Quote:
Originally Posted by easyhostmedia View Post
Nothing has changed their, they have never cared about security in the past, but this time they have openly stated they wont patch this
Wow that's careless on whole another level for a software vendor do do just that.
 
 
 


Old
  Post #5 (permalink)   02-06-2018, 09:47 AM
HD Master
 
Join Date: Sep 2014
Location: India
Posts: 372
Send a message via Skype™ to 24x7server

Status: 24x7server is offline
Yea, unfortunately, that's the truth. :/

While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL
__________________
www.24x7servermanagement.com
Server Management, Server Security, Server Monitoring.
Network Monitoring Team !! Skype: techs24x7
 
 
 
The Following User Says Thank You to 24x7server For This Useful Post:
Harv45 (02-06-2018)


Old
  Post #6 (permalink)   02-06-2018, 09:54 AM
HD Master
 
Join Date: Apr 2015
Posts: 301

Status: Harv45 is offline
Quote:
Originally Posted by 24x7server View Post
Yea, unfortunately, that's the truth. :/

While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL
Yikes indeed!
 
 
 
The Following User Says Thank You to Harv45 For This Useful Post:
24x7server (02-07-2018)


Old
  Post #7 (permalink)   02-06-2018, 10:41 AM
HD Wizard
 
easyhostmedia's Avatar
 
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,426
Send a message via MSN to easyhostmedia

Status: easyhostmedia is offline
Look at e107 several years ago they have a vulnerability that could not only hack into installations, but allowed hackers into the full server the installs were on which they knew about and refused to patch for it. It took many of the sites using e107 to get hacked and taken down before they patched it, but like me many hosts still wont allow e107 installations on their servers
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 


Old
  Post #8 (permalink)   02-06-2018, 12:09 PM
HD Amateur
 
Join Date: Jan 2018
Location: India
Posts: 96
Send a message via Skype™ to webconfigure

Status: webconfigure is offline
The sad reality of the WordPress! Though there are number of security plugins, there are no new patch available which causes the very serious security issues.

That is why WordPress sites become the victim of hackers. :/
 
 
 


Old
  Post #9 (permalink)   02-06-2018, 03:14 PM
HD Wizard
 
easyhostmedia's Avatar
 
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,426
Send a message via MSN to easyhostmedia

Status: easyhostmedia is offline
Quote:
Originally Posted by webconfigure View Post
The sad reality of the WordPress! Though there are number of security plugins, there are no new patch available which causes the very serious security issues.

That is why WordPress sites become the victim of hackers. :/
it is a constant battle to get clients to upgrade to latest versions of any script (not just WP) as they dont understand the security implications.
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 


Old
  Post #10 (permalink)   02-06-2018, 03:27 PM
HD Master
 
Join Date: Apr 2015
Posts: 301

Status: Harv45 is offline
Quote:
Originally Posted by easyhostmedia View Post
it is a constant battle to get clients to upgrade to latest versions of any script (not just WP) as they dont understand the security implications.
That is why auto installers tend to have an auto update setting option on the admin as well as the client side.

That way that clients who just press install and think that it "all set" will actually get this. If you set it to auto update by default.

Other than that those who will "uncheck" it will likely know "hey updates are my problem now". Otherwise I would politely advise them to keep their installs up to date.

Now of course plugins/themes are still a "problem" but generally that is under the "okay if I install this then I need to keep this updated".
 
 
 


Old
  Post #11 (permalink)   02-06-2018, 04:52 PM
HD Wizard
 
easyhostmedia's Avatar
 
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,426
Send a message via MSN to easyhostmedia

Status: easyhostmedia is offline
Quote:
Originally Posted by Harv45 View Post
That is why auto installers tend to have an auto update setting option on the admin as well as the client side.

That way that clients who just press install and think that it "all set" will actually get this. If you set it to auto update by default.

Other than that those who will "uncheck" it will likely know "hey updates are my problem now". Otherwise I would politely advise them to keep their installs up to date.

Now of course plugins/themes are still a "problem" but generally that is under the "okay if I install this then I need to keep this updated".
sometimes the autoupdate does not work, i normally issue a mass emails of outdated scripts to inform members to update and if they dont after 7 days i will update all these scripts
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Harv45 (02-06-2018)


Old
  Post #12 (permalink)   02-06-2018, 04:56 PM
HD Master
 
Join Date: Apr 2015
Posts: 301

Status: Harv45 is offline
Quote:
Originally Posted by easyhostmedia View Post
sometimes the autoupdate does not work, i normally issue a mass emails of outdated scripts to inform members to update and if they dont after 7 days i will update all these scripts
I absolutely agrees that automated is and never will be "prefect". That is why no provider should just "set it and forget it".
 
 
 


Old
  Post #13 (permalink)   02-12-2018, 11:38 AM
HD Community Advisor
 
SenseiSteve's Avatar
 
Join Date: Mar 2009
Location: Saint Louis
Posts: 5,125

Status: SenseiSteve is offline
Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.
__________________
Hostirian - Saint Louis Data Center and Dedicated Servers Provider - (800) 615-9349
Colocation, Cloud Servers & Managed WordPress Solutions
Nearly 20 years of IT experience | SSAE-18 Certified, HIPAA Compliant
Insanely Fast PCIe NVMe Servers
 
 
 


Old
  Post #14 (permalink)   02-12-2018, 12:31 PM
HD Wizard
 
easyhostmedia's Avatar
 
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,426
Send a message via MSN to easyhostmedia

Status: easyhostmedia is offline
Quote:
Originally Posted by SenseiSteve View Post
Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.
https://w3techs.com/technologies/det...dpress/all/all

states

Quote:
WordPress is used by 60.1% of all the websites whose content management system we know. This is 29.6% of all websites.
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 
Reply

Thread Tools

New Post New Post   Old Post Old Post
Posting Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Sponsored By: