Plugin to stop wp-trackback DOS attack

> Hi All,
> There have been several reports this morning of a DOS attack affecting
> the WordPress wp-trackback.php file.
>
>     * [original post] http://www.stevefortuna.com/new-0-day-wordpress-exploit/
>     * http://jarraltech.com/2009/10/new-0-day-wordpress-exploit/
>     * http://www.hashbangcode.com/blog/wordpress-dos-attack-script-solution-2135.html
>
> All the the solutions have been the same thus far and require editing
> your .htaccess file or the wp-trackback.php file.
>
> FullThrottle has composed this quick plugin that accomplishes the same
> thing as the edit to the wp-trackback.php file.
>
> We will update this post and our code if further insight into the
> attack deems it necessary.
> We'd greatly appreciate any feedback this list has as well.
>
> You can download the plugin to test here:
> http://fullthrottledevelopment.com/wordpress-plugin-to-stop-trackback-dos-attacks
>
> or place the following in your theme's functions.php file:
>
> function ft_stop_trackback_dos_attacks(){
> global $pagenow;
> if ( 'wp-trackback.php' == $pagenow ){
> // DoS attack fix.
> if ( isset($_POST['charset']) ){
> $charset = $_POST['charset'];
> if ( strlen($charset) > 50 ) {  die; }
> }
> }
> }
> add_action('init','ft_stop_trackback_dos_attacks');
>
> Thanks,
> Glenn Ansley
> http://fullthrottledevelopment.com
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>  

> Thanks for the quick work on this Glenn. Looks like we can be expecting
> a 2.8.5 soon.
>
> Chris Jean
> http://gaarai.com/
> @chrisjean
>
>
>
> Glenn Ansley wrote:
> > Hi All,
> > There have been several reports this morning of a DOS attack affecting
> > the WordPress wp-trackback.php file.
> >
> >     * [original post]
> http://www.stevefortuna.com/new-0-day-wordpress-exploit/
> >     * http://jarraltech.com/2009/10/new-0-day-wordpress-exploit/
> >     *
> http://www.hashbangcode.com/blog/wordpress-dos-attack-script-solution-2135.html
> >
> > All the the solutions have been the same thus far and require editing
> > your .htaccess file or the wp-trackback.php file.
> >
> > FullThrottle has composed this quick plugin that accomplishes the same
> > thing as the edit to the wp-trackback.php file.
> >
> > We will update this post and our code if further insight into the
> > attack deems it necessary.
> > We'd greatly appreciate any feedback this list has as well.
> >
> > You can download the plugin to test here:
> >
> http://fullthrottledevelopment.com/wordpress-plugin-to-stop-trackback-dos-attacks
> >
> > or place the following in your theme's functions.php file:
> >
> > function ft_stop_trackback_dos_attacks(){
> >       global $pagenow;
> >       if ( 'wp-trackback.php' == $pagenow ){
> >               // DoS attack fix.
> >               if ( isset($_POST['charset']) ){
> >                       $charset = $_POST['charset'];
> >                       if ( strlen($charset) > 50 ) {  die; }
> >               }
> >       }
> > }
> > add_action('init','ft_stop_trackback_dos_attacks');
> >
> > Thanks,
> > Glenn Ansley
> > http://fullthrottledevelopment.com
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers@...
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

>
>Glenn Ansley wrote:
>>  Hi All,
>>  There have been several reports this morning of a DOS attack affecting
>>  the WordPress wp-trackback.php file.
>>
>  >     * [original post]
>http://www.stevefortuna.com/new-0-day-wordpress-exploit/
>  >     *
>http://www.hashbangcode.com/blog/wordpress-dos-attack-script-solution-2135.html
>>
>>  All the the solutions have been the same thus far and require editing
>>  your .htaccess file or the wp-trackback.php file.
>>
>>  FullThrottle has composed this quick plugin that accomplishes the same
>>  thing as the edit to the wp-trackback.php file.
>>
>>  We will update this post and our code if further insight into the
>>  attack deems it necessary.
>>  We'd greatly appreciate any feedback this list has as well.
>>
>>  You can download the plugin to test here:
>>
>>http://fullthrottledevelopment.com/wordpress-plugin-to-stop-trackback-dos-attacks
>>
>>  or place the following in your theme's functions.php file:
>>
>>  function ft_stop_trackback_dos_attacks(){
>> global $pagenow;
>> if ( 'wp-trackback.php' == $pagenow ){
>> // DoS attack fix.
>> if ( isset($_POST['charset']) ){
>> $charset = $_POST['charset'];
>> if ( strlen($charset) > 50 ) {  die; }
>> }
>> }
>>  }
>>  add_action('init','ft_stop_trackback_dos_attacks');
>>
>>  Thanks,
>>  Glenn Ansley
>  > http://fullthrottledevelopment.com

> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>
> This should fix the new 0-day exploit.
>
> Lynne
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

> It fixes the exploit in particular, but not the underlying issue. A
> trivial change to the exploit can still trigger it. To fix the problem
> itself, there needs to be an additional change.
>
>
> Make this:
>
> if ($charset)
>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
> else
>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>
>
> into this:
>
> if ($charset && is_string($charset))
>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
> else
>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>
>
> That will correct another vector for the same attack.
>
> -Otto
>
>
>
> On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope@...> wrote:
>> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>>
>> This should fix the new 0-day exploit.
>>
>> Lynne
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers@...
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

> Hi Otto,
>
> Thats the same i think after i see the patch by ryan...
> But after a more closer look i see that strtoupper() and trim()
> actually workaround/fix that issue when charset is and a array of
> charsets.
>
> A simple test script made to prove this point...
> $charset = array('UTF-8','UTF-8','UTF-8');
> $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
> var_dump($charset);
>
> And this script will just output the next text...
> string(5) "ARRAY"
>
> So as you can see, trim takes the array of charset (that in theory if
> happens to reach mb_convert_encoding as and array of charsets it will
> still be vulnerable to the dos attack) and work with it as and a
> string, in case that trim fails, strtoupper will also do the same and
> therefore it will convert the array() into a the string "array".
> More than be exploitable is just plain bug (with no exploitable issue)
> which as you say should be fixed with the proposed patch...
>
> Regards
>
> 2009/10/21 Otto <otto@...>:
>> It fixes the exploit in particular, but not the underlying issue. A
>> trivial change to the exploit can still trigger it. To fix the problem
>> itself, there needs to be an additional change.
>>
>>
>> Make this:
>>
>> if ($charset)
>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>> else
>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>
>>
>> into this:
>>
>> if ($charset && is_string($charset))
>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>> else
>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>
>>
>> That will correct another vector for the same attack.
>>
>> -Otto
>>
>>
>>
>> On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope@...> wrote:
>>> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>>>
>>> This should fix the new 0-day exploit.
>>>
>>> Lynne
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers@...
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers@...
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
>
>
> --
> /**
> CONFIDENTIALITY NOTICE: This message is intended to be viewed only by
> the listed recipient(s).
> It may contain information that is privileged, confidential and/or
> exempt from disclosure under applicable law.
> Any dissemination, distribution or copying of this message is strictly
> prohibited without our prior written permission.
> If you are not an intended recipient, or if you have received this
> communication in error, please notify us immediately by return e-mail
> and permanently remove the original message and any copies from your
> computer and all back-up systems.
> */
> _________________________
>             g30rg3_x
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

> Hmm... While the trim does eliminate the issue, it seems to be
> dependent upon which version of PHP you're using. When I tried it with
> 5.3, I get a null back instead of "array". It is conceivable (though
> it would take a lot of testing) that some particular version of PHP,
> or combination of extensions, could make a site vulnerable.
>
> Essentially, it depends the behavior of trim. I has assumed that
> passing trim an array would cause a warning (it does), and then
> continue at the next code segment. In your case, it converts to the
> string "array". In mine, I get a null value from it. However in both
> cases, the $charset does get overwritten with that value.
>
> Still, I don't think it's a great idea to rely on undocumented
> behavior to prevent the issue here, but I do agree that it is not a
> pressing problem.
>
> -Otto
>
>
>
> On Wed, Oct 21, 2009 at 10:26 AM, g30rg3_x <g30rg3x@...> wrote:
>> Hi Otto,
>>
>> Thats the same i think after i see the patch by ryan...
>> But after a more closer look i see that strtoupper() and trim()
>> actually workaround/fix that issue when charset is and a array of
>> charsets.
>>
>> A simple test script made to prove this point...
>> $charset = array('UTF-8','UTF-8','UTF-8');
>> $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>> var_dump($charset);
>>
>> And this script will just output the next text...
>> string(5) "ARRAY"
>>
>> So as you can see, trim takes the array of charset (that in theory if
>> happens to reach mb_convert_encoding as and array of charsets it will
>> still be vulnerable to the dos attack) and work with it as and a
>> string, in case that trim fails, strtoupper will also do the same and
>> therefore it will convert the array() into a the string "array".
>> More than be exploitable is just plain bug (with no exploitable issue)
>> which as you say should be fixed with the proposed patch...
>>
>> Regards
>>
>> 2009/10/21 Otto <otto@...>:
>>> It fixes the exploit in particular, but not the underlying issue. A
>>> trivial change to the exploit can still trigger it. To fix the problem
>>> itself, there needs to be an additional change.
>>>
>>>
>>> Make this:
>>>
>>> if ($charset)
>>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>>> else
>>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>>
>>>
>>> into this:
>>>
>>> if ($charset && is_string($charset))
>>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>>> else
>>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>>
>>>
>>> That will correct another vector for the same attack.
>>>
>>> -Otto
>>>
>>>
>>>
>>> On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope@...> wrote:
>>>> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>>>>
>>>> This should fix the new 0-day exploit.
>>>>
>>>> Lynne
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers@...
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers@...
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>
>>
>>
>> --
>> /**
>> CONFIDENTIALITY NOTICE: This message is intended to be viewed only by
>> the listed recipient(s).
>> It may contain information that is privileged, confidential and/or
>> exempt from disclosure under applicable law.
>> Any dissemination, distribution or copying of this message is strictly
>> prohibited without our prior written permission.
>> If you are not an intended recipient, or if you have received this
>> communication in error, please notify us immediately by return e-mail
>> and permanently remove the original message and any copies from your
>> computer and all back-up systems.
>> */
>> _________________________
>>             g30rg3_x
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers@...
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>