
A simple solution to WordPress DoS Vulnerability (CVE-2018-6389)
Today I came across an article written by Mohit Kumar (TheHackerNews.com) regarding the WordPress vulnerability CVE-2018-6389.
You can read the article at the link above, but for brevity I’ll give a short explanation of the vulnerability below.
WordPress has a file called “load-scripts.php” which accepts a “load” parameter. You can pass a whole bunch of script names to this parameter and the file will concatenate the corresponding JavaScript files and return them as a single response. This helps to improve performance on WordPress sites, especially in the admin area once you are logged in.
To let “load-scripts.php” work on the login page (before you are logged in), the developers did not add any authentication or other means of protection to the file.
As a result, anyone can easily send a whole bunch of requests to that file and break a website.
Solutions
There are a couple of solutions one could apply, but the best solutions are ones that don’t require you to edit any of the core WordPress files, as those changes will be lost upon update.
Konrad Fedorczyk also wrote about the vulnerability and proposed the following solution:
# Reject requests for load-scripts.php whose query string is 1000 characters or longer
RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]
What he does above is to limit the length of the query string that may be passed to “load-scripts.php”. This should work for most use cases, but I was not entirely satisfied with this approach: if I wanted to concatenate more scripts than the rewrite condition allows, I would not be able to. The other issue is that this does not really prevent malicious use of the file; it simply limits the number of scripts that can be requested at once.
I opted not to limit the request length, but rather to limit the request source.
# Reject requests for load-scripts.php whose Referer header does not contain your own domain
RewriteCond %{HTTP_REFERER} !yourdomain\.co\.za [NC]
RewriteCond %{THE_REQUEST} \.php[\ /?].*HTTP/ [NC]
RewriteRule ^wp-admin/load-scripts\.php$ - [R=403,L]
The above rewrite rules return a 403 “Forbidden” error if the request’s Referer header does not contain your domain. This way you are not limited in how many scripts you may concatenate, and you can also rest assured that no unintended behaviour will occur because of a limited request length.
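As an added example that is not part of the original post, the Python model below evaluates both rewrite rules against constructed requests (the placeholder domain and the script handle names are assumptions) so their trade-offs can be compared side by side. It shows that the length rule rejects a long but legitimate concatenation, while the Referer rule rejects a browser that sends no Referer at all and cannot distinguish a client that sets a Referer from a real browser, because that header is supplied by the client.

```python
import re
from dataclasses import dataclass
from typing import Optional

SITE_DOMAIN = r"yourdomain\.co\.za"       # placeholder from the post; use the real site
LOAD_SCRIPTS = "/wp-admin/load-scripts.php"

@dataclass
class Request:
    """The request fields the two .htaccess rules inspect (constructed for this example)."""
    query: str                     # %{QUERY_STRING}
    referer: Optional[str] = None  # %{HTTP_REFERER}; None = header absent (empty in Apache)
    path: str = LOAD_SCRIPTS

    @property
    def request_line(self) -> str:  # %{THE_REQUEST}
        return f"GET {self.path}?{self.query} HTTP/1.1"

def blocked_by_length_rule(req: Request) -> bool:
    """Konrad Fedorczyk's rule: 403 when the query string is 1000+ characters."""
    return req.path == LOAD_SCRIPTS and re.fullmatch(r".{1000,}", req.query) is not None

def blocked_by_referer_rule(req: Request) -> bool:
    """The post's rule: 403 when the Referer does not contain the site's domain.
    An absent header is an empty string in Apache, so it fails the match and is blocked."""
    if req.path != LOAD_SCRIPTS:
        return False
    referer_matches = re.search(SITE_DOMAIN, req.referer or "", re.IGNORECASE) is not None
    is_php_request = re.search(r"\.php[ /?].*HTTP/", req.request_line, re.IGNORECASE) is not None
    return (not referer_matches) and is_php_request

def handles(n: int) -> str:
    """Constructed query string requesting n script handles, shaped like a load-scripts.php URL."""
    return "c=1&load%5B%5D=" + ",".join(f"handle-{i}" for i in range(n)) + "&ver=4.9"

def evaluate(req: Request) -> dict:
    """True means the rule would return 403 for this request."""
    return {"length_rule": blocked_by_length_rule(req), "referer_rule": blocked_by_referer_rule(req)}

SAMPLES = {
    # Normal browser on the login page: short list, Referer set by the browser.
    "login_page_browser": Request(handles(10), "https://yourdomain.co.za/wp-login.php"),
    # Legitimate admin page that genuinely concatenates many scripts (query over 1000 chars).
    "long_legitimate_load": Request(handles(120), "https://yourdomain.co.za/wp-admin/"),
    # Browser sending no Referer (e.g. Referrer-Policy: no-referrer): false positive for the Referer rule.
    "no_referer_browser": Request(handles(10)),
    # Flood traffic from a client that sends no Referer.
    "flood_no_referer": Request(handles(120)),
    # Flood traffic that sets a Referer: indistinguishable from a real browser under the Referer rule.
    "flood_with_referer": Request(handles(120), "https://yourdomain.co.za/"),
}

def run_samples() -> dict:
    return {name: evaluate(req) for name, req in SAMPLES.items()}
```

Combining both rules, or adding a rate limit on the file, covers more of these cases than either rule alone.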