Closed
Bug 1375174
Opened 8 years ago
Closed 8 years ago
XMLRPC-Brute-Force vulnerability in blog.Mozilla.org
Categories: Infrastructure & Operations :: Blogs, task
Tracking: (Not tracked)
Status: RESOLVED DUPLICATE of bug 1050193
People
(Reporter: ashiksn369, Assigned: danielh, NeedInfo)
Details
Attachments (1 file): 73.59 KB, image/jpeg
User Agent: Mozilla/5.0 (Linux; Android 5.0.2; ASUS_Z010D Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.132 Mobile Safari/537.36
Steps to reproduce:
I have found a critical XMLRPC Bruteforce vulnerability in blog.Mozilla.org. I have found that it is built in WordPress. Also it uses xmlrpc. With the help of a Python script, this vulnerability can be exploited and the password can be easily bruteforced. The GitHub repository link of the script is given below: https://github.com/1N3/Wordpress-XMLRPC-Brute-Force-Exploit
Usage: ./wordpress-xmlrpc-brute.py http://blog.Mozilla.org/xmlrpc.php passwords.txt username
Actual results:
This is an exploit for Wordpress xmlrpc.php System Multicall function affecting the most current version of Wordpress (3.5.1). The exploit works by sending 1,000+ auth attempts per request to xmlrpc.php in order to "brute force" valid Wordpress users and will iterate through whole wordlists until a valid user response is acquired. It will then selectively acquire and display the valid username and password to login.
Expected results:
The password can be bruteforced
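Added here as a defensive illustration, not code from the report, the linked script, or WordPress: a check that parses an XML-RPC body and counts how many credential-bearing calls one system.multicall request carries, so a reverse proxy or WAF in front of xmlrpc.php can reject batched login attempts. The method list and the one-attempt-per-request limit are assumptions, and the sample bodies are constructed.

```python
"""Defensive check for the system.multicall batching described above: count the
credential-bearing calls in one XML-RPC body so a reverse proxy or WAF can reject
batched login attempts before xmlrpc.php sees them.  Sample bodies are constructed."""
import xml.etree.ElementTree as ET

# WordPress methods whose first two params are a username and password (assumed list).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getUsers", "wp.getProfile"}
MAX_AUTH_CALLS_PER_REQUEST = 1  # assumed policy: one login attempt per request

def _text(value):
    s = value.find("string")  # <value> may or may not wrap its text in <string>
    return ((s.text if s is not None else value.text) or "").strip()

def xmlrpc_methods(body: bytes):
    """Return (top-level method, [inner method names if it is a system.multicall])."""
    root = ET.fromstring(body)
    top = (root.findtext("methodName") or "").strip()
    inner = []
    if top == "system.multicall":
        for call in root.findall("params/param/value/array/data/value/struct"):
            for member in call.findall("member"):
                if (member.findtext("name") or "").strip() == "methodName":
                    inner.append(_text(member.find("value")))
    return top, inner

def auth_attempts(body: bytes) -> int:
    """Number of authentication attempts a single request would trigger."""
    top, inner = xmlrpc_methods(body)
    if top == "system.multicall":
        return sum(1 for m in inner if m in AUTH_METHODS)
    return 1 if top in AUTH_METHODS else 0

def should_block(body: bytes) -> bool:
    """Reject a request that batches more auth attempts than policy allows."""
    return auth_attempts(body) > MAX_AUTH_CALLS_PER_REQUEST

def _call(method, *params):  # builds one inner multicall entry for the samples
    return ("<value><struct><member><name>methodName</name><value><string>%s</string>"
            "</value></member><member><name>params</name><value><array><data>%s</data>"
            "</array></value></member></struct></value>"
            % (method, "".join("<value>%s</value>" % p for p in params)))

# Constructed samples: a batch of two guesses for one account, and a normal single call.
SAMPLE_MULTICALL = ("<methodCall><methodName>system.multicall</methodName><params><param>"
                    "<value><array><data>" + _call("wp.getUsersBlogs", "admin", "guess1")
                    + _call("wp.getUsersBlogs", "admin", "guess2")
                    + "</data></array></value></param></params></methodCall>").encode()
SAMPLE_SINGLE = (b"<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
                 b"<param><value>admin</value></param><param><value>pw</value></param>"
                 b"</params></methodCall>")
```

A plain wp.getUsersBlogs call still counts as one attempt, so this only removes the batching amplification; per-source rate limiting on xmlrpc.php, or disabling XML-RPC where it is unused, covers the rest.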
Updated•8 years ago
Component: Other → WebOps: Blogs
Product: Websites → Infrastructure & Operations
Is my bug report valid? I haven't received a reply from Bugzilla yet.
Updated•8 years ago
Group: websites-security
Comment 2•8 years ago
This is a known issue, which has been raised in multiple reports and we have raised with WPEngine. WPEngine claims to have built-in protections for the XMLRPC issues described above, so unless an actual account has been brute-forced, I would recommend a won't fix for this one.
Comment 3•8 years ago
Thank you for the prompt response, Jonathan. Assuming this bug is the same one described in CVE-2013-0235, it is scoped to versions 3.5.1 and earlier, which we are not running today.
ashiksn, I wanted to send you an apology and let you know that we do value reports like this. My team was not actively monitoring the queue that this was reported to which allowed it to go so long without a response. If you have any additional information or questions about this, please let us know. You can always re-open this bug if needed. I would encourage you to use the "Need more information" function below if you don't see a timely response from one of us.
Assignee: nobody → dhartnell
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ashiksn369)
Resolution: --- → WONTFIX
Updated•8 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/5521]
Updated•7 years ago
Group: websites-security
Resolution: WONTFIX → DUPLICATE