A vulnerability in the pingback feature of the WordPress blogging platform can be abused to leak information about the network a blog sits in and to mount distributed denial of service (DDoS) attacks, using nothing more than a script that drives the feature, according to web application security firm Acunetix.
A pingback is a notification one blog sends to another to say that it has linked to one of its posts; blog owners rely on it to track who is linking to their entries. When WordPress receives a pingback, it fetches the source URL named in the notification to verify the link, and usually records a comment on the referenced post noting that it has been cited.
According to Acunetix's Bogdan Calin, the vulnerability is exploitable through the platform's XML-RPC API, served by xmlrpc.php: because the blog fetches whatever source URL a pingback names, an attacker can make it issue HTTP requests on their behalf. Attackers could use this to guess hosts inside the network where the blog is hosted, port scan those hosts, reconfigure internal routers that accept changes over HTTP and, by pointing many blogs at a single target, launch large-scale DDoS attacks.
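As an added illustration (not code from the article, from Acunetix or from WordPress itself), the Python below models the pingback.ping XML-RPC exchange that xmlrpc.php handles: the request body an attacker POSTs, the unchecked fetch that lets the blog be pointed at internal hosts, and a hardened source-URL check that refuses non-public addresses and unexpected ports before any connection is opened. The helper names, the port allowlist and the constructed DNS table used for offline runs are assumptions of this example, not WordPress's own code or policy.

```python
"""Model of the WordPress pingback.ping exchange over XML-RPC (added example).

The port allowlist, helper names and the fake DNS table are assumptions made
for illustration; none of this is WordPress code.
"""
import ipaddress
import socket
import xmlrpc.client
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Ports a pingback source may live on (assumed policy for this example).
ALLOWED_PORTS = {80, 443, 8080}

# Constructed name table so the check can run without network access.
EXAMPLE_DNS = {"blog.example": "8.8.8.8", "intranet.corp": "10.0.0.7"}


def lookup_example_dns(host: str) -> str:
    """Offline stand-in for socket.gethostbyname; unknown names raise KeyError."""
    return EXAMPLE_DNS[host]


def build_pingback_request(source_uri: str, target_uri: str) -> bytes:
    """Body the attacker POSTs to /xmlrpc.php: sourceURI claims to link to
    targetURI, and the receiving blog will fetch sourceURI to verify that."""
    return xmlrpc.client.dumps(
        (source_uri, target_uri), methodname="pingback.ping"
    ).encode()


def parse_pingback_request(body: bytes) -> Tuple[str, str]:
    """Decode a pingback.ping call into (sourceURI, targetURI)."""
    params, method = xmlrpc.client.loads(body.decode())
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError("not a pingback.ping call")
    return str(params[0]), str(params[1])


def vulnerable_fetch_target(source_uri: str) -> Tuple[Optional[str], int]:
    """Where an unchecked handler would connect: whatever host:port the caller
    named, loopback and RFC 1918 addresses included. Returns the pair instead
    of opening a socket."""
    parts = urlsplit(source_uri)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def source_uri_is_safe(
    source_uri: str, resolve: Callable[[str], str] = socket.gethostbyname
) -> Tuple[bool, str]:
    """Hardened check run before any connection: http(s) only, allowlisted
    ports only, and only hosts that are (or resolve to) public addresses.
    `resolve` is injectable so the check can be exercised offline."""
    parts = urlsplit(source_uri)
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http or https"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not allowed"
    try:
        addr = ipaddress.ip_address(host)  # literal address: no lookup needed
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError, LookupError):  # gaierror is an OSError
            return False, "host does not resolve"
    if not addr.is_global:  # loopback, private, link-local, multicast, reserved
        return False, f"{addr} is not a public address"
    return True, "ok"


def fault_response(code: int, message: str) -> bytes:
    """XML-RPC fault body; dumps() marks a Fault as a methodResponse itself."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message)).encode()


def handle_pingback(
    body: bytes, resolve: Callable[[str], str] = socket.gethostbyname
) -> bytes:
    """Hardened server side of the exchange. Rejection happens before any
    request is sent, so nothing about hosts behind the blog leaks back."""
    try:
        source_uri, target_uri = parse_pingback_request(body)
    except (ValueError, ExpatError, xmlrpc.client.Fault) as exc:
        return fault_response(0, f"bad request: {exc}")  # 0: generic fault
    ok, why = source_uri_is_safe(source_uri, resolve)
    if not ok:
        # Pingback fault 16 is "the source URI does not exist" in the spec.
        return fault_response(16, f"source URI rejected: {why}")
    # A real handler would now fetch source_uri and confirm it links to target_uri.
    return xmlrpc.client.dumps(
        (f"Pingback from {source_uri} to {target_uri} registered",),
        methodresponse=True,
    ).encode()


def response_fault_code(response: bytes) -> Optional[int]:
    """Fault code carried by an XML-RPC response, or None if it succeeded."""
    try:
        xmlrpc.client.loads(response.decode())
    except xmlrpc.client.Fault as fault:
        return fault.faultCode
    return None


if __name__ == "__main__":
    for src in ("http://blog.example/post/1", "http://intranet.corp/",
                "http://127.0.0.1:22/", "http://192.168.1.1:8080/cgi-bin/admin"):
        req = build_pingback_request(src, "http://victim.example/?p=1")
        print(src, "->", vulnerable_fetch_target(src), "| fault:",
              response_fault_code(handle_pingback(req, lookup_example_dns)))
```

The check resolves the name once and a real fetch would resolve it again, so a production handler should connect to the address it validated rather than to the hostname, or DNS rebinding bypasses the check. On an actual WordPress install the equivalent stopgap is to remove `pingback.ping` from the method table through the `xmlrpc_methods` filter.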
Exploitation has been automated by a new tool distributed on the code-hosting site GitHub. The tool drives the pingback API and lets attackers scan other hosts, enlist multiple WordPress blogs at once and, with a specially crafted URL, reconfigure routers.
The flaw was first brought to WordPress' attention more than five years ago, in April 2007, but the ticket was closed when a WordPress developer said he wasn't sure it was worth bothering with, adding that there are “so many ways to orchestrate a DDoS.”
Calin notes that there is no fix for the vulnerability yet, but that the flaw has once again been brought to WordPress' attention. The blog entry adds that even disabling pingbacks and trackbacks in a blog's settings does not close the hole, so a patch from WordPress seems inevitable at this point.
WordPress, the platform commercially backed by Automattic, has had its fair share of security problems in 2012. Automatic-update malware was found infecting blogs in May, a handful of bogus themes left blogs open to cross-site scripting (XSS) attacks in October, and just last week WordPress sites, along with Joomla sites, were being targeted by iframe injection attacks.