Simple CVE: CVE-2018-6389 protection

There’s a DoS problem with the WordPress CMS that its creators won’t fix. I’ve decided to create a simple, non-intrusive solution for Apache-hosted websites.

The problem is in load-scripts.php, which simply joins scripts for the admin panel. If you ask for too many of them in a specially crafted URL and request it too often, your server may temporarily die…

To fix this issue, simply limit the query string length of a load-scripts.php request with .htaccess directives in the root directory of the WordPress installation.

RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]

Place this after RewriteBase /, or after RewriteEngine On if you don’t have a RewriteBase. An attacker will get a 403 error instead of the joined scripts.

Use the exploit’s URL to test:

http://yourwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter&ver=4.9
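Before turning the rule on, it is worth knowing which of your site’s real load-scripts.php requests it would reject and how long a legitimate admin query string actually gets. The script below is my own added example (not part of the original post or of WordPress): it mirrors the two directives in Python and replays Apache combined-format access-log lines against them. The log lines, IP addresses and script names in it are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Same two patterns as the .htaccess rule: in a per-directory .htaccess the
# RewriteRule sees the path without its leading slash, and RewriteCond tests
# the raw, still percent-encoded query string.
PATH_RE = re.compile(r"^wp-admin/load-scripts\.php$")
# Apache "combined" log line; only the request target is needed here.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def would_be_blocked(target: str, threshold: int = 1000) -> bool:
    """Mirror the rewrite decision for one request target ("/path?query")."""
    parts = urlsplit(target)
    query_re = re.compile(r"^.{%d,}$" % threshold)  # RewriteCond ^.{1000,}$
    return bool(PATH_RE.match(parts.path.lstrip("/")) and query_re.match(parts.query))

def audit_log(lines, threshold: int = 1000):
    """Replay access-log lines against the rule before deploying it.
    Returns (targets that would now get 403, longest query string seen on a
    load-scripts.php request that still passes) so the threshold can be checked
    against the site's real admin traffic instead of guessed."""
    blocked, longest_allowed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        target = m.group("target")
        parts = urlsplit(target)
        if not PATH_RE.match(parts.path.lstrip("/")):
            continue  # the rule only covers load-scripts.php
        if would_be_blocked(target, threshold):
            blocked.append(target)
        else:
            longest_allowed = max(longest_allowed, len(parts.query))
    return blocked, longest_allowed

# Constructed sample log: one normal editor page load, one oversized load[]
# list of the kind the exploit URL above sends, and one unrelated request.
LEGIT_QUERY = "c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9"
LONG_QUERY = "c=1&load%5B%5D=" + ",".join(["jquery-ui-widget"] * 80) + "&ver=4.9"
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2018:12:00:01 +0000] "GET /wp-admin/load-scripts.php?%s HTTP/1.1" 200 51234 "-" "Mozilla/5.0"' % LEGIT_QUERY,
    '203.0.113.9 - - [10/Feb/2018:12:00:02 +0000] "GET /wp-admin/load-scripts.php?%s HTTP/1.1" 200 918273 "-" "python-requests/2.18"' % LONG_QUERY,
    '203.0.113.5 - - [10/Feb/2018:12:00:03 +0000] "GET /index.php?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, longest = audit_log(SAMPLE_LOG)
    print("would be blocked:", len(blocked), "| longest passing query:", longest)
```

Feed it your real access log (one line per list entry) and raise or lower the threshold until no legitimate admin request lands in the blocked list.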

My full .htaccess code:

RewriteEngine on

# BEGIN WordPress

RewriteEngine On
RewriteBase /

RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]

RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Comments


  1. John Alarcon

    Hi Konrad,

    This really should be fixed at the application (WordPress) level, but thanks for posting this. Just checking out your fix on localhost now.

    There’s a double ?? in the PoC URL above – this produces an object not found error. After correcting this, I find that the recommended .htaccess directives do not prevent the request.

    I’m not an .htaccess guru, but I’m presuming that these directives are intended to limit the query to 500 k/v pairs. Just a guess since the query is succeeding with nearly 3000 characters. I took the value down to 100, and the request failed:

    RewriteCond %{QUERY_STRING} ^.{100,}$
    RewriteRule ^wp-admin/load-scripts\.php$ - [F]

    However, note that the number 100 is completely arbitrary. This raises the question: how can we successfully determine a viable number given that each site’s (actual) script requirements aren’t identical?

    Thanks for any additional insights.

    1. Konrad Fedorczyk

      Hi,
      After some tests I’ve found out that 500 chars aren’t enough for WordPress. Scripts were broken in post editor 🙁 Original exploit code has 2666 chars (https://github.com/knqyf263/CVE-2018-6389) so I’m changing this trick to safe length of 1000.

      This is my full working .htaccess:

      RewriteEngine on
      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /

      RewriteCond %{QUERY_STRING} ^.{1000,}$
      RewriteRule ^wp-admin/load-scripts\.php$ - [F]

      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]

      # END WordPress

  2. billy

    This did not work for me. I added the lines in my htaccess and ran the exploit again and still was the same.

    1. Konrad Fedorczyk

      Hi,
      Maybe your host does not support these .htaccess directives?

  3. billy

    Maybe it’s because I am using LiteSpeed?

    1. Konrad Fedorczyk

      Yes, I think this might be the problem 🙂 I don’t really know Litespeed but I’ve found this in Google: OpenLitespeed cannot work with the .htaccess file, you need to configure it via web admin: Edit virtual host -> Rewrite

  4. billy

    OK, I will see what I can do. Thanks.

  5. Fabrizio

    Great, works fine!
    Thank you so much!