Simple CVE: CVE-2018-6389 protection

There’s a DoS problem in the WordPress CMS that its creators won’t fix. I’ve decided to create a simple, non-intrusive mitigation for Apache-hosted websites.

The problem is in wp-admin/load-scripts.php, which simply concatenates the JavaScript files named in its load[] parameter so the admin panel can fetch them in one request. It does this before any authentication check, so if you ask for too many of them at once and request such a specially crafted URL often enough, your server may temporarily die…

To mitigate this, limit the query-string length of load-scripts.php requests with a mod_rewrite rule in the .htaccess file in the root directory of the WordPress installation:

RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]

Place this after RewriteBase / (or after RewriteEngine On if you don’t have a RewriteBase line) and before the WordPress rewrite block. The attacker gets a 403 Forbidden instead of the concatenated scripts, and because Apache rejects the request before PHP is started, the rejection costs almost nothing. Note what the condition means: ^.{1000,}$ matches any query string of 1000 or more characters, so the threshold has to stay above the longest query string your own admin pages send, or you will break the admin panel instead of the attacker.

Use the exploit’s URL to test; with the rule in place it should return 403:

http://yourwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter&ver=4.9

My full .htaccess code:

RewriteEngine On
RewriteBase /

# CVE-2018-6389 mitigation: reject load-scripts.php requests whose query
# string is 1000 characters or longer. Keep these lines outside the
# BEGIN/END WordPress markers: WordPress regenerates that block when
# permalink settings are saved and would silently drop them.
RewriteCond %{QUERY_STRING} ^.{1000,}$
RewriteRule ^wp-admin/load-scripts\.php$ - [F]

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
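Before deploying the rule it is worth checking two things: that it blocks the PoC while still letting through the admin panel’s own load-scripts.php requests, and that the threshold fits your site, which you can only know from the longest query string your own admin sessions actually send. The Python script below is an added example, not code from this post or from WordPress. It re-implements the decision the two mod_rewrite lines make (protected path, and a raw query string of at least N characters) and replays it over Apache combined-format access-log lines so a threshold can be picked from observed traffic instead of guessed. The log lines, IP addresses and handle lists in it are constructed for the example; the attack URL uses filler handle names of the same shape and length as the public PoC rather than the real list, and load-styles.php appears only as an optional second path (my addition, not part of the post’s rule).

```python
r"""Offline check of the CVE-2018-6389 .htaccess rule and of its length threshold.

Added example, not code from the original post. It mirrors the decision made by

    RewriteCond %{QUERY_STRING} ^.{1000,}$
    RewriteRule ^wp-admin/load-scripts\.php$ - [F]

and replays it over Apache "combined" access-log lines. Every log line, IP and
handle list below is constructed for the example.
"""
import math
import re
from urllib.parse import parse_qs, urlsplit

# Paths the rule protects. load-scripts.php is the one from the post; its sibling
# load-styles.php concatenates stylesheets the same way and can be added here if
# the same rule is applied to it (that is an addition, not part of the post).
PROTECTED_PATHS = ("/wp-admin/load-scripts.php",)

# Apache combined format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed: a handle list of the size the classic post editor loads (well under 1000 chars)
LEGIT_HANDLES = (
    "hoverIntent,common,admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,"
    "jquery-query,admin-comments,svg-painter,heartbeat,wp-auth-check,jquery-ui-core,"
    "jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,tags-box,tags-suggest,"
    "word-count,post,editor-expand,thickbox,underscore,shortcode,backbone,wp-util,"
    "wp-backbone,media-models,plupload,wp-plupload,mediaelement-core,mediaelement-migrate,"
    "mediaelement,wp-mediaelement,media-views,media-editor,media-audiovideo,mce-view,"
    "imgareaselect,wplink,jquery-ui-menu,jquery-ui-autocomplete,wpdialogs,jquery-ui-draggable,"
    "jquery-ui-resizable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wp-api-request,"
    "wp-a11y,autosave,jquery-touch-punch,jquery-ui-datepicker,wp-embed"
)
LEGIT_TARGET = f"/wp-admin/load-scripts.php?c=1&load%5B%5D={LEGIT_HANDLES}&ver=4.9"

# Constructed: 150 filler handles, same shape and roughly the same length (~2.7k chars) as the PoC
ATTACK_HANDLES = ",".join(f"jquery-effects-{n}" for n in range(150))
ATTACK_TARGET = f"/wp-admin/load-scripts.php?c=1&load%5B%5D={ATTACK_HANDLES}&ver=4.9"


def log_line(ip: str, target: str, status: int) -> str:
    """Build one constructed combined-format access-log line."""
    return f'{ip} - - [10/Feb/2018:12:00:00 +0000] "GET {target} HTTP/1.1" {status} 4096 "-" "Mozilla/5.0"'


# Constructed sample log: 192.0.2.10 is "our" admin session, 198.51.100.7 the attacker
SAMPLE_LOG = [
    log_line("192.0.2.10", LEGIT_TARGET, 200),
    log_line("192.0.2.10", "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9", 200),
    log_line("192.0.2.10", "/wp-admin/load-styles.php?c=1&load%5B%5D=dashicons,admin-bar&ver=4.9", 200),
    log_line("198.51.100.7", ATTACK_TARGET, 200),
]


def query_length(target: str) -> int:
    """Length of the raw, still percent-encoded query string, which is what %{QUERY_STRING} sees."""
    return len(urlsplit(target).query)


def would_block(target: str, threshold: int = 1000, paths=PROTECTED_PATHS) -> bool:
    """True where the .htaccess rule answers 403: protected path AND query string >= threshold chars."""
    return urlsplit(target).path in paths and query_length(target) >= threshold


def handle_count(target: str) -> int:
    """How many script handles a request asks for; parse_qs decodes load%5B%5D back to load[]."""
    query = parse_qs(urlsplit(target).query)
    return sum(len(v.split(",")) for v in query.get("load[]", []))


def parse_log(lines):
    """Yield the parsed fields of every line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def query_lengths(lines, paths=PROTECTED_PATHS):
    """Raw query-string lengths of every logged request to the protected paths."""
    return [query_length(r["target"]) for r in parse_log(lines)
            if urlsplit(r["target"]).path in paths]


def evaluate(lines, threshold: int, paths=PROTECTED_PATHS) -> dict:
    """Replay the log against a candidate threshold and count what it would 403 vs. let through."""
    lengths = query_lengths(lines, paths)
    blocked = [n for n in lengths if n >= threshold]
    allowed = [n for n in lengths if n < threshold]
    return {"threshold": threshold, "blocked": len(blocked), "allowed": len(allowed),
            "longest_allowed": max(allowed, default=0), "shortest_blocked": min(blocked, default=0)}


def suggest_threshold(legit_lengths, headroom: float = 1.5, step: int = 100) -> int:
    """Smallest multiple of `step` that leaves `headroom` above the longest legitimate query observed."""
    return math.ceil(max(legit_lengths) * headroom / step) * step


if __name__ == "__main__":
    for t in (100, 500, 1000):
        print(evaluate(SAMPLE_LOG, t))
    # Only feed suggest_threshold with traffic you know is legitimate, here our own admin IP
    admin_lines = [line for line in SAMPLE_LOG if line.startswith("192.0.2.10 ")]
    print("suggested threshold:", suggest_threshold(query_lengths(admin_lines)))
```

To use it on a real site, read your access log into a list of lines in place of SAMPLE_LOG and pass suggest_threshold only lengths from requests you know were legitimate (your own admin IP, before any attack traffic); the headroom leaves room for plugins that enqueue extra scripts. Whatever number comes out, confirm in the browser that the post editor and the Customizer still load with the rule active, since that is exactly where a threshold set too low shows up.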

Published by Konrad Fedorczyk

8 thoughts on “Simple CVE: CVE-2018-6389 protection”

  1. Hi Konrad,

    This really should be fixed at the application (WordPress) level, but thanks for posting this. Just checking out your fix on localhost now.

    There’s a double ?? in the PoC URL above – this produces an object not found error. After correcting this, I find that the recommended .htaccess directives do not prevent the request.

    I’m not an .htaccess guru, but I’m presuming that these directives are intended to limit the query to 500 k/v pairs. Just a guess since the query is succeeding with nearly 3000 characters. I took the value down to 100, and the request failed:

    RewriteCond %{QUERY_STRING} ^.{100,}$
    RewriteRule ^wp-admin/load-scripts\.php$ - [F]

    However, note that the number 100 is completely arbitrary. This raises the question: how can we successfully determine a viable number given that each site’s (actual) script requirements aren’t identical?

    Thanks for any additional insights.

    1. Hi,
      After some tests I’ve found out that 500 chars aren’t enough for WordPress. Scripts were broken in the post editor 🙁 The original exploit code has 2666 chars (https://github.com/knqyf263/CVE-2018-6389), so I’m changing this trick to a safe length of 1000.

      This is my full working .htaccess:

      RewriteEngine On
      RewriteBase /

      # CVE-2018-6389 mitigation, kept outside the BEGIN/END WordPress
      # markers because WordPress regenerates that block when permalink
      # settings are saved.
      RewriteCond %{QUERY_STRING} ^.{1000,}$
      RewriteRule ^wp-admin/load-scripts\.php$ - [F]

      # BEGIN WordPress
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      # END WordPress

    1. Yes, I think this might be the problem 🙂 I don’t really know LiteSpeed, but I’ve found this on Google: OpenLiteSpeed cannot work with the .htaccess file; you need to configure it via the web admin: Edit virtual host -> Rewrite
