Closed heldyboy closed 2 years ago
This is disabled in multiple different ways, but the webpage is still accessible without a 403 error.
Need to look into disabling this from the config files on the web server.
In wp-config.php I disabled XML-RPC directly; however, it had no effect. Need to research.
Hi, yes, I logged this on the audit. XML-RPC is still available; assuming most will now be done through the REST API as XML-RPC is being phased out, so I will resolve this as critical.
It may still be used by WP to buffer other automatic tools like Jetpack, so once it is disabled I will monitor and test it through.
@heldyboy, I checked in on Azure, but for some reason my kelly@ducksoupdigital.co.uk account is not associated with it. Can you send an invite again for me please, so I can set up SFTP?
I have checked xmlrpc and have disabled it on the development staging website with ease (I just checked in case it was a plugin conflict), but there is a file permissions issue on the live website, which is why the xmlrpc setting is not being disabled there.
@KellyDSD You should have another invite email in your inbox.
@heldyboy I have checked and validated the XML-RPC status by following the methods mentioned in the link below: https://mediatemple.net/community/products/dv/360048950192/how-to-disable-xmlrpc.php-for-wordpress
It's currently disabled, and here is the attached document.
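One way to settle the disagreement above (disabled in WordPress versus still served without a 403) is a small check that classifies the response from /xmlrpc.php; this is an added example, not code from this thread or from WordPress. It assumes only the Python standard library and that the site serves xmlrpc.php at the usual path; note that WordPress's `xmlrpc_enabled` filter only turns off methods that need authentication, so the file still answers requests, which is why a web-server-level 403 is the result worth confirming.

```python
import urllib.error
import urllib.request
from typing import Tuple

# Statuses that mean the web server refused the request before WordPress ran.
BLOCKED_STATUSES = {401, 403, 404, 410}
# Fixed text xmlrpc.php returns for a GET (non-POST) request when WordPress still serves it.
WP_GET_BANNER = "XML-RPC server accepts POST requests only."


def assess_xmlrpc(status: int, body: str) -> str:
    """Classify one HTTP response from /xmlrpc.php.

    'blocked'   - refused at the web server (the 403 the issue asks for)
    'reachable' - WordPress itself answered, so xmlrpc.php is still being served
    'unknown'   - neither signal present; inspect manually
    """
    if status in BLOCKED_STATUSES:
        return "blocked"
    if WP_GET_BANNER in body or "<methodResponse>" in body:
        return "reachable"
    return "unknown"


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET the endpoint and return (status, body); HTTP error statuses are captured, not raised."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "xmlrpc-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def check_site(base_url: str) -> str:
    """Run the classification against a live site you administer."""
    return assess_xmlrpc(*fetch(base_url.rstrip("/") + "/xmlrpc.php"))


# Constructed sample responses (not captured from any real site) for an offline run.
SAMPLES = {
    "web server deny rule": (403, "<html><h1>403 Forbidden</h1></html>"),
    "wordpress still serving": (405, WP_GET_BANNER),
    "plain 200 page": (200, "<html>ok</html>"),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))
    else:
        for label, (status, body) in SAMPLES.items():
            print(f"{label}: {assess_xmlrpc(status, body)}")
```

Run it with the site's base URL as the only argument; with no argument it classifies the constructed samples so the logic can be checked offline.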
Can you please look into this? We received the email below last week from an anonymous person. We don't know him; however, it might be interesting. Can you please investigate? Is this relevant for us? How do we fix it?
If you need access to the server directly, Brandon should be able to give you access.
Email below:
Hello Team, I, Gaurang Maheta, found a security issue in your system {HIGH}
What is XML-RPC? XML-RPC on WordPress is actually an API or "application program interface". It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include: publish a post, edit a post, delete a post, upload a new file (e.g. an image for a post), get a list of comments, edit comments.
The first thing to do now is send a POST request and list all the available methods. Why? Because that's how we'll know which actions are even possible and potentially use one of them for an attack. To list all methods, send a POST request with the following POST data, like shown in the picture; you'll get a response with all the methods available.
https://www.asrg.io/xmlrpc.php
Let me know if you need a video PoC; I'm happy to share.
Best Regards, Gaurang