WordPress CVE-2018-6389 – DoS

There is a DoS vulnerability in all WP installations. It is hidden in the load-scripts.php and load-styles.php files. Their purpose is to combine scripts and styles in the administration to load the admin faster.

You can ask them to combine a huge amount of files, the result will be a huge load and it may kill your webserver.

There is an unofficial patch or you can limit the size of requests for load scripts:

For Apache

RewriteCond %{REQUEST_URI} ^/+wp-admin/+load-(scripts|styles)\.php$

RewriteCond %{QUERY_STRING} load\[\]=(.{800,})$

RewriteRule ^(.*)$  – [F,L]

view raw
CVE-2018-6389.htaccess
hosted with ❤ by GitHub

For Nginx

#block load-scripts|styles.php requests with long argument list

#CVE-2018-6389 impact mitigation

if ($request_uri ~* "^/+wp-admin/+load-(scripts|styles)\.php\?.{800,}$"){

    return 403;

}

view raw
CVE-2018-6389.conf
hosted with ❤ by GitHub

Question is: Do you still need it in the age of HTTP/2?

Posts

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (Address never made public)

Name

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

	RewriteCond %{REQUEST_URI} ^/+wp-admin/+load-(scripts\|styles)\.php$
	RewriteCond %{QUERY_STRING} load\[\]=(.{800,})$
	RewriteRule ^(.*)$ – [F,L]

	#block load-scripts\|styles.php requests with long argument list
	#CVE-2018-6389 impact mitigation
	if ($request_uri ~* "^/+wp-admin/+load-(scripts\|styles)\.php\?.{800,}$"){
	return 403;
	}

Share this:

Like this:

Leave a Reply Cancel reply