
DIGITAL SECURITY:

WORDPRESS

Name | Course Title | Date

-Contents –

1. WordPress : A Complete Introduction

2. CVE-2019-17669 : A Brief Description

3. CVE-2019-17669 : Solution

4. CVE-2019-17669 : Brief Analysis


WordPress : A Complete Introduction

-WordPress is a free and open source ‘Content Management System’ written in PHP. It
forms a semi-backend of a website and can be paired with database systems like MariaDB,
PostgreSQL, etc. It has a wide array of plugins, themes and widgets which are helpful in
development. WordPress is easy to obtain, as users need not pay for the basic
functionality of the software, but hosting providers are needed to use its enhanced
features. This includes the subscription charges for the software (Trunde & Weippl, 2015).

-WordPress supports the important features of a “Plugin Architecture” and a “Template
System”, which make a website appear more dynamic than before. These are called
Themes in WordPress’ context.

-Originally, WordPress was used just for (static) blogging as a ‘blog-publishing system’,
but it has now evolved to support other web content such as forums, media galleries and
membership platforms, and works more like a platform management system for
learning (Cao et al., 2019).

-High-quality code has been included in the software, which makes it one of the best
available platforms for SEO (Search Engine Optimization). This tends to improve the
visibility of the site in relevant searches over the network. SEO specifically for
WordPress is helpful in optimizing the website in an effective manner.

-WordPress’s availability is enhanced by providing different benefits in limited time.
Therefore, its management has become an easier task. Backups are taken remotely
with only one plugin, and this has enhanced the output of the software. Updating a
website on WordPress has become an easier task.

-With secure platforms and plug-ins, there are chances that websites are protected
from different attacks. It is not easy for intruders to access the data of the website
because of the availability of security mechanisms. Protection needs to be provided
against threats such as brute force attacks.

- Different media types like YouTube videos, Instagram photos, Tweets, and SoundCloud
audio can be embedded by simply pasting the URL into the post editor
(Fernandes & Vidyasagar, 2015). This enhances the different methods of eCommerce
through which the popularity of a business can be increased easily.

-Many online tutorials are provided so that users have better development guidelines.
This has made it easier for users to make use of WordPress in an effective and positive
manner. Thus, awareness of WordPress can be enhanced and developers can provide
better communication between clients.

Themes: A Quick Recap

Themes allow users to change the appearance, i.e. the look and feel, of a WordPress
website without actually manipulating the backend code or site content. At least one
theme is required to run a WordPress website. Any WordPress theme should be built with
valid PHP, HTML and CSS. Themes can be installed directly through the wp-admin
dashboard, or the theme files may be copied directly into the themes directory. Themes
are helpful in providing technical support, in that fast as well as comprehensive answers
to different problems are provided by the software. A theme’s compatibility with
WordPress is helpful for regular updates, and vulnerabilities as well as malicious attacks
are avoided (Eshkevari et al., 2014). Responsive design is helpful in enhancing the
popularity of the website, and responsive features help websites gain more attention. It
provides unique attributes to different users, which enhances their experience and gives
a different look and feel to every website created through WordPress. But the uniqueness
feature is provided to premium members who pay for the services of the software.

Plugins: A Quick Recap

Plugins are the most important asset of a WordPress site. Plugins allow users to
extend the features of a website to support additional functionality. wordpress.org
itself has over 58000 plugins, each made to achieve a specific task. There are also
third-party plugins which can be installed in a WordPress site. The biggest benefit that
can be achieved through WordPress plugins is that the content needed for SEO can be
optimized easily, which enhances the availability of the website for earning profits.
Integrated automated email marketing can be achieved by the company or the users, as
this plugin itself displays the link of the website on different pages. It has become
easier for companies to reach their potential users and spend additional resources on
marketing (Ruohonen, 2019). Regular backups are obtained by users without extra effort
by simply installing a plugin. This backup facility has enhanced the popularity of
WordPress, as it is helpful in enhancing the capability of a website. Membership areas
can be created by plugins, which can store the information of clients and make it
accessible whenever needed. Live chats can be added to the website, through which
companies can communicate directly with their customers and resolve their problems on
priority. Contact forms help to acquire required information from users.

Example of a Normal WordPress site :

In our current context, we are using WordPress V5.2

1) An example blog:

2) Website management dashboard (Admin):

3) User management:

4) Themes:

CVE-2019-17669: A Brief Description

WordPress before version 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability.
A CVE provides a standardized identifier for a vulnerability or exposure. This allows
quick access to information about a problem across different information sources. CVE
helps to provide better organizational security tools. This helps to enhance
interoperability, which has made it easier to enhance the security algorithms of a
company. Different code can be developed using PHP so that security can be enhanced and
solutions for various attacks can be improved. The reference method can be used under
CVE to enhance the properties of security (Ruohonen, 2019).

Here, the vulnerability occurs because URL validation does not consider the
interpretation of a ‘name’ as a series of hex characters.

This CVE has a severity score of 9.8 (Critical).

Here is the PHP test code which was vulnerable to this SSRF attack:

    else {
        $ip = gethostbyname( $host );
        if ( $ip === $host ) { // Error condition for gethostbyname()
            # $ip = false;   // original (vulnerable) line, shown commented out
            return false;    // line added by the fix
        }
    }

If we take a look at the above code, the commented-out line was the vulnerable part,
because the $ip variable was assigned ‘false’ once the condition evaluated to true.

Server Side Request Forgery: A Quick Recap

This is an important type of vulnerability which affects an application’s server side.
Here, the server is made to perform a request on its own behalf to itself or to any other
host. Server side request forgery is a web security vulnerability which allows an
attacker to induce the server-side application to make HTTP requests to an arbitrary
domain.

Let’s say we have a website which fetches a URL.

E.g. http://xyz.com/?u=http://othersite.com/image.png

Now, a malicious attacker can manipulate this such that the server fetches its own host
and requests a path (Gupta & Gola, 2016).

So, http://xyz.com/?u=0.0.0.0/admin/dashboard/password.json

Here, 0.0.0.0 acts as localhost and /admin/dashboard/password.json is the local path
which has sensitive information. Here, the application would (mostly) not perform any
authentication because it is fetching its own details.

The application should whitelist the DNS names and IP addresses it needs to access, as
this can prevent the SSRF attack. Whitelists and blacklists are helpful in providing the
relevant data and are important for validating the input. There exist blind SSRF
vulnerabilities, in which the application is induced to issue an HTTP request at the back
end to a supplied URL. The response from the backend is not viewed by the user, which
enhances the issues for the website and users. The web application that causes the
user’s web browser to perform an undesired action can be authenticated by the user.

Working of the Exploit :

The WordPress Admin dashboard consists of many input parameters, one of them being
the name parameter for host.

Now, a valid expected hostname could be http://xyz.com.

But if we provide a host which relates to the server itself, such as http://localhost,
http://127.0.0.1, http://0.0.0.0, http://1.1.1.1, http://127.1, etc., then there are high
chances that the application will fetch/request its own system path, which is what
happens in our current case (CVE-2019-17669).

So, there are many attack vectors unlocked after this one step. A further attack can be
improved/narrowed down by performing, e.g., port scanning using http://0.0.0.0:8080
and measuring the response time to see if the port is open or not, etc.

Hence, once our payload URL was supplied, the ‘ip’ variable was assigned to this,
and so the server fetches its own path.

CVE-2019-17669 : Solution

Since the vulnerability was in the main backend PHP code itself, a security patch update
was released right after the vulnerability was privately reported.

WordPress also released the new version (5.2.4) which fixed various bugs including our
current SSRF vulnerability (Anderl et al., 2019).

Here is the patched update :

https://github.com/WordPress/WordPress/commit/608d39faed63ea212b6c6cdf9fe2bef92e2120ea

As we can see, extra validation is applied to the result of the gethostbyname() function.

Once the function detects that the IP is equal to the hostname, it immediately returns
false, thereby adding a certain level of security by validating the URL.

Additionally, there should be a blacklisting mechanism to avoid certain types of attacks
in future.
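
The difference between the two lines in the snippet above, as an added example that is not WordPress code: a simplified model showing why assigning false lets validation continue while returning false fails closed. The function names, the resolver stub, the sample hosts and the local-range check that follows the lookup are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress source; names and sample hosts are hypothetical.

/** True for loopback, "this network" and RFC 1918 dotted-quad addresses. */
function is_local_ipv4(string $ip): bool {
    $p = array_map('intval', explode('.', $ip));
    return $p[0] === 127 || $p[0] === 10 || $p[0] === 0
        || ($p[0] === 172 && $p[1] >= 16 && $p[1] <= 31)
        || ($p[0] === 192 && $p[1] === 168);
}

/**
 * $resolve stands in for gethostbyname(): like the real function, it returns
 * the host string unchanged when the lookup fails.
 */
function validate_host(string $host, callable $resolve, bool $failClosed): bool {
    if (preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)) {
        $ip = $host;                 // already a dotted-quad literal
    } else {
        $ip = $resolve($host);
        if ($ip === $host) {         // error condition for gethostbyname()
            if ($failClosed) {
                return false;        // patched behaviour: reject outright
            }
            $ip = false;             // old behaviour: carry on with no address
        }
    }
    // Assumed follow-up check: it can only run when an address is known.
    if ($ip !== false && is_local_ipv4($ip)) {
        return false;
    }
    return true;
}

// Constructed resolver table; any host not listed "fails" like gethostbyname().
$table = ['intranet.example' => '10.0.0.5', 'www.example' => '203.0.113.10'];
$resolve = fn(string $h): string => $table[$h] ?? $h;

foreach (['www.example', 'intranet.example', '127.0.0.1', 'unresolvable.example'] as $h) {
    printf("%-22s before=%-5s after=%s\n", $h,
        var_export(validate_host($h, $resolve, false), true),
        var_export(validate_host($h, $resolve, true), true));
}
```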

CVE-2019-17669 : A Brief Analysis

This CVE is all about URL validation, and how a small attack can be chained into a
devastating vulnerability. An SSRF vulnerability which returns a response (unlike blind
SSRFs) increases the impact of this bug, and is likely to compromise the whole system.

Effectiveness of CVE-2019-17669 :

As we discussed above, this CVE (for WordPress versions below 5.2.4) is likely to affect
the system. Hence, management teams are required to update to version 5.2.4 or above,
which totally mitigates this vulnerability.

This CVE has a score of 9.8, which is Critical. Hence the particular input parameter (in
our case, the ‘name’ parameter) should be thoroughly tested for multiple cases,
including SSRFs through URL encoding, decimal encoding, hexadecimal encoding, etc. which
resolve to localhost or a similar destination host. The CVE list records common
identifiers for vulnerabilities and attacks, which is an advantage for reanalysis and for
the final decisions related to website development when attacks are altered
(Vu et al., 2020). Cybersecurity has gained more importance here, as URL validation does
not consider the interpretation of the name as a series of hex characters. Any input
parameter which fetches or requests a URL is likely to be vulnerable to an SSRF attack,
which leads to our final discussion.
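
For the encoding test cases listed above, an added example (not WordPress code) of a normaliser a validator can run before any range check: it reduces short, decimal, octal and hexadecimal host forms to one dotted-quad address, following the classic inet_aton() parsing rules. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not WordPress source; names and sample hosts are constructed.

/** Parse one component as inet_aton() does: 0x.. hex, 0.. octal, else decimal. */
function parse_component(string $s): ?int {
    if (strlen($s) > 12) {
        return null;                       // keeps values well inside int range
    }
    if (preg_match('/^0[xX][0-9a-fA-F]+$/', $s)) {
        return (int) hexdec(substr($s, 2));
    }
    if (preg_match('/^0[0-7]*$/', $s)) {
        return (int) octdec($s);
    }
    return preg_match('/^[1-9][0-9]*$/', $s) ? (int) $s : null;
}

/**
 * Return the dotted-quad address a numeric host string denotes, or null when
 * the string is not a numeric IPv4 form and has to be resolved as a name.
 */
function canonical_ipv4(string $host): ?string {
    $parts = explode('.', $host);
    $n = count($parts);
    if ($n > 4) {
        return null;
    }
    $value = 0;
    foreach ($parts as $i => $raw) {
        $v = parse_component($raw);
        if ($v === null) {
            return null;
        }
        $isLast = ($i === $n - 1);
        // Leading components are one byte; the last one fills the remaining bytes.
        $max = $isLast ? (256 ** (5 - $n)) - 1 : 255;
        if ($v > $max) {
            return null;
        }
        $value += $isLast ? $v : $v << (8 * (3 - $i));
    }
    return long2ip($value);
}

// Constructed inputs: each numeric form below denotes the same loopback address.
foreach (['127.0.0.1', '127.1', '0x7f.0.0.1', '0177.0.0.1', '2130706433', 'example.org'] as $h) {
    printf("%-12s -> %s\n", $h, canonical_ipv4($h) ?? '(not numeric, resolve as a name)');
}
```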

Future Importance of CVE-2019-17669 :

Our final result or conclusion based on this CVE concerns how input parameters are
handled, how they are processed and, in case they are compromised, how strong the
impact can be.

This CVE assures us that the more input parameters process a user’s input value,
the more likely they are to be vulnerable to one or multiple vulnerabilities. Hence, for
our current SSRF context, test cases should be enumerated over multiple test parameters
and thoroughly explored for further investigation. Future malware can exploit the
system to a greater extent and needs the attention of developers, and CVE-2019-17669
can provide a number of benefits by protecting data from being breached, and
interpretations can be made (Moreira et al., 2021). The interpretations help to protect
systems from different attacks in the future.

References

Anderl, C., Li, G., & Chen, F. (2019). Oral contraceptive use in adolescence predicts
lasting vulnerability to depression in adulthood. Journal Of Child Psychology
And Psychiatry, 61(2), 148-156. https://doi.org/10.1111/jcpp.13115

Cao, L., Ying Ou, J., & Chinaei, A. (2019). Enhancing the WordPress System: From Role
to Attribute-Based Access Control. International Journal Of Network Security & Its
Applications, 11(03), 01-19. https://doi.org/10.5121/ijnsa.2019.11301

Eshkevari, L., Antoniol, G., Cordy, J., & Di Penta, M. (2014). Identifying and locating
interference issues in PHP applications: the case of WordPress. Proceedings Of
The 22nd International Conference On Program Comprehension - ICPC 2014.
https://doi.org/10.1145/2597008.2597153

Fernandes, S., & Vidyasagar, A. (2015). Digital Marketing and Wordpress. Indian
Journal Of Science And Technology, 8(S4), 61.
https://doi.org/10.17485/ijst/2015/v8is4/60375

Gupta, J., & Gola, S. (2016). Server Side Protection against Cross Site Request Forgery
using CSRF Gateway. Journal Of Information Technology & Software
Engineering, 6(3). https://doi.org/10.4172/2165-7866.1000182

Moreira, L., de Brito, M., & Kobiyama, M. (2021). Review article: A systematic review
and future prospects of flood vulnerability indices. Natural Hazards And Earth
System Sciences, 21(5), 1513-1530. https://doi.org/10.5194/nhess-21-1513-2021

Ruohonen, J. (2019). A Demand-Side Viewpoint to Software Vulnerabilities in
WordPress Plugins. Proceedings Of The Evaluation And Assessment On Software
Engineering. https://doi.org/10.1145/3319008.3319029

Trunde, H., & Weippl, E. (2015). WordPress security. Proceedings Of The 17th
International Conference On Information Integration And Web-Based
Applications & Services. https://doi.org/10.1145/2837185.2837195

Vu, P., Nguyen, T., & Nguyen, T. (2020). Fuzzy Multi-intent Classifier For User
Generated Software Documents. Proceedings Of The 2020 ACM Southeast
Conference. https://doi.org/10.1145/3374135.3385300
