Use limit_req to address load-scripts/styles.php issue CVE-2018-6389


#1

Hi all,

While some call the issue reported on https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html a “DoS vulnerability” and others (read Automattic) an “extensive resource exhaustion attack” (making the discussion about where/who should fix this), I think we can agree that it proves it is very easy to overload and crash a small or even medium sized VPS running WordPress.

Seeing as Automattic does not seem inclined to address it (not even by limiting the number of scripts that can be concatenated in one request?) I would suggest it’s up to Easy Engine to prevent resource exhaustion…

I’m currently testing this additional rule in my /etc/nginx/common/wpcommon-php7.conf file:

# limit access to avoid resource exhaustion attack CVE-2018-6389
location = /wp-admin/load-(scripts|styles).php {
      limit_req zone=one burst=3 nodelay;
      include fastcgi_params;
      fastcgi_pass php7;
}

Zone “one” allows for 1 request per second plus the additional “burst” of 3 with the nodelay flag allows a total of 4 requests the first second. Each new request following each second will be honored while more requests (from the same IP) will be dropped.

A typical admin page generates 1 requests for /wp-admin/load-styles.php and 2 for /wp-admin/load-scripts.php but there are some admin pages that generate 4 such requests in total. Or at least as far as I have seen… This means normal normal browsing of the admin pages (not more than one page per second) should be fine with this rule.

However, it might be too strict since (I suppose) a user could cause a double load of the same page or actively open multiple admin pages in different browser tabs at the same time… Not sure if upping the burst value would help or if a new limit_request zone with looser rate limit would be better.

Any thoughts?


#2

Oww chucks… the location directive with = operator does not accept regular expression. This means the above did not even have any effect as the rule is ignored and surpassed by the general location ~ .php$ rule. Requests were not limited at all.

The rules in wpcommon should be like this:

# limit access to avoid resource exhaustion attack CVE-2018-6389
location = /wp-admin/load-scripts.php {
  limit_req zone=one burst=3 nodelay;
  include fastcgi_params;
  fastcgi_pass php7;
}
location = /wp-admin/load-styles.php {
  limit_req zone=one burst=3 nodelay;
  include fastcgi_params;
  fastcgi_pass php7;
}

#3

Created pull request https://github.com/EasyEngine/easyengine/pull/959


#4