
trellis-cve-2018-6389


Mitigate CVE-2018-6389 WordPress load-scripts / load-styles attacks.

Goal

Have Nginx deny all requests to wp-admin/load-scripts.php and wp-admin/load-styles.php, before they ever reach PHP.

Why?

TL;DR

it [WordPress] will use load-scripts.php (for JS) or load-styles.php (for CSS files) and the browser will get multiple JS/CSS files through a single request, so performance-wise it is better to do so and the page will load faster. This feature was designed only for the admin pages, but is also used on the wp-login.php page, so no authentication is enforced on these files.

-- How to DoS 29% of the World Wide Websites - CVE-2018-6389

# for example
https://example.com/wp/wp-admin/load-scripts.php?c=1&load[]=jquery-ui-core,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check

# same goes to https://example.com/wp/wp-admin/load-styles.php

A single unauthenticated request like the one above makes the server perform more than 180 file reads and concatenate everything into a response of more than 4 MB. Because the cost is borne entirely by the server while the request itself is tiny, a small server without a firewall or rate limiting can be taken down with this alone.

Mitigation

  1. You should really use HTTPS. If you don’t, you shouldn’t have a web site in the first place.
  2. When you use HTTPS, there’s no reason to not use HTTP/2.
  3. With HTTP/2, there’s no need to concatenate your files. It is actually an anti-pattern.

-- How to mitigate CVE-2018-6389 – the load-scripts.php DoS "attack" in WordPress

  • Tell WordPress not to use concatenation of JS and CSS files
  • Deny all requests to load-scripts.php and load-styles.php

Why Not?

Requirements

  • Trellis 17c26fc or later
  • Ansible v2.6 or later

Installation

Trellis

Add this role to requirements.yml:

# requirements.yml

- src: https://github.com/ItinerisLtd/trellis-cve-2018-6389
  version: 0.1.0 # Check for latest version!

Run the command:

➜ ansible-galaxy install -r requirements.yml --force

Add the role into dev.yml and server.yml, immediately after role: wordpress-setup:

roles:
  # some other Trellis roles ...
  - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
  - { role: trellis-cve-2018-6389, tags: [nginx, wordpress, wordpress-setup] }
  # some other Trellis roles ...

Then, re-provision as usual:

# https://roots.io/trellis/docs/local-development-setup/
➜ vagrant reload --provision

# https://roots.io/trellis/docs/remote-server-setup/
➜ ansible-playbook server.yml -e env=<environment>
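The two mitigation bullets above (deny the two files at the web server, disable concatenation in WordPress) are what the role automates. The script below is an added example, not the role's own template or tasks: it shows the shape of an Nginx rule that achieves the "deny all requests" goal, a local reproduction of that match so the rule can be reasoned about without a running Nginx, and a curl-based check to confirm a provisioned site now answers 403. The exact snippet the role installs, the `is_denied`/`check_site`/`nginx_deny_snippet` function names and the sample URIs are all assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example for the trellis-cve-2018-6389 README; not the role's own code.
# The Nginx snippet is an assumed shape, not the role's template.
set -eu

# Nginx location that denies both endpoints. Location matching is done on the
# normalized request path only, so the query string (?c=1&load[]=...) cannot
# be used to slip past it, and the Bedrock-style /wp/wp-admin/... prefix is
# covered because the regex is not anchored at the start.
nginx_deny_snippet() {
  cat <<'EOF'
# Mitigate CVE-2018-6389: these files are only useful with CONCATENATE_SCRIPTS
# enabled, and they are reachable without authentication.
location ~* /wp-admin/load-(scripts|styles)\.php$ {
    deny all;
}
EOF
}

# Local reproduction of the same match on a request URI (path plus optional
# query). Approximation only: Nginx also decodes %XX escapes and merges
# slashes before matching, which is not replicated here.
# Exit status 0 = the request would be denied, 1 = it would pass through.
is_denied() {
  local uri="$1"
  local path="${uri%%[?]*}"                         # drop the query string
  path="$(printf '%s' "$path" | tr 'A-Z' 'a-z')"   # "~*" is case-insensitive
  case "$path" in
    */wp-admin/load-scripts.php|*/wp-admin/load-styles.php) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against a provisioned site: both endpoints must answer 403.
# Usage: check_site https://example.com/wp    (or https://example.com)
check_site() {
  local base="${1%/}" f code
  for f in load-scripts.php load-styles.php; do
    code="$(curl -s -o /dev/null -w '%{http_code}' \
      "$base/wp-admin/$f?c=1&load%5B%5D=jquery-core")"
    if [ "$code" != "403" ]; then
      echo "FAIL $f: HTTP $code (expected 403)" >&2
      return 1
    fi
    echo "ok   $f: HTTP $code"
  done
}

# Stand-alone run: print the snippet, then exercise the matcher on a few
# constructed URIs (the first is the attack URL pattern quoted above).
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ "$#" -eq 0 ]; then
  nginx_deny_snippet
  for u in '/wp/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,iris' \
           '/wp-admin/LOAD-STYLES.PHP' \
           '/wp-admin/admin-ajax.php'; do
    if is_denied "$u"; then echo "denied   $u"; else echo "allowed  $u"; fi
  done
fi
```

Two things to verify after provisioning: the deny `location` has to appear before the generic `location ~ \.php$` block in the server's vhost, because Nginx uses the first matching regex location in file order and would otherwise hand the request to PHP-FPM anyway; and the check should be run against the real public hostname, since a CDN or load balancer in front of Nginx may cache or rewrite the response.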

WordPress

Disable concatenation:

# config/application.php OR wp-config.php OR equivalent

# normal OR outdated Bedrock:
define('CONCATENATE_SCRIPTS', false);

# Bedrock with roots/wp-config:
Config::define('CONCATENATE_SCRIPTS', false);

Then, deploy as usual:

# https://roots.io/trellis/docs/deploys/
➜ ./bin/deploy.sh <environment> <domain>

# or alternatively
➜ ansible-playbook deploy.yml -e "site=<domain> env=<environment>"

FAQs

Can I use this on managed hosting?

No, you can't use this on managed hosting such as Kinsta or WP Engine: the role configures Nginx through Trellis, and managed hosts don't give you that level of control over the web server.

It's the hosting company's job to mitigate this kind of attack.

It looks awesome. Where can I find some more goodies like this?

This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?

Thanks! Glad you like it. It's important to make my boss know somebody is using this project. Instead of giving reviews on wp.org, consider:

  • tweet something good with mentioning @itineris_ltd
  • star this Github repo
  • watch this Github repo
  • write blog posts
  • submit pull requests
  • hire Itineris

Alternatives

Testing

Syntax Check

➜ ansible-playbook -i 'localhost,' --syntax-check tests/test.yml

Author Information

trellis-cve-2018-6389 is an Itineris Limited project created by Tang Rufus.

Special thanks to the Roots team, whose Trellis makes this project possible.

Full list of contributors can be found here.

Feedback

Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.

Change log

Please see CHANGELOG for more information on what has changed recently.

License

trellis-cve-2018-6389 is released under the MIT License.