Sending an Idea to WordPress

Today I sent WordPress an idea for a better way to prevent XML-RPC pingback abuse. Below is what I sent:

As we know, in March 2014 a huge number of WordPress-hosted sites (around 160,000, according to the Sucuri blog) were involved in, or used by attackers for, attacks on other sites. The attackers succeeded in exploiting a vulnerability in WordPress's XML-RPC. From there I could see how the WordPress team released a new version. Sadly, the new release only adds 5 lines to wp-includes/class-wp-xmlrpc-server.php compared to the old version (I compared 3.8.1 and 3.8.2; after that I did not see any change to the same file in your security release announcements). Those lines serve to display the IP of whoever requests the XML-RPC pingback, not to prevent it.

Also, I can see there are many plugins and tutorials on how to disable XML-RPC pingback; some even suggest disabling XML-RPC itself. But I think we should not lose features because of this kind of issue. Of course we need to mitigate or prevent any security issue immediately, but in my opinion, if we can fix a security issue without losing a feature, that is the best way to handle it. So here is my idea:

– create a new table in WordPress (called url_whitelist), empty by default. It has only two fields, id and url. This table will contain the whitelist of URLs to which the WordPress site is allowed to send pingbacks
– insert a line into wp-includes/class-wp-xmlrpc-server.php that queries the whitelist table above and compares it to $pagelinkedfrom. If the URL exists in the whitelist table, then the pingback may (depending on the next check/control) be allowed to be sent; if not (remember it is empty by default), WordPress will not send a pingback to any URL (so we prevent pingbacks from abusers or scanner tools but still allow WordPress to send pingbacks to whitelisted URLs)
– an interface in the dashboard that allows the admin to add whitelist URLs to the whitelist table.

That is my idea. I am sorry for my English.

Thank you

Kalpin

If you like the idea, please vote for it at https://wordpress.org/ideas/topic/a-better-way-to-prevent-xmlrpc-ping-back

Thank you
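To make the control point concrete, here is an added example in Python (not WordPress code and not part of the letter above) that models the check the letter proposes for class-wp-xmlrpc-server.php: a pingback.ping request is parsed, $pagelinkedfrom is compared against a whitelist that is empty by default, and the request is refused with a pingback fault before anything is fetched. The allowlist entries, the site names and the request bodies are constructed for the example; the "next check/control" the letter mentions (fetching the source and verifying it really links to the target) is deliberately left out.

```python
import xmlrpc.client
from urllib.parse import urlparse

# Constructed allowlist standing in for the proposed url_whitelist table.
# It is empty by default, so every pingback source is refused until an
# administrator adds a site through the dashboard.
ALLOWLIST = ["https://friend.example/blog/"]

# Pingback 1.0 fault code for "access denied". WordPress itself answers code 0
# ("A valid URL was not provided.") when it drops a source URI.
FAULT_ACCESS_DENIED = 49


def source_allowed(pagelinkedfrom, allowlist):
    """True only if pagelinkedfrom is an http(s) URL under an allowlisted entry.

    Scheme, host (case-insensitive) and path prefix must all match, so the entry
    https://friend.example/blog/ admits https://friend.example/blog/post-1 but not
    https://friend.example.attacker.test/blog/ and not http://friend.example/blog/.
    """
    src = urlparse(pagelinkedfrom)
    if src.scheme not in ("http", "https") or not src.hostname:
        return False
    for entry in allowlist:
        allowed = urlparse(entry)
        if (src.scheme == allowed.scheme
                and src.hostname.lower() == (allowed.hostname or "").lower()
                and (src.path or "/").startswith(allowed.path or "/")):
            return True
    return False


def handle_pingback(request_xml, allowlist):
    """Dispatch one raw XML-RPC request body and return the XML-RPC response body.

    The allowlist check runs before the point where WordPress would fetch
    pagelinkedfrom. That outbound fetch is what the 2014 campaign abused, so
    refusing early means no request ever leaves the server for an unknown source.
    """
    try:
        params, method = xmlrpc.client.loads(request_xml)
    except Exception:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32700, "parse error"),
                                   methodresponse=True)
    if method != "pingback.ping" or len(params) != 2:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32601, "method not supported"),
                                   methodresponse=True)
    pagelinkedfrom, pagelinkedto = params
    if not source_allowed(pagelinkedfrom, allowlist):
        return xmlrpc.client.dumps(
            xmlrpc.client.Fault(FAULT_ACCESS_DENIED, "Pingback source not whitelisted"),
            methodresponse=True)
    # Only here would WordPress fetch pagelinkedfrom and verify that it links to
    # pagelinkedto. That fetch is omitted in this example.
    return xmlrpc.client.dumps(
        ("Pingback from %s to %s registered." % (pagelinkedfrom, pagelinkedto),),
        methodresponse=True)


def decode_response(response_xml):
    """Return (fault_code, message) for a fault response, or (None, value) on success."""
    try:
        (value,), _ = xmlrpc.client.loads(response_xml)
        return None, value
    except xmlrpc.client.Fault as fault:
        return fault.faultCode, fault.faultString


def pingback_request(pagelinkedfrom, pagelinkedto):
    """Build the XML-RPC body a client (legitimate or scanner) would POST to xmlrpc.php."""
    return xmlrpc.client.dumps((pagelinkedfrom, pagelinkedto), methodname="pingback.ping")


if __name__ == "__main__":
    # Constructed requests: a scanner pointing this site at a victim, and a friend's post.
    abusive = pingback_request("https://victim.example/", "https://mysite.example/?p=1")
    legit = pingback_request("https://friend.example/blog/post-1", "https://mysite.example/?p=1")
    print(decode_response(handle_pingback(abusive, ALLOWLIST)))  # (49, 'Pingback source not whitelisted')
    print(decode_response(handle_pingback(legit, ALLOWLIST)))
    print(decode_response(handle_pingback(legit, [])))  # the empty default list refuses everything
```

The match is on scheme, host and path prefix rather than a plain substring search, because a substring match on "friend.example" would also admit friend.example.attacker.test; whatever storage the real implementation uses (the proposed table or an option), the comparison should be this strict.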

Posted in Umum

[Update] WordPress 0day XSS Vulnerability

To friends who have a website/blog running WordPress: please update to the latest WordPress, 4.2.1, right away, because of a 0day XSS vulnerability. An attacker can leave a comment on any post/page and insert an XSS script; when an administrator views that comment, the script runs in the administrator's browser and can be used to obtain access to or execute commands on the server.

The reference can be found at https://wordpress.org/news/2015/04/wordpress-4-2-1/

Posted in IT, Security

NAWALA Blocks Yahoo's Email MX

Today I received a report from a friend that his mail server could not send email to Yahoo (yahoo.com was tested; top-level or country-level domains such as yahoo.co.id were not tried yet), while sending to other destination mail servers, such as Gmail, worked normally.

At first I suspected the IP had been blacklisted, but it turned out it had not. Then I did manual testing, following the best-practice checks for troubleshooting a mail server:

1. Check Yahoo's MX records:

# host -t mx yahoo.com
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.

2. Check the IPs of the MX hosts returned (the second argument makes host query that server directly, here the Nawala resolver at 180.131.144.144):

# host mta7.am0.yahoodns.net. 180.131.144.144
Using domain server:
Name: 180.131.144.144
Address: 180.131.144.144#53
Aliases:
mta7.am0.yahoodns.net has address 127.0.0.1

# host mta5.am0.yahoodns.net. 180.131.144.144
Using domain server:
Name: 180.131.144.144
Address: 180.131.144.144#53
Aliases:
mta5.am0.yahoodns.net has address 127.0.0.1

So with Nawala DNS, Yahoo's MX hosts are redirected to the IP 127.0.0.1 (localhost); the MTA ends up trying to deliver Yahoo mail to itself. With another DNS resolver:

# host -t mx yahoo.com
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.

# host mta7.am0.yahoodns.net.
mta7.am0.yahoodns.net has address 98.138.112.34
mta7.am0.yahoodns.net has address 98.138.112.38
mta7.am0.yahoodns.net has address 63.250.192.45
mta7.am0.yahoodns.net has address 63.250.192.46
mta7.am0.yahoodns.net has address 66.196.118.36
mta7.am0.yahoodns.net has address 66.196.118.240
mta7.am0.yahoodns.net has address 98.136.216.26
mta7.am0.yahoodns.net has address 98.138.112.32

So NAWALA is blocking the host records of Yahoo's MX servers: the MX records themselves are returned intact, but the A records of the MX hosts are sinkholed to 127.0.0.1.

Then I tried to report it to Nawala through their site, but it gave an error that the explanation was too long (the results of the MX record check and the DNS lookups).

[screenshot: Nawala's report form rejecting the explanation as too long]

Fellow admins, especially those who manage a mail server and use Nawala DNS as the resolver on that mail server, please cross-check.

Hope this is useful

Posted in IT, SysAdmin

Lalu Lintas Lebay (3L) [Over-the-Top Traffic]

This is an example of over-the-top traffic :)


At the RSUD Tarakan intersection, Jakarta

Posted in Umum

Testing XMLRPC

Testing with XML-RPC enabled securely. I can post from anywhere, anytime with XML-RPC.

Posted in Umum