CO4509 Computer Security Assignment 2: WordPress CVE-2019-17669 Report

Added on  2022/08/21

|15
|3960
|12
Report
AI Summary
This report provides a comprehensive analysis of WordPress CVE-2019-17669, a Server Side Request Forgery (SSRF) vulnerability. It begins with an overview of WordPress, describing its functionalities, architecture, and common uses. The report then delves into the specifics of CVE-2019-17669, explaining how the SSRF vulnerability works and how it can be exploited. It also discusses the potential impact of the exploit. Furthermore, the report explores various solutions and mitigation strategies to defend against this vulnerability, including software updates, security plugins, and configuration changes. The report concludes with an analysis of the likely future importance and effectiveness of CVE-2019-17669, considering its impact on web application security and the ongoing efforts to address such vulnerabilities. The report also includes a discussion on the vulnerability of wordpress, CVE-2019-17669 has been briefly described in this report. The most appropriate solutions for this exploit has been briefly described in this report. An analysis of the probable future importance as well as the effectiveness of the CVE-2019-17669 has been provided briefly described in this report.
tabler-icon-diamond-filled.svg

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.
Document Page
Running head: CO4509 - COMPUTER SECURITY
CO4509 - COMPUTER SECURITY
Name of student
Name of university
Author’s note:
Table of Contents
Introduction....................................................................................................................2
Discussion......................................................................................................................2
Description of WordPress...........................................................................................2
Vulnerabilities of WordPress.................................................................................4
Description of CVE-2019-17669...............................................................................6
Description of the solutions to this exploit................................................................8
Analysis of future importance and the effectiveness of CVE-2019-17669...............9
Conclusion....................................................................................................................10
References....................................................................................................................11
Introduction
WordPress is a content management system based on PHP and MySQL. It is commonly used with a MySQL or MariaDB database server, but it can also use the SQLite database engine. This report discusses the software and its various functions. It briefly describes the WordPress vulnerability CVE-2019-17669 and the most appropriate solutions for this exploit, then briefly analyses the probable future importance and effectiveness of CVE-2019-17669. Lastly, the report closes with a conclusion.
Discussion
Description of WordPress
WordPress is a content management system based on PHP and MySQL. It is commonly used with a MySQL or MariaDB database server, but it can also use the SQLite database engine (Rodas-Silva et al. 2019). Its main features are a plugin architecture and a template system, referred to inside WordPress as themes. WordPress was originally created as a blog-publishing service, but it has since evolved to support many other kinds of web content, including conventional mailing sites, forums, membership sites, media galleries, learning management systems and online stores. It is presently the most popular content management system in use and serves a wide range of purposes (Jones 2018). It is also used in other application domains, such as pervasive display systems. To function, WordPress must be installed on a web server, either as part of an internet hosting service such as WordPress.com or on a computer running the software package from WordPress.org, which then acts as a network host in its own right. A local computer can be used for single-user testing and for learning (Messenlehner and Coleman 2019).
WordPress has been described as a factory for building web pages, an analogy used to clarify its various functions. It stores content and allows a user to create and publish web pages, needing nothing beyond a domain and a hosting service. WordPress includes a web template system driven by a template processor (Cabot 2018). Its architecture is a front controller: every request for a non-static URL is routed to a single PHP file, which parses the URL and identifies the target page. This is what supports its increasingly human-readable permalinks. Users can install and switch between the many themes available for the software. Themes let users change the look of a WordPress website without altering the core code or the site content. Every WordPress website needs at least one theme to be present, and each theme is built to WordPress standards using structured PHP, Cascading Style Sheets (CSS) and HyperText Markup Language (HTML) (Barnes 2017).
The plugin architecture of WordPress lets users extend the functionality and features of a particular blog or website. WordPress presently offers over 55,131 plugins, each providing custom functions and features that allow users to tailor their sites to their own requirements (Filotrani 2018). This figure does not include the premium plugins that are available but may not be listed in the WordPress.org repository. These customisations range from search engine optimisation to client portals used to display private information to logged-in users, to content management and content display features such as widgets and navigation bars. Not every plugin receives upgrades, and as a result a plugin may stop working properly or stop working altogether (Avila et al. 2016). Most plugins are available through WordPress itself, either by downloading and installing the files manually over FTP or by using the WordPress dashboard. Several third parties also offer plugins through their own websites, and a number of these are paid packages.
Before version 3, WordPress supported only one blog per installation, although multiple concurrent copies could run from different directories if they were configured to use separate database tables (Hayashi et al. 2018). WordPress Multisite was a fork of WordPress created to allow multiple blogs to exist within a single installation, administered by a single maintainer.
Vulnerabilities of WordPress
Several security issues have been uncovered in the software, particularly around 2007, 2015 and 2008. According to Secunia, the WordPress release made in April 2009 had seven unpatched security advisories, with a maximum rating of "less critical". Secunia maintains an up-to-date list of the vulnerabilities discovered in the software. Around January 2007, several high-profile search engine optimisation blogs and several low-level commercial blogs featuring AdSense were targeted and attacked using a WordPress exploit. A separate vulnerability on one of the project's web servers allowed an attacker to introduce exploitable code, in the form of a back door, into several downloads of WordPress 2.1.1. The release that addressed this issue was accompanied by an advisory urging all users to upgrade immediately. A study conducted around May 2007 found that almost 98% of the WordPress blogs in operation were exploitable, because they were running outdated and unsupported versions of the software (Beddoe and Bartley 2019). To mitigate this, a software update introduced a one-click automated update procedure. However, the filesystem security settings needed to enable the update procedure could be considered an additional risk.
Several modern analyses of the software have concluded that the security track record of WordPress is poor, and have cited issues with the application's architecture that make it unnecessarily difficult to write code that is secure against SQL injection and other vulnerabilities. Around June 2013, a majority of the roughly 50 most downloaded WordPress plugins were found to be vulnerable to common web attacks such as XSS and SQL injection. A separate inspection of the top 10 eCommerce plugins found that almost all of them were vulnerable. To promote better security and streamline the update experience, automatic background updates were introduced in WordPress version 3.7. An individual WordPress installation can be protected with security plugins that prevent user enumeration, thwart probes and hide resources. Users can further protect a WordPress installation by keeping the installation, plugins and themes up to date, by using only trusted plugins and themes, and by editing the site's .htaccess configuration file, where the web server supports it, to prevent several kinds of SQL injection attack and to block unauthorised access to the sensitive files on the system (Perry 2018). Keeping WordPress plugins updated is especially important, because a would-be hacker can easily list the plugins used by a site and then scan for known vulnerabilities in those specific plugins. If a vulnerable plugin is found, it may be exploited to let the hacker upload files that collect sensitive information.
Developers use a variety of tools to analyse potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework. These tools help to research known vulnerability classes such as LFI, CSRF, XSS, SQL injection and user enumeration. Not every vulnerability can be detected by tools, however, so several researchers recommend that plugin code be checked constantly and that any other add-ins from other developers be monitored.
Description of CVE-2019-17669
This vulnerability was discovered in WordPress versions before 5.2.4. WordPress prior to 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because its URL validation does not consider the interpretation of a name as a series of hex characters (Nvd.nist.gov, 2020). Server Side Request Forgery is a web security vulnerability that allows a user to induce a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, attackers cause the server to connect back to themselves, to other web-based services within the organisation's infrastructure, or to external third-party systems. In an SSRF attack, the attacker abuses functionality on the server to read or update internal resources (Sanchez-Rola, Balzarotti and Santos 2019). The attacker supplies or modifies a URL that the server-side code will read from or submit data to; by carefully choosing URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services such as HTTP-enabled databases, or perform POST requests to internal services that are not meant to be exposed. SSRF vulnerabilities let an attacker send crafted requests from the back-end server of the vulnerable WordPress application. Criminals commonly use SSRF attacks to target internal systems that sit behind firewalls and are not reachable from the external network. An attacker may also use SSRF to access services that are available only on the loopback interface of the exploited server (Patil et al. 2019). SSRF vulnerabilities arise when an attacker has complete or partial control over a request sent by the WordPress software. A common example is an attacker controlling the URL of a third-party service to which the application makes a request. Attackers can use SSRF to make requests to other internal resources that the web server can reach but that are not otherwise available. In some situations, the application may even allow the attacker to use exotic URL schemes (Semastin et al. 2018).
A successful SSRF attack often results in unauthorised access to data, or unauthorised actions, within the organisation, either in the vulnerable application itself or in other back-end systems the application can communicate with. In some situations an SSRF vulnerability may allow an attacker to achieve arbitrary command execution through the WordPress software. SSRF is also exploited to cause connections to external third-party systems, which can lead to malicious onward attacks that appear to originate from the organisation hosting the vulnerable WordPress software, with potential legal liability and damage to the organisation's reputation (Johns, SAP 2019). The target application may offer functionality for importing data from a URL, publishing data to a URL, or reading data from a URL, any of which can be tampered with. The attacker modifies the calls to this functionality by supplying an entirely different URL or by manipulating the way the URL is built. When the manipulated request reaches the server, the server-side code picks up the manipulated URL and attempts to read data from it (Gupta and Gola 2016). By selecting target URLs, the attacker may be able to read data from services that are not directly exposed on the internet.
Description of the solutions to this exploit
The most common solution to this exploit in the WordPress software is effective detection of the attack together with preventive measures. Automatically detecting a server side request forgery vulnerability in WordPress depends heavily on intermediary services, and detecting this kind of vulnerability requires an accurate and robust time-delay vector. These third-party intermediaries can detect the possible exploitation point and introduce preventive measures so that the attack on the application does not succeed. During the scanning phase, the intermediary sends requests that contain its own unique URL (Lo et al. 2019). If the software then makes a request to one of these unique URLs, a notification is sent back to the third-party company, which issues an alert of a possible server side request forgery. The alert carries information about the HTTP request: the IP address of the server that made the request and the User-Agent string used in the request. This information helps developers identify the source of the issue and then fix it. Simple blacklists and regular expressions applied to user input are a poor way to mitigate server side request forgery (Agnihotri and Patidar 2019). In general, blacklists are a poor way to implement security controls, because attackers can readily find ways to bypass them. In this case an attacker could use an HTTP redirect, a wildcard DNS service such as xip.io, or an alternate IP encoding.
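The out-of-band detection described above, as an added Python example that is not part of the report or of any particular scanning service: each probe is issued a unique callback URL, and a hit on that URL in the callback host's access log is correlated back to the probe and reported with the requesting server's IP address and User-Agent, as the alert described above carries. The callback hostname ssrf-canary.example, the tested endpoint and the log lines are constructed for the example.

```python
"""Out-of-band SSRF detection: correlate hits on per-probe callback URLs.

Added illustration, not code from the report or any particular scanner.
The callback hostname, token format and log lines are constructed.
"""
import re
import secrets
from dataclasses import dataclass

CALLBACK_HOST = "ssrf-canary.example"  # assumed: a listener the tester controls


@dataclass
class Probe:
    token: str       # unique identifier embedded in the callback URL
    tested_url: str  # application endpoint the probe was sent to
    parameter: str   # the URL-bearing parameter the callback URL was placed in


class CanaryRegistry:
    """Issues one unique callback URL per probe and remembers where it went."""

    def __init__(self):
        self._probes = {}

    def issue(self, tested_url, parameter):
        token = secrets.token_hex(8)
        self._probes[token] = Probe(token, tested_url, parameter)
        return f"http://{CALLBACK_HOST}/{token}"

    def lookup(self, token):
        return self._probes.get(token)


# Combined Log Format as written by common web servers on the callback host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def correlate(registry, log_lines):
    """Return one alert per callback-log hit that matches an issued token.

    The alert records what the intermediary reports back: the IP address of
    the server that made the request and the User-Agent it used.
    """
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        token = m.group("path").strip("/").split("/")[0]
        probe = registry.lookup(token)
        if probe is None:
            continue  # unrelated traffic, e.g. internet scanners hitting the listener
        alerts.append({
            "finding": "possible server side request forgery",
            "tested_url": probe.tested_url,
            "parameter": probe.parameter,
            "requester_ip": m.group("ip"),
            "user_agent": m.group("ua"),
            "time": m.group("time"),
        })
    return alerts


def demo():
    """Constructed run: one probe, one genuine callback, one unrelated hit."""
    registry = CanaryRegistry()
    callback = registry.issue("https://blog.example/fetch", "url")
    token = callback.rsplit("/", 1)[1]
    # Constructed sample lines from the callback host's access log.
    lines = [
        f'198.51.100.23 - - [10/Oct/2019:12:00:01 +0000] "GET /{token} HTTP/1.1" '
        '200 12 "-" "WordPress/5.2.3; https://blog.example"',
        '203.0.113.9 - - [10/Oct/2019:12:00:05 +0000] "GET /robots.txt HTTP/1.1" '
        '404 0 "-" "Mozilla/5.0"',
    ]
    return correlate(registry, lines)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```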
At present the most robust way to avoid server side request forgery through WordPress is to whitelist the DNS names or IP addresses that the WordPress application needs to access (Johnson, Cloudflare 2019). If a whitelist approach does not suit a particular deployment and a blacklist is the only option, it is crucial that user input is validated properly. For instance, requests to private IP addresses should not be allowed. To prevent response data from leaking to an attacker, it must be ensured that every received response is of the form that was expected; under no circumstances should the raw response body of a request sent by the server be delivered to the client. As WordPress uses HTTP or HTTPS to make its requests, only these URL schemes need to be allowed. If unused URL schemes are disabled, the attacker cannot use the web application to make requests over other, potentially dangerous, schemes.
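An added Python illustration, not WordPress's own code, of the two validation points this report makes: the flawed pattern of recognising only dotted-decimal hosts as IP addresses, so that a name that is really a series of hex characters is never checked against the private ranges (the class of flaw in the CVE description above), beside a hardened form that whitelists schemes and hosts and normalises alternate IP encodings before the private-range check. The `resolver` hook and all hostnames are assumptions so that the example runs offline.

```python
"""Outbound-URL validation for a server-side fetch: flawed and hardened forms.

Added illustration, not WordPress's own code. `naive_is_safe` shows the
pattern the report describes: only a dotted-decimal host is recognised as an
IP address, so a host written as hex characters is not checked against the
private ranges at all. `hardened_is_safe` normalises alternate IP spellings,
allows only http/https and supports a host whitelist. The `resolver` argument
is an assumed hook (a callable mapping a DNS name to an address) so that the
example runs offline.
"""
import ipaddress
import re
from urllib.parse import urlsplit

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
DOTTED_DECIMAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


def naive_is_safe(url):
    """Flawed check: anything that is not a dotted-decimal IP is waved through."""
    host = urlsplit(url).hostname or ""
    if not DOTTED_DECIMAL.match(host):
        return True  # treated as a hostname and never checked
    try:
        return not _is_private(ipaddress.ip_address(host))
    except ValueError:
        return False


def parse_numeric_host(host):
    """Interpret inet_aton-style spellings of an IPv4 address, or return None.

    Accepts hex (0x7f000001, 0x7f.0.0.1), octal (0177.0.0.1), a single
    integer (2130706433) and short dotted forms (127.1), where the last
    component fills the remaining bytes, as the C library does.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]+", p):
            values.append(int(p, 8))
        elif re.fullmatch(r"[0-9]+", p):
            values.append(int(p, 10))
        else:
            return None
    *lead, last = values
    remaining_bits = 8 * (4 - len(lead))
    if any(v > 255 for v in lead) or last >= 1 << remaining_bits:
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << remaining_bits) | last)


def hardened_is_safe(url, allowed_hosts=None, resolver=None):
    """Scheme whitelist, optional host whitelist, then a private-range check on
    the normalised address. A check-then-fetch design must still pin the
    resolved address for the actual request, or DNS rebinding defeats it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").strip(".").lower()
    if not host:
        return False
    if allowed_hosts is not None:
        return host in allowed_hosts
    ip = parse_numeric_host(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # IPv6 literal such as [::1]
        except ValueError:
            if resolver is None:
                return False  # unresolvable name: refuse rather than guess
            ip = ipaddress.ip_address(resolver(host))
    return not _is_private(ip)
```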
Analysis of future importance and the effectiveness of CVE-2019-17669
Following the detection of this vulnerability in WordPress, subsequent releases ensured that the software can no longer be used to execute SSRF. All the security patches have been implemented in the latest version of the software, which provides a strong platform for developers.
Conclusion
It can therefore be concluded from the above discussion that CVE-2019-17669, the Server Side Request Forgery vulnerability in WordPress, is significantly dangerous and leads to dangerous attacks on systems. WordPress is a content management system based on PHP and MySQL; it is commonly used with a MySQL or MariaDB database server, but it can also use the SQLite database engine. Its main features are a plugin architecture and a template system, referred to inside WordPress as themes. WordPress has been described as a factory for building web pages, an analogy used to clarify its various functions. Its plugin architecture lets users extend the functionality and features of a particular blog or website. WordPress prior to 5.2.4 has a Server Side Request Forgery vulnerability because its URL validation does not consider the interpretation of a name as a series of hex characters. Server Side Request Forgery is a web security vulnerability that allows a user to induce a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. The most common solution to this exploit in the WordPress software is effective detection of the attack together with preventive measures.
References
Agnihotri, S. and Patidar, P., 2019. Preventions of Cross Site Request Forgery
Attack. International Journal of Engineering Science, 20047.
Avila, J., Sostmann, K., Breckwoldt, J. and Peters, H., 2016. Evaluation of the free, open
source software WordPress as electronic portfolio system in undergraduate medical
education. BMC medical education, 16(1), p.157.
Barnes, T., 2017. Wordpress for Beginners. CreateSpace Independent Publishing Platform.
Beddoe, L. and Bartley, A., 2019. http://socialworkresearchnz.wordpress.com. Image.
Cabot, J., 2018. WordPress: a content management system to Democratize publishing. IEEE
Software, 35(3), pp.89-92.
Filotrani, L.J., 2018. WordPress for Journalists: From Plugins to Commercialisation.
Routledge.
Gupta, J. and Gola, S., 2016. Server Side Protection Against Cross Site Request Forgery
Using CSRF Gateway. J Inform Tech Softw Eng, 6(182), p.2.
Hayashi, M., Bachelder, S., Tsuruta, N., Sasaki, K. and Kondo, K., 2018. Wordpress-based
Blog System with a Capability of Showing Entries by TV-program-like CG Animations.
In ADADA2018 (The 16th International Conference of Asia Digital Art and Design), 22-24
November 2018 in National Cheng Kung University, Taiwan.
Johns, M., SAP SE, 2019. Cross-site request forgery (CSRF) vulnerability detection. U.S.
Patent 10,505,966.
Johnson, E., Cloudflare Inc, 2019. Providing cross site request forgery protection at an edge
server. U.S. Patent Application 16/103,820.
Jones, D., 2018. WordPress For Beginners: Tips and Tricks to Build a WordPress Website
Fast without Coding (Volume 2). CreateSpace Independent Publishing Platform.
Lo, L., Chao, C.Y., Yi, L., Uzcategui, L.A., Chang, J.Y.C. and Gandhi, R., International
Business Machines Corp, 2019. Guarding against cross-site request forgery (CSRF) attacks.
U.S. Patent 10,454,949.
Messenlehner, B. and Coleman, J., 2019. Building Web Apps with WordPress: WordPress as
an Application Framework. O'Reilly Media.
Nvd.nist.gov. (2020). NVD - CVE-2019-17669. [online] Available at:
https://nvd.nist.gov/vuln/detail/CVE-2019-17669 [Accessed 26 Jan. 2020].
Patil, A., Yadav, A., Krishnan, H. and Prasad, R., 2019. ANALYSIS OF CROSS SITE
REQUEST FORGERY ATTACK ON WEBKIT. IJRAR-International Journal of Research
and Analytical Reviews (IJRAR), 6(2), pp.145-155.
Perry, M., 2018. WordPress Website Owner's Manual 2018: The Illustrated User's Guide for
WordPress Websites and Blogs (Volume 2).
Rodas-Silva, J., Galindo, J.A., García-Gutiérrez, J. and Benavides, D., 2019. Selection of
software product line implementation components using recommender systems: An
application to Wordpress. IEEE Access, 7, pp.69226-69245.
Sanchez-Rola, I., Balzarotti, D. and Santos, I., 2019, December. BakingTimer: privacy
analysis of server-side request processing time. In Proceedings of the 35th Annual Computer
Security Applications Conference (pp. 478-488).
Semastin, E., Azam, S., Shanmugam, B., Kannoorpatti, K., Jonokman, M., Samy, G.N. and
Perumal, S., 2018. Preventive Measures for Cross Site Request Forgery Attacks on Web-based
Applications. International Journal of Engineering & Technology, 7(4.15), pp.130-134.