WordPress affected versions
WordPress versions prior to 4.0.1
- Guess usernames
- Perform a Denial of Service
WordPress computes password hashes (MD5 with a salt) using phpass. When a very long password is provided, this hash calculation consumes a large amount of CPU resources.
Denial of service
- The DoS attack crashes the entire server because RAM and swap are exhausted. The CPU is also saturated.
- The DoS attack crashes the database.
If the Apache configuration is optimized and tuned to the hardware resources, we are able to quickly occupy all available sessions and hold them for 30 seconds, which results in a DoS without crashing the server or database.
Why did we say 30 seconds?
30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. By default, the max_execution_time value is set to 30 in the php.ini configuration. This helps prevent poorly written scripts from tying up the server.
How to fix
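As an added illustration (not code from the original post, WordPress or phpass), the PHP sketch below shows why the cost of a salted, iterated MD5 grows with password length and how a length check before hashing bounds it. The 4096-byte cap, the round count, the salt and the function names are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Assumed cap for illustration; pick a value that fits your password policy.
const MAX_PASSWORD_BYTES = 4096;

// Simplified salted, iterated MD5 in the style of a phpass portable hash.
// Every round re-hashes the full password, so cost ~ rounds * strlen($password).
function iterated_md5(string $password, string $salt, int $log2Rounds = 13): string
{
    $hash = md5($salt . $password, true);
    for ($i = 0, $n = 1 << $log2Rounds; $i < $n; $i++) {
        $hash = md5($hash . $password, true);
    }
    return bin2hex($hash);
}

// Hardened wrapper: reject oversized input before any hashing work is done.
function guarded_hash(string $password, string $salt): ?string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return null; // caller treats this as a failed login
    }
    return iterated_md5($password, $salt);
}

// Time one call, in milliseconds.
function time_ms(callable $fn): float
{
    $start = hrtime(true);
    $fn();
    return (hrtime(true) - $start) / 1e6;
}

$salt = 'constructed-salt';            // constructed sample value
foreach ([16, 4096, 65536] as $len) {  // constructed sample lengths
    $pw = str_repeat('A', $len);
    $raw = time_ms(fn() => iterated_md5($pw, $salt));
    $guarded = time_ms(fn() => guarded_hash($pw, $salt));
    printf("%6d bytes: unguarded %8.2f ms, guarded %8.2f ms\n", $len, $raw, $guarded);
}
```

For inputs above the cap the guarded call returns immediately, so the per-request CPU time stays bounded regardless of what the client submits.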
Proof of Concept
http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html
CVE Information
CVE-2014-9034 has been assigned to this vulnerability.