• Resolved tamramc

    (@tamramc)


    Per network admin investigating brute force login attempts from 185.86.231.10:

    Their response was/is:
    I am able to access /xmlrpc.php using the Insomnia REST Client from 185.220.70.155 [IP by the Private Internet Access VPN]

    Yet within your app: status is XML-RPC is disabled, and .htaccess has the following:
    <Files xmlrpc.php>
    Require all denied
    ErrorDocument 403 error.php
    </Files>

    For now file permissions disabled manually.

    2nd issue:
    Menus at the bottom of your plugin need to be updated to correct links. (screenshot) https://drive.google.com/file/d/16-RAAH5WXAYUDuNOcha3vdmKP_1UathR/view?usp=sharing

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Williams – WPMU DEV Support

    (@wpmudev-support8)

    Hello @tamramc

    I hope you’re well today and thank you for your question!

    In Defender there’s an option to disable XML-RPC (and another one, related, to disable Trackbacks and Pingbacks). They are available via “Security Tweaks” of Defender. I understand that they are both applied to the site?

    The file itself (xmlrpc.php) will be available but the question is if it actually accepts/responds to any requests. Was that checked? What did your investigators check exactly and what response(s) did they get?

    Let me know, please.

    2nd issue:
    Menus at the bottom of your plugin need to be updated to correct links. (screenshot) https://drive.google.com/file/d/16-RAAH5WXAYUDuNOcha3vdmKP_1UathR/view?usp=sharing

    Unfortunately, this link seems to be private so I can’t see the screenshot. Could you make it public and let us know here? Could you elaborate a bit more on this issue as well, please?

    Kind regards,
    Adam

    Thread Starter tamramc

    (@tamramc)

    oooh my bad, thought I made link public, which is usually first thing done. it is now. sorry about that.

    Thread Starter tamramc

    (@tamramc)

    Per this network admin from 185.220.70.155, with XML-RPC disabled, as well as all security tweaks set as recommended, and even .htaccess require all denied, he was able to access XML-RPC using Insomnia REST Client. It started from this hacking source 185.86.231.10. I noticed that file permissions were set to 744, meaning read accessible; however, .htaccess again, set to require all denied.

    • This reply was modified 4 years, 7 months ago by tamramc. Reason: clarity after typing w/o concentration ;-)
    Plugin Support Williams – WPMU DEV Support

    (@wpmudev-support8)

    Hi @tamramc

    Thank you for your response!

    I could confirm the issue with the menu so I’ve already reported it to our developers and they’ll update the link in the footer. Thank you for pointing it out.

    As for the XML-RPC, since I don’t know your site I can’t check it but as I mentioned earlier – Defender doesn’t block access to the file itself. It will still respond to a request but depending on the request the response might be different. When called directly in a browser it will say that only POST requests are allowed.

    When a POST request is done, the response might be different depending on the post so that’s why I asked for details of what they checked. The fact they did get the response is one thing but then the question is what exact request they sent and what response they got when they were testing it with this Insomnia REST Client.

    Just to test it again on my own setup I did the following thing:

    – first I put this code in a “testrpc.php” file:

    <?php
        // Load the PHPXMLRPC library (extracted next to this file)
        include("lib/xmlrpc.inc");
        $function_name = "wp.getAuthors";
        $url = "https://sitepoint.com/xmlrpc.php";

        $client = new xmlrpc_client($url);
        // Return plain PHP values instead of xmlrpcval objects
        $client->return_type = "phpvals";
        // Parameters: blog id, username, password
        $message = new xmlrpcmsg($function_name, array(
            new xmlrpcval(0, "int"),
            new xmlrpcval("username", "string"),
            new xmlrpcval("password", "string"),
        ));
        $resp = $client->send($message);

        if ($resp->faultCode()) {
            // The server answered with an XML-RPC fault
            echo 'KO. Error: ' . $resp->faultString();
        } else {
            // One entry per author returned by the call
            foreach ($resp->val as $key => $value) {
                echo "User id: " . $value["user_id"];
                echo "<br><br>";
                echo "Username: " . $value["user_login"];
                echo "<br><br>";
                echo "Display name: " . $value["display_name"];
                echo "<br><br>";
            }
        }
    ?>

    [courtesy of SitePoint]

    Then I uploaded it to a folder on a server (in a location different from the tested site; note: in the code above I’ve updated the URL to point to my installation protected with Defender) and I also downloaded the PHPXMLRPC library and uploaded it (extracted) to the same location.

    I then ran the code (which is supposed to get a list of authors on the site) with the XML-RPC security tweak disabled. It responded, as expected, that the username and password is incorrect – which is fine because I didn’t provide any in the code. But it’s enough to confirm that XML-RPC is not protected.

    So then I enabled the XML-RPC security tweak on that site via Defender and ran that code again and the response, again as expected, was “Error: XML-RPC services are disabled on this site”.

    This is expected behavior. If your developers only checked if the file is accessible and if it responds but didn’t really examine the responses, it’s a test that should be done again to confirm. It’s also possible that there is some “glitch” that actually makes some kind of requests insecure and unprotected, hence my question for the specific request(s) they made and the specific response(s) to requests that they got.

    Knowing about those could help further investigate the issue.

    Best regards,
    Adam
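
The distinction drawn in the reply above (the file being reachable versus the endpoint actually processing calls) can be checked mechanically. The following is an added example, not code from the thread or from Defender: it classifies one HTTP status and body pair from `xmlrpc.php`. The function names, HTTP statuses, fault codes and sample bodies are constructed assumptions; only the "services are disabled" wording is quoted in the thread.

```python
import xml.etree.ElementTree as ET

def parse_fault(body):
    """Return (faultCode, faultString) from an XML-RPC fault response, else None."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None  # refuse DTDs/entities in a response we did not author
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    fields = {}
    for member in root.findall("./fault/value/struct/member"):
        value = member.find("value")
        if value is None:
            continue
        # <value> wraps one typed child (<int>, <string>) or holds bare text
        text = value[0].text if len(value) else value.text
        fields[member.findtext("name")] = text or ""
    if "faultString" not in fields:
        return None
    return fields.get("faultCode", ""), fields["faultString"]

def classify(status, body):
    """Map one HTTP status + body to what it says about the endpoint."""
    if status == 403:
        return "blocked-at-web-server"      # what 'Require all denied' should yield
    if "post requests only" in body.lower():
        return "reachable-no-call-made"     # plain GET: proves nothing either way
    fault = parse_fault(body)
    if fault and "disabled" in fault[1].lower():
        return "disabled-in-application"    # file answers, calls are refused
    if fault or "<methodResponse>" in body:
        return "processing-requests"        # e.g. a bad-credentials fault
    return "unknown"

def fault_xml(code, text):  # builds constructed sample responses
    return ("<?xml version='1.0'?><methodResponse><fault><value><struct>"
            f"<member><name>faultCode</name><value><int>{code}</int></value></member>"
            f"<member><name>faultString</name><value><string>{text}</string></value></member>"
            "</struct></value></fault></methodResponse>")

# Constructed samples (status, body); not captured from any real site
SAMPLES = {
    "htaccess_deny": (403, "<h1>Forbidden</h1>"),
    "browser_get": (405, "XML-RPC server accepts POST requests only."),
    "tweak_on": (200, fault_xml(405, "XML-RPC services are disabled on this site.")),
    "tweak_off": (200, fault_xml(403, "Incorrect username or password.")),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:14} -> {classify(status, body)}")
```

If a request from outside returns anything other than `blocked-at-web-server` while the `<Files xmlrpc.php>` rule is in place, the deny rule is not being applied by the server that answered.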

  • The topic ‘Your menu link needs to be defined, & XLM-RPC is exposed’ is closed to new replies.