I was researching a bit into the WordPress trackback utility. This is how it works:
You submit a post with trackback URLs, and when you publish the post, WordPress sends out a request to the URLs you listed. Essentially, this happens in the background.
You ---> WordPress Server ---> Trackback URL
The trackback request to the trackback URL is not made by your browser; it is sent by the server hosting the WordPress application. This was a bit surprising to me: what if my WordPress hosting company does not allow outbound traffic? Anyway, the request is nothing special; it's a straightforward POST request to the trackback URL with the following parameters.
I wrote a simple Perl script which you can use to send fake trackback requests. Although the request will go from your IP address (unless you use some anonymous proxy), you can specify the fake URL and other parameters which will appear to the victim’s WordPress. The only solution I can think of to avoid getting fake trackbacks is to check the submitted URL to see if it resolves to the same IP address. However, that might create some other problems.
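A sketch of the receiving-side check described above, as an added example that is not part of the original post: it resolves the host in the submitted URL and compares the result with the IP address the request came from. The function names and the sample DNS data are hypothetical, and the third case assumes one form the "other problems" could take (a genuine site whose outbound IP differs from its web IP), which the post itself does not spell out.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Return the set of IP address strings that host resolves to (live DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def trackback_source_matches(claimed_url, remote_addr, resolver=resolve_host):
    """True only if the host in claimed_url resolves to the connecting IP."""
    try:
        parts = urlsplit(claimed_url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        sender = ipaddress.ip_address(remote_addr)
        resolved = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
    except (ValueError, OSError):
        return False  # malformed URL/address or DNS failure: unverified
    return sender in resolved


# Constructed DNS data (documentation address ranges) so this runs offline.
SAMPLE_DNS = {
    "blog.example.org": {"192.0.2.10"},
    "shared-host.example.net": {"198.51.100.7"},
}


def sample_resolver(host):
    """Hypothetical stand-in for DNS, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return SAMPLE_DNS[host]


def demo():
    """Run the check over three constructed (claimed URL, connecting IP) pairs."""
    cases = [
        ("http://blog.example.org/post/1", "192.0.2.10"),    # same IP: accepted
        ("http://blog.example.org/post/1", "203.0.113.50"),  # other host: rejected
        # Genuine site whose outbound IP differs from its web IP: also rejected.
        ("http://shared-host.example.net/p", "198.51.100.99"),
    ]
    return [trackback_source_matches(u, ip, sample_resolver) for u, ip in cases]


if __name__ == "__main__":
    print(demo())
```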
However, I would be more interested in knowing if we can abuse it still further. At the moment I can't think of any more attack vectors to exploit this. As the connection to the trackback URL is made by the WordPress server, can we not make it connect to a malicious host? Can we not make it connect to different ports on different hosts… blah.. blah blah... I look forward to hearing comments on this. BTW this blog is not just about hacking WordPress :)