[wp-hackers] Plugin to stop wp-trackback DOS attack

g30rg3_x g30rg3x at gmail.com
Wed Oct 21 15:26:30 UTC 2009


Hi Otto,

That's the same I think after I saw the patch by Ryan...
But after a closer look I see that strtoupper() and trim()
actually work around/fix that issue when charset is an array of
charsets.

A simple test script made to prove this point...
<?php
// charset supplied as an array instead of a string
$charset = array('UTF-8','UTF-8','UTF-8');
$charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
var_dump($charset);

And this script will just output the next text...
string(5) "ARRAY"

So as you can see, trim takes the array of charsets (which in theory, if
it happens to reach mb_convert_encoding as an array of charsets, will
still be vulnerable to the DoS attack) and works with it as a
string; in case trim fails, strtoupper will also do the same and
therefore it will convert the array() into the string "array".
More than being exploitable, it is just a plain bug (with no exploitable issue)
which, as you say, should be fixed with the proposed patch...

Regards

2009/10/21 Otto <otto at ottodestruct.com>:
> It fixes the exploit in particular, but not the underlying issue. A
> trivial change to the exploit can still trigger it. To fix the problem
> itself, there needs to be an additional change.
>
>
> Make this:
>
> if ($charset)
>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
> else
>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>
>
> into this:
>
> if ($charset && is_string($charset))
>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
> else
>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>
>
> That will correct another vector for the same attack.
>
> -Otto
>
>
>
> On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope at gmail.com> wrote:
>> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>>
>> This should fix the new 0-day exploit.
>>
>> Lynne
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
/**
CONFIDENTIALITY NOTICE: This message is intended to be viewed only by
the listed recipient(s).
It may contain information that is privileged, confidential and/or
exempt from disclosure under applicable law.
Any dissemination, distribution or copying of this message is strictly
prohibited without our prior written permission.
If you are not an intended recipient, or if you have received this
communication in error, please notify us immediately by return e-mail
and permanently remove the original message and any copies from your
computer and all back-up systems.
*/
_________________________
             g30rg3_x
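The is_string() check Otto proposes above, worked through as an added example; this is not code from the thread or from WordPress itself. The function name normalize_charset, the constant DEFAULT_CHARSETS and the sample inputs are my own choices; the normalization itself mirrors the patched snippet quoted in the thread, where only a non-empty string is accepted and anything else (including an array, which is how PHP hands over a repeated request parameter) falls back to the default charset list.

```php
<?php
// Added example (not WordPress code): normalize the trackback "charset"
// parameter the way the patched snippet in this thread does, so that
// non-string input never reaches mb_convert_encoding().

// Default list taken from the snippet quoted in the thread.
const DEFAULT_CHARSETS = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';

function normalize_charset($charset)
{
    // Only a truthy string is accepted. An array (or any other type)
    // is rejected and replaced by the default list instead of being
    // coerced to "ARRAY" by trim()/strtoupper().
    if ($charset && is_string($charset)) {
        return str_replace(array(',', ' '), '', strtoupper(trim($charset)));
    }
    return DEFAULT_CHARSETS;
}

// Constructed sample inputs, shaped like what PHP's request parsing
// would produce for a charset parameter sent in different forms.
$samples = array(
    'plain string' => 'utf-8',
    'padded list'  => ' utf-8, iso-8859-1 ',
    'array input'  => array('UTF-8', 'UTF-8', 'UTF-8'),
    'empty string' => '',
);

foreach ($samples as $label => $input) {
    printf("%-12s => %s\n", $label, var_export(normalize_charset($input), true));
}
```

Run with `php normalize_charset.php`: the two string inputs come back upper-cased with whitespace and commas stripped, while the array and the empty string both yield the default list, which is the behaviour the proposed patch is after.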

