[wp-testers] WordPress 2.0.1 Remote DoS Exploit?
Dougal Campbell
dougal at gunters.org
Fri Mar 10 15:55:51 GMT 2006
Craig wrote:
> So, you're saying this isn't a vulnerability?
> <runs and hides>
Calling this DoS a "WordPress security vulnerability" is somewhat like
saying that your car can be denied service by dropping a dumptruck load
of dirt at the end of your driveway.
Consider this: any web service which collects information and stores it
in some way is vulnerable to this sort of "attack". That's pretty much
every forum site out there. And it's not much different than filling up
a system's hard disk by sending a zillion bogus emails.
As others have already pointed out, rate-limiting registrations by IP
number won't help when attackers switch to a distributed attack. And
besides, not many sites really *need* to have open registration. For
those that do, protection can be added by plugins using the
user_register API hook. I wonder if the Akismet plugin could even be
brought into play here? That might be an interesting extension.
--
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/
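As an added illustration of the plugin-based protection Dougal mentions (example code, not from the thread or the WordPress project): a small plugin that caps new registrations per client IP over a time window. It assumes WordPress's transient API (`get_transient`/`set_transient`) and the `registration_errors` filter, which runs before the account row is written and so can reject the attempt; the `user_register` action from the message fires only after the account exists, so here it is used just to count successful registrations. The plugin name, constants and function names are all hypothetical.

```php
<?php
/*
Plugin Name: Registration Throttle (added example)
Description: Per-IP limit on new registrations within a time window.
*/

// Hypothetical example plugin, not part of the original thread.
// Assumes WordPress transients and the 'registration_errors' filter.

define( 'REGTHROTTLE_MAX_PER_WINDOW', 3 );        // registrations allowed per IP per window
define( 'REGTHROTTLE_WINDOW', HOUR_IN_SECONDS );  // window length in seconds

// Only trust REMOTE_ADDR: X-Forwarded-For is client-controlled unless a
// reverse proxy you operate is known to overwrite it.
function regthrottle_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function regthrottle_key( $ip ) {
    return 'regthrottle_' . md5( $ip );
}

// Before the account is created: reject if this IP already hit the limit.
function regthrottle_check( $errors, $sanitized_user_login, $user_email ) {
    $count = (int) get_transient( regthrottle_key( regthrottle_client_ip() ) );
    if ( $count >= REGTHROTTLE_MAX_PER_WINDOW ) {
        $errors->add(
            'regthrottle_limit',
            __( 'Too many registrations from your address; please try again later.' )
        );
    }
    return $errors;
}
add_filter( 'registration_errors', 'regthrottle_check', 10, 3 );

// After a successful registration: bump the per-IP counter. Each call
// restarts the expiry, so the window extends while registrations continue.
function regthrottle_record( $user_id ) {
    $key   = regthrottle_key( regthrottle_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, REGTHROTTLE_WINDOW );
}
add_action( 'user_register', 'regthrottle_record' );
```

As the message itself notes, a per-IP limit like this only raises the cost for a single source and does nothing against a distributed flood; it is a complement to disabling open registration where it is not needed, or to content-based checks such as the Akismet idea raised above, not a substitute for them.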