[wp-testers] WordPress 2.0.1 Remote DoS Exploit?

Dougal Campbell dougal at gunters.org
Fri Mar 10 15:55:51 GMT 2006


Craig wrote:
> So, you're saying this isn't a vulnerability?
> <runs and hides>

Calling this DoS a "WordPress security vulnerability" is somewhat like 
saying that your car can be denied service by dropping a dumptruck load 
of dirt at the end of your driveway.

Consider this: any web service which collects information and stores it 
in some way is vulnerable to this sort of "attack". That's pretty much 
every forum site out there. And it's not much different than filling up 
a system's hard disk by sending a zillion bogus emails.

As others have already pointed out, rate-limiting registrations by IP 
number won't help when attackers switch to a distributed attack. And 
besides, not many sites really *need* to have open registration. For 
those that do, protection can be added by plugins using the 
user_register API hook. I wonder if the Akismet plugin could even be 
brought into play here? That might be an interesting extension.

-- 
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/
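As an added illustration of the plugin-level protection mentioned in the post (not code from this thread or from WordPress itself), the sketch below throttles open registration per client address; it assumes a WordPress with the `registration_errors` filter and the transients API, and the limit, window and function names are my own choices. As the post notes, a per-address limit like this does nothing against a distributed flood, so it is a speed bump, not a fix.

```php
<?php
/*
Plugin Name: Registration throttle (illustrative example, not a real plugin)
*/

// Hypothetical limits chosen for this example: at most REG_THROTTLE_MAX
// new accounts per client address within REG_THROTTLE_WINDOW seconds.
const REG_THROTTLE_MAX    = 3;
const REG_THROTTLE_WINDOW = 3600;

function reg_throttle_key() {
    // Use REMOTE_ADDR only. X-Forwarded-For is client-supplied and must not
    // be trusted unless a proxy you control overwrites it.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'reg_throttle_' . md5($ip);
}

// registration_errors runs before the account row is inserted, so adding an
// error here makes wp-login.php?action=register refuse the request instead of
// storing yet another bogus user.
function reg_throttle_check($errors, $sanitized_user_login, $user_email) {
    $count = (int) get_transient(reg_throttle_key());
    if ($count >= REG_THROTTLE_MAX) {
        $errors->add(
            'reg_throttled',
            __('Too many registrations from your address; please try again later.')
        );
    }
    return $errors;
}
add_filter('registration_errors', 'reg_throttle_check', 10, 3);

// user_register fires only after a successful insert; count it against the
// window so the next attempt from the same address sees the updated total.
function reg_throttle_record($user_id) {
    $key   = reg_throttle_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, REG_THROTTLE_WINDOW);
}
add_action('user_register', 'reg_throttle_record');
```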
