[wp-trac] Re: [WordPress Trac] #4137: Pingback Denial of Service possibility
WordPress Trac
wp-trac at lists.automattic.com
Tue Jul 3 08:46:23 GMT 2007
#4137: Pingback Denial of Service possibility
-------------------------------------+--------------------------------------
Reporter: foobarwp12 | Owner: pishmishy
Type: defect | Status: assigned
Priority: high | Milestone: 2.3 (trunk)
Component: Security | Version: 2.1.3
Severity: normal | Resolution:
Keywords: xmlrpc ddos possibility |
-------------------------------------+--------------------------------------
Changes (by pishmishy):
* owner: => pishmishy
* status: new => assigned
* summary: Pingback DDOS possibility => Pingback Denial of Service possibility
Comment:
Replying to [ticket:4137 foobarwp12]:
> I suggest allowing pingbacks only if the connection was opened from the
> host mentioned in the source URL.
This is a tricky one. I think this suggestion will break for URLs where
the host name is an alias for another host as the URL's hostname might be
completely different to the hostname of the system where the pingback
request comes from.
Setting a limit on the size of the download wouldn't completely remove the
amplification effect (the limit would have to be less than the size of the
xmlrpc request) but it is what the Pingback specification recommends.
I've changed the name of this ticket - there is the potential for a
distributed denial of service here but the real issue is the amplification
in bandwidth leading to a traditional denial of service attack.
--
Ticket URL: <http://trac.wordpress.org/ticket/4137#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
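The download cap discussed in the comment above, worked through as an added example (this is not WordPress code and not from the ticket): the server reads the pingback source page through a bounded reader that never requests more than the cap plus one byte, abandons the fetch once the cap is exceeded, and only then checks that the page actually links to the target. The request bytes, the target URL, the 64 KiB cap and the sample pages are all constructed placeholders; the amplification_factor helper shows why the cap bounds the bandwidth multiplier rather than removing it.

```python
import io

# Constructed sample XML-RPC pingback.ping request, roughly what a pinging
# client sends; the URLs are placeholders, not taken from the ticket.
PINGBACK_REQUEST = (
    b'<?xml version="1.0"?>\n'
    b"<methodCall>\n"
    b"  <methodName>pingback.ping</methodName>\n"
    b"  <params>\n"
    b"    <param><value><string>http://source.example/post</string></value></param>\n"
    b"    <param><value><string>http://blog.example/?p=1</string></value></param>\n"
    b"  </params>\n"
    b"</methodCall>\n"
)
TARGET_URL = "http://blog.example/?p=1"

# Hypothetical cap on how much of the source page the server will download.
# The Pingback spec recommends having a limit; this particular value is ours.
MAX_SOURCE_BYTES = 64 * 1024


class SourceTooLarge(Exception):
    """Raised when the source page exceeds the download cap."""


def open_source(data):
    """Stand-in for an HTTP response body: an in-memory stream over bytes."""
    return io.BytesIO(data)


def read_bounded(stream, limit, chunk_size=4096):
    """Read at most `limit` bytes from a file-like stream.

    Reads in chunks and never asks for more than limit+1 bytes in total, so a
    multi-megabyte source page costs at most limit+1 bytes of bandwidth before
    the fetch is abandoned.
    """
    buf = bytearray()
    while len(buf) <= limit:
        want = min(chunk_size, limit + 1 - len(buf))
        chunk = stream.read(want)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
    raise SourceTooLarge(f"source exceeded {limit} bytes")


def source_links_to_target(body, target_url):
    """Minimal check that the fetched source page actually links to the target."""
    return target_url.encode("utf-8") in body


def verify_pingback_source(stream, target_url=TARGET_URL, limit=MAX_SOURCE_BYTES):
    """Fetch the source page under the cap; True only if it links to the target."""
    body = read_bounded(stream, limit)
    return source_links_to_target(body, target_url)


def amplification_factor(downloaded_bytes, request_bytes=len(PINGBACK_REQUEST)):
    """Bandwidth amplification: bytes the server downloads per byte of request."""
    return downloaded_bytes / request_bytes


# Constructed sample source pages for a stand-alone run
SMALL_PAGE = b'<html><body><a href="http://blog.example/?p=1">nice post</a></body></html>'
HUGE_PAGE = b"<html><body>" + b"A" * (4 * 1024 * 1024) + b"</body></html>"

if __name__ == "__main__":
    print(verify_pingback_source(open_source(SMALL_PAGE)))  # True
    try:
        verify_pingback_source(open_source(HUGE_PAGE))
    except SourceTooLarge as exc:
        print("rejected:", exc)
    # An uncapped fetch of HUGE_PAGE costs this many bytes per request byte:
    print(round(amplification_factor(len(HUGE_PAGE)), 1))
    # With the cap the worst case is bounded, though still above 1:
    print(round(amplification_factor(MAX_SOURCE_BYTES + 1), 1))
```

Note that the bounded reader addresses only the bandwidth amplification; it does nothing about the host-alias concern raised in the comment, which is a separate question of whether the requesting address can be tied to the source URL at all.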