[wp-hackers] vuln

Scott Merrill skippy at skippy.net
Sun Aug 14 00:06:15 GMT 2005

perl and PHP code exists to automatically exploit vulnerable WP 
sites, allowing the attacker to (try to) execute code on the victim's 

The user agent used in the code I've reviewed is:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322)\r\n
which sucks, because that's a real user agent.  You could take the 
extreme position of rejecting all access from that user agent, but 
you'll exclude a lot of real visitors, too.

Likewise, the attack uses a plain ol' HTTP GET request, instead of POST, 
further complicating our defense strategies.

The code leverages wp_filter[query_vars].  Is there something specific 
that we can suggest _right now_ for people to do in their blog's code to 
help protect them?

Certainly `php_flag register_globals off` in .htaccess is one step; but 
I would really like to offer as complete a solution as possible: 
security in depth.

I want to construct a sticky forum post _officially_ responding to the 
issue, describing the problem, and providing as complete a solution as 
possible for users _right now_.


skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35

More information about the wp-hackers mailing list