[wp-hackers] wp-trackbacks.php and SQL injection

Ryan Boren ryan at boren.nu
Mon Jul 24 17:51:48 GMT 2006

Stefano wrote:
> My provider asked got a series of DDDOS attack and lot of theyr client
> using WP gpot thpudsns of spam comments and resources get drawn by
> this attack.
> It says look likes that the wp-trackbacks.php files is called lot of
> time to tempt a SQL injections adn to make SPAM
> I really didin't made a deep search to find if the rpoblem is known
> and related to an old WP version, just wondering if the problem is
> known and if there is a solution already.
> It's clear that nothing can be done about the thousands calls, just
> wondering if there is a leak about secyrity in this file in previous
> oor actual version.

There was a bug fixed at the beginning of 2005 where the tb_id wasn't 
being cast to an int.  That's the only one I recall.


More information about the wp-hackers mailing list