[wp-hackers] New Security Vulnerability?

David Chait davebytes at comcast.net
Thu Mar 9 19:31:01 GMT 2006


Steve, you mind posting that as a reply on the sf website?

Also, seriously, isn't pretty much every script on every website 
susceptible to some form, better or worse, of DoS attack?  Is there anything 
unique to WP here?  Wouldn't ANY hacker script that quickly, repeatedly 
opens up near-unlimited sockets to a website be a "DoS attack"?  Aside from 
the particular 'mechanics' of registering a user, why is this any 'more' of 
a DoS than anything else?

And I assume since mod_security can filter this, that any adaptive 
hardware/anti-DoS firewall should pick up on a single IP trying to open 
hundreds/thousands of connections to a particular box, right?

While we're at it, why is DoS being called a 'security vulnerability'?  It's 
a service, uptime vulnerability -- totally different class of issues, and 
not one the average joe should ever have to worry about (frankly, if someone 
wants to launch a DoS attack on an average joe's site, there isn't a single 
thing average joe can do about it -- it's up to the OS, drivers, hardware, 
firewalls, sysadmins, NOCs, etc.)  Or at least that's my view of the world.

-d

----- Original Message ----- 
From: "steve caturan" <scaturan at negimaki.com>
To: <wp-hackers at lists.automattic.com>
Sent: Thursday, March 09, 2006 1:35 PM
Subject: Re: [wp-hackers] New Security Vulnerability?


| thanks for the heads up. now I have a mod_security ruleset for it.
|
| SecFilterSelective "THE_REQUEST" "wp-register.php" "id:1004,deny,log,status:412"
| #SecFilterRemove 1004
|
|
|
| Joey B wrote:
| > Someone in IRC came in and asked about this link:
| >
| > http://www.securityfocus.com/archive/1/427152/30/0/threaded
| >
| > Figured I'd post it here since I haven't seen anyone else do so yet.
| >
| > --
| > Joey Brooks
| > Milk Carton Designs || milkcartondesigns.com
| > _______________________________________________
| > wp-hackers mailing list
| > wp-hackers at lists.automattic.com
| > http://lists.automattic.com/mailman/listinfo/wp-hackers
| >
| >
| >
|
|
| 
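
An added example, not part of the original thread: the message above asks whether a single IP hammering one script should be caught by rate-based filtering rather than by blocking wp-register.php outright. The sketch below applies a per-IP sliding window to access-log lines; the log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common-log prefix: client IP, timestamp, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def _line(ip, sec, path):
    """Build one constructed log line (sample data, not from the thread)."""
    return f'{ip} - - [09/Mar/2006:19:00:{sec:02d} +0000] "POST {path} HTTP/1.1" 200 512'

SAMPLE = (
    [_line("203.0.113.7", s, "/wp-register.php") for s in range(8)]     # burst from one IP
    + [_line("198.51.100.4", s, "/wp-register.php") for s in (0, 30)]  # ordinary sign-ups
    + [_line("198.51.100.9", s, "/index.php") for s in range(8)]       # busy, different page
    + ["garbage line that does not parse"]
)

def flag_register_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: peak request count} for IPs that reach `threshold`
    requests to wp-register.php inside any `window`-long interval.
    Assumes lines are in chronological order, as in a normal access log."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of aborting
        ip, ts, _method, path, _status = m.groups()
        # Compare the script name only, ignoring query string and directory.
        if path.split("?", 1)[0].rsplit("/", 1)[-1] != "wp-register.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_register_floods(SAMPLE).items():
        print(f"{ip}: {peak} registration requests within 10s")
```

Unlike the blanket deny rule quoted in the thread, this approach leaves registration available to ordinary visitors and only singles out the client exceeding the rate.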


