[wp-hackers] New Security Vulnerability?

Roy Schestowitz r at schestowitz.com
Fri Mar 10 04:14:21 GMT 2006

___/ On Thu 09 Mar 2006 18:35:33 GMT, [ Doug Stewart ] wrote : \___

> Joey B wrote:
>> Someone in IRC came in and asked about this link:
>> http://www.securityfocus.com/archive/1/427152/30/0/threaded
>> Figured I'd post it here since I haven't seen anyone else do so yet.
> They're basically trying to execute a DoS based upon repeated 
> registration attempts.  If we were to start implementing a wait time 
> on registrations coming from a single IP, it would likely ameliorate 
> this 'exploit'.

In that case, a different entry URL could be targetted. Such things are

,----[ Snippet ]
| 2) "Compromise by an extended Brute Force attack is not a CVE
| vulnerability."  (Brute Force Exception)
| [...]
| 3) "A denial of service in a client that is easy to recover from, is
| not a CVE vulnerability." (Client-Side Denial of Service Exception)

Source: http://www.cve.mitre.org/board/archives/1999-07/msg00146.html

While on the subject, 'fresh' from the press:

,----[ Snippet ]
| Or the bot-infected computers are used to launch DoS attacks - now running
| at 1,402 a day - as part of extortion attempts. Phishing attempts are
| approaching eight million a day.

Source: http://news.bbc.co.uk/1/hi/technology/4787474.stm

The only way to end this is to stop use of an operating system which is so
easy to hijack due to its flawed RPC model. My site's WordPress
installation has been attacked ~1500 times a day (on a daily basis) since
September 2005. Windows boxes from all over the world.

More information about the wp-hackers mailing list