[wp-hackers] Plugin to stop wp-trackback DOS attack
Otto
otto at ottodestruct.com
Wed Oct 21 14:41:12 UTC 2009
It fixes the exploit in particular, but not the underlying issue. A
trivial change to the exploit can still trigger it. To fix the problem
itself, there needs to be an additional change.
Make this:
    if ($charset)
        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
    else
        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
into this:
    if ($charset && is_string($charset))
        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
    else
        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
That will correct another vector for the same attack.
-Otto
On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope at gmail.com> wrote:
> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>
> This should fix the new 0-day exploit.
>
> Lynne
>
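The is_string() check from the message above, placed in a stand-alone helper and run over constructed inputs. This is an added example, not code from the thread or from WordPress; normalize_charset() is a hypothetical name, and the allowlist step is an assumption that goes beyond what the message proposes.

```php
<?php
// Added example, not WordPress code. normalize_charset() is a hypothetical helper.

// Default detection list, copied from the snippet in the message.
const DEFAULT_CHARSETS = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';

function normalize_charset($raw)
{
    // A request parameter is not guaranteed to be a string (PHP can hand
    // the script an array), so anything else falls back to the default list.
    if (!is_string($raw) || $raw === '') {
        return DEFAULT_CHARSETS;
    }

    // Same normalisation as the snippet: upper-case, no commas, no spaces,
    // so the value can only ever name a single encoding.
    $name = str_replace(array(',', ' '), '', strtoupper(trim($raw)));

    // Assumption beyond the message: accept only names that appear in the
    // default list, and fall back to the default list otherwise.
    $allowed = array_map('trim', explode(',', DEFAULT_CHARSETS));

    return in_array($name, $allowed, true) ? $name : DEFAULT_CHARSETS;
}

// Constructed inputs covering the string and non-string cases.
$samples = array(
    'plain string'   => 'utf-8',
    'padded string'  => ' euc-jp ',
    'comma list'     => 'UTF-8, UTF-8',
    'array value'    => array('UTF-8', 'UTF-8'),
    'empty string'   => '',
    'missing (null)' => null,
);

foreach ($samples as $label => $value) {
    printf("%-15s => %s\n", $label, normalize_charset($value));
}
```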