[wp-hackers] Plugin to stop wp-trackback DOS attack

Otto otto at ottodestruct.com
Wed Oct 21 15:37:03 UTC 2009


Hmm... While the trim does eliminate the issue, it seems to be
dependent upon which version of PHP you're using. When I tried it with
5.3, I get a null back instead of "array". It is conceivable (though
it would take a lot of testing) that some particular version of PHP,
or combination of extensions, could make a site vulnerable.

Essentially, it depends on the behavior of trim. I had assumed that
passing trim an array would cause a warning (it does), and then
continue at the next code segment. In your case, it converts to the
string "array". In mine, I get a null value from it. However, in both
cases, the $charset does get overwritten with that value.

Still, I don't think it's a great idea to rely on undocumented
behavior to prevent the issue here, but I do agree that it is not a
pressing problem.

-Otto
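As an added example (not WordPress code, nor Otto's or g30rg3_x's), the charset normalisation from the thread with and without the is_string() guard Otto proposes, run over constructed inputs including an array-valued parameter; the function names are hypothetical and the default list is the one quoted in the thread.

```php
<?php
// Added example: the unguarded normalisation beside the guarded one.
// Function names are hypothetical; the default list is from the thread.
const DEFAULT_CHARSETS = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';

// Before the guard: any truthy value, including an array, reaches trim().
// What comes back is version-dependent (null, "Array", or a TypeError on
// PHP 8), so the value handed on to mb_convert_encoding is not controlled.
function normalize_charset_unguarded($charset) {
    if ($charset)
        $charset = str_replace(array(',', ' '), '', strtoupper(trim($charset)));
    else
        $charset = DEFAULT_CHARSETS;
    return $charset;
}

// With the guard: only a non-empty string is normalised; everything else
// (arrays, ints, objects, empty values) falls back to the known default list.
function normalize_charset($charset) {
    if ($charset && is_string($charset))
        $charset = str_replace(array(',', ' '), '', strtoupper(trim($charset)));
    else
        $charset = DEFAULT_CHARSETS;
    return $charset;
}

// Constructed inputs standing in for the charset request parameter.
$cases = array(
    array('label' => 'plain string',            'value' => 'utf-8'),
    array('label' => 'spaces and comma',        'value' => ' utf-8, iso-8859-1 '),
    array('label' => 'empty string',            'value' => ''),
    array('label' => 'array via charset[]=...', 'value' => array('UTF-8', 'UTF-8', 'UTF-8')),
);

foreach ($cases as $case) {
    $guarded = normalize_charset($case['value']);
    try {
        // @ silences the PHP 5/7 "expects parameter 1 to be string" warning
        // so the returned value itself is visible in the output.
        $unguarded = var_export(@normalize_charset_unguarded($case['value']), true);
    } catch (TypeError $e) {
        // PHP 8 raises a TypeError instead of a warning for trim(array).
        $unguarded = 'TypeError: ' . $e->getMessage();
    }
    printf("%-26s unguarded=%s guarded=%s\n", $case['label'], $unguarded, $guarded);
}
```

Only the guarded column is stable across PHP versions; the array case always yields the default list rather than whatever trim() happens to return.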



On Wed, Oct 21, 2009 at 10:26 AM, g30rg3_x <g30rg3x at gmail.com> wrote:
> Hi Otto,
>
> That's the same I think after I see the patch by Ryan...
> But after a closer look I see that strtoupper() and trim()
> actually workaround/fix that issue when charset is an array of
> charsets.
>
> A simple test script made to prove this point...
> $charset = array('UTF-8','UTF-8','UTF-8');
> $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
> var_dump($charset);
>
> And this script will just output the following text...
> string(5) "ARRAY"
>
> So as you can see, trim takes the array of charsets (which in theory,
> if it happens to reach mb_convert_encoding as an array of charsets,
> will still be vulnerable to the DoS attack) and works with it as a
> string; in case trim fails, strtoupper will also do the same and
> therefore it will convert the array() into the string "array".
> More than being exploitable, it is just a plain bug (with no exploitable issue)
> which, as you say, should be fixed with the proposed patch...
>
> Regards
>
> 2009/10/21 Otto <otto at ottodestruct.com>:
>> It fixes the exploit in particular, but not the underlying issue. A
>> trivial change to the exploit can still trigger it. To fix the problem
>> itself, there needs to be an additional change.
>>
>>
>> Make this:
>>
>> if ($charset)
>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>> else
>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>
>>
>> into this:
>>
>> if ($charset && is_string($charset))
>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>> else
>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>
>>
>> That will correct another vector for the same attack.
>>
>> -Otto
>>
>>
>>
>> On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope at gmail.com> wrote:
>>> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>>>
>>> This should fix the new 0-day exploit.
>>>
>>> Lynne
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>
>
>
> _________________________
>             g30rg3_x

