[wp-hackers] Plugin to stop wp-trackback DOS attack

g30rg3_x g30rg3x at gmail.com
Wed Oct 21 16:09:33 UTC 2009


I'm using PHP 5.2.6...
And it only gives a notice about the implicit conversion if, obviously,
notices are turned on.
I do believe that it should be patched with your proposal, because the
script is actually expecting a string, not an array...

Regards

2009/10/21 Otto <otto at ottodestruct.com>:
> Hmm... While the trim does eliminate the issue, it seems to be
> dependent upon which version of PHP you're using. When I tried it with
> 5.3, I get a null back instead of "array". It is conceivable (though
> it would take a lot of testing) that some particular version of PHP,
> or combination of extensions, could make a site vulnerable.
>
> Essentially, it depends on the behavior of trim. I had assumed that
> passing trim an array would cause a warning (it does), and then
> continue at the next code segment. In your case, it converts to the
> string "array". In mine, I get a null value from it. However, in both
> cases, the $charset does get overwritten with that value.
>
> Still, I don't think it's a great idea to rely on undocumented
> behavior to prevent the issue here, but I do agree that it is not a
> pressing problem.
>
> -Otto
>
>
>
> On Wed, Oct 21, 2009 at 10:26 AM, g30rg3_x <g30rg3x at gmail.com> wrote:
>> Hi Otto,
>>
>> That's the same I think after I saw the patch by Ryan...
>> But after a closer look I see that strtoupper() and trim()
>> actually work around/fix that issue when charset is an array of
>> charsets.
>>
>> A simple test script made to prove this point...
>> $charset = array('UTF-8','UTF-8','UTF-8');
>> $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>> var_dump($charset);
>>
>> And this script will just output the next text...
>> string(5) "ARRAY"
>>
>> So as you can see, trim takes the array of charsets (which, in theory,
>> if it happens to reach mb_convert_encoding as an array of charsets,
>> would still be vulnerable to the DoS attack) and works with it as a
>> string; in case trim fails, strtoupper will also do the same and
>> therefore convert the array() into the string "array".
>> More than being exploitable, it is just a plain bug (with no exploitable
>> issue) which, as you say, should be fixed with the proposed patch...
>>
>> Regards
>>
>> 2009/10/21 Otto <otto at ottodestruct.com>:
>>> It fixes the exploit in particular, but not the underlying issue. A
>>> trivial change to the exploit can still trigger it. To fix the problem
>>> itself, there needs to be an additional change.
>>>
>>>
>>> Make this:
>>>
>>> if ($charset)
>>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>>> else
>>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>>
>>>
>>> into this:
>>>
>>> if ($charset && is_string($charset))
>>>        $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
>>> else
>>>        $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
>>>
>>>
>>> That will correct another vector for the same attack.
>>>
>>> -Otto
>>>
>>>
>>>
>>> On Tue, Oct 20, 2009 at 6:59 PM, Lynne Pope <lynne.pope at gmail.com> wrote:
>>>> WordPress 2.8.5: Hardening Release http://j.mp/3gZDRS
>>>>
>>>> This should fix the new 0-day exploit.
>>>>
>>>> Lynne
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>>>



--
_________________________
             g30rg3_x
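The thread's conclusion is that the trackback handler should never pass a non-string charset into the trim()/strtoupper()/str_replace() chain, because what trim() does with an array differs between PHP versions (the string "array" on 5.2.6, null on 5.3, and a TypeError on current PHP 8). The following is an added example, not WordPress code and not code from anyone in this thread. It applies Otto's is_string() check as a standalone helper, adds an allow-list on the resulting encoding name, and runs the cases discussed above (a plain string, an array such as one produced by a `charset[]=` query string, an empty value) through it. The names normalize_trackback_charset(), DEFAULT_CHARSETS and self_check() are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example; not WordPress code and not from the thread authors.
// Function and constant names are hypothetical.

// The fallback list used by the original handler when no usable charset is given.
const DEFAULT_CHARSETS = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';

/**
 * Normalise the charset parameter of a trackback request.
 *
 * Returns the caller's value trimmed, upper-cased and with commas and spaces
 * removed (the same transformation the patched handler applies), or the
 * default list when the value is empty, not a string, or contains characters
 * that no encoding name uses.
 */
function normalize_trackback_charset($charset) {
    // A "charset[]=..." query string arrives as a PHP array. Checking the type
    // before calling trim() makes the result independent of how a given PHP
    // version coerces (or refuses to coerce) an array to a string.
    if (!is_string($charset) || $charset === '') {
        return DEFAULT_CHARSETS;
    }
    $charset = str_replace(array(',', ' '), '', strtoupper(trim($charset)));
    // Encoding names consist of letters, digits, '-' and '_' only; anything
    // else (NUL bytes, percent sequences, control characters) is rejected.
    if (!preg_match('/^[A-Z0-9_-]+$/', $charset)) {
        return DEFAULT_CHARSETS;
    }
    return $charset;
}

/**
 * Run the helper over constructed inputs that mimic what $_POST['charset']
 * can contain. Returns true when every case produced the expected value.
 */
function self_check() {
    $cases = array(
        'plain string'      => array('utf-8', 'UTF-8'),
        'spaces and commas' => array(' utf-8, iso-8859-1 ', 'UTF-8ISO-8859-1'),
        'array input'       => array(array('UTF-8', 'UTF-8', 'UTF-8'), DEFAULT_CHARSETS),
        'empty string'      => array('', DEFAULT_CHARSETS),
        'non-name bytes'    => array("utf-8\x00%ff", DEFAULT_CHARSETS),
    );
    $ok = true;
    foreach ($cases as $name => $pair) {
        list($input, $expected) = $pair;
        $got  = normalize_trackback_charset($input);
        $pass = ($got === $expected);
        $ok   = $ok && $pass;
        printf("%-18s %s\n", $name, $pass ? 'ok' : "FAIL (got $got)");
    }
    return $ok;
}

exit(self_check() ? 0 : 1);
```

Run it with `php normalize_trackback_charset.php`; each case prints `ok` and the script exits 0. The "spaces and commas" case shows that the helper keeps the handler's original behaviour for string input (commas and spaces are stripped, not turned into a separator), so the only change in outcome is for array, empty and malformed values, which now always land on DEFAULT_CHARSETS.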

