[wp-hackers] Security

Hal Burgiss hal at burgiss.net
Mon Sep 7 13:05:18 UTC 2009


On Sun, Sep 06, 2009 at 05:48:24PM +0200, Thomas Scholz wrote:
> The main problem was: Registered users without any privileges could just
> add double slashes (//) into a URL to get some admin privileges (install
> plugins, mess up the database etc.).
> 
> So you have to forbid double slashes in all URLs. The .htaccess way would
> be:
> 
> RewriteEngine On
> RewriteBase /
> RewriteCond %{THE_REQUEST} ^[A-Z]+\ /(([^/\ ]+/)*)/+([^\ ]*)
> RewriteRule ^ /%1%3 [L,R=301]

Thanks Thomas! Very helpful.

-- 
Hal
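To see what the quoted RewriteCond/RewriteRule pair actually does to a request line before deploying it, here is an added Python model (not code from either poster) that runs the same regex over constructed THE_REQUEST values and follows the resulting 301 chain; the only assumption is that Python's re treats the pattern the same way Apache's PCRE does, which holds for the constructs used here.

```python
import re

# The RewriteCond pattern from the .htaccess snippet, copied unchanged;
# "\ " is a literal space in both PCRE and Python's re.
THE_REQUEST_PATTERN = re.compile(r"^[A-Z]+\ /(([^/\ ]+/)*)/+([^\ ]*)")


def rewrite_once(the_request):
    """Apply the rule to one THE_REQUEST value, e.g. 'GET /a//b HTTP/1.1'.

    Returns the Location target '/%1%3', or None when the condition does
    not match and the request passes through untouched.
    """
    m = THE_REQUEST_PATTERN.match(the_request)
    if m is None:
        return None
    # %1 = clean segments before the first run of slashes, %3 = the rest
    return "/" + m.group(1) + m.group(3)


def redirect_chain(method, path_and_query):
    """Follow the 301s a client would see until no doubled slash is left.

    The rule only removes the first run of doubled slashes per request, so a
    path with several such runs produces several redirects in a row.
    """
    chain = []
    current = path_and_query
    while True:
        target = rewrite_once(f"{method} {current} HTTP/1.1")
        if target is None:
            return chain
        chain.append(target)
        current = target


if __name__ == "__main__":
    # Constructed request paths for the demonstration
    for req in ["/wp-admin//plugins.php", "//wp-admin/",
                "/a//b//c?x=1", "/wp-admin/plugins.php"]:
        print(req, "->", redirect_chain("GET", req))
```

Requests with no doubled slash (including the bare `/`) do not match, so the rule cannot loop on already-clean URLs.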

