[wp-hackers] Security
Hal Burgiss
hal at burgiss.net
Mon Sep 7 13:05:18 UTC 2009
On Sun, Sep 06, 2009 at 05:48:24PM +0200, Thomas Scholz wrote:
> The main problem was: Registered users without any privileges could just
> add double slashes (//) into a URL to get some admin privileges (install
> plugins, mess up the database etc.).
>
> So you have to forbid double slashes in all URLs. The .htaccess way would
> be:
>
> RewriteEngine On
> RewriteBase /
> RewriteCond %{THE_REQUEST} ^[A-Z]+\ /(([^/\ ]+/)*)/+([^\ ]*)
> RewriteRule ^ /%1%3 [L,R=301]
Thanks Thomas! Very helpful.
--
Hal
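Added illustration, not part of the thread: a Python emulation of the quoted RewriteCond/RewriteRule pair, showing which request lines it fires on, what Location it redirects to, and that several separate slash runs are collapsed over successive 301 hops. The request lines are constructed samples; `redirect_target` and `follow_redirects` are names chosen here.

```python
import re

# Python form of the quoted RewriteCond pattern. mod_rewrite writes a
# literal space as "\ "; Python needs no escape. THE_REQUEST looks like
# "GET /path//to/file?x=1 HTTP/1.1".
DOUBLE_SLASH_RE = re.compile(r'^[A-Z]+ /(([^/ ]+/)*)/+([^ ]*)')


def redirect_target(the_request):
    """Emulate the rule: return the 301 Location path when the request
    contains a run of two or more slashes, else None (rule does not fire)."""
    m = DOUBLE_SLASH_RE.match(the_request)
    if not m:
        return None
    # RewriteRule ^ /%1%3 : a leading slash, the clean segments before the
    # slash run (%1), then everything after the run up to the next space (%3).
    # %3 carries the query string along, so the redirect keeps it.
    return '/' + m.group(1) + m.group(3)


def follow_redirects(path, method="GET", max_hops=10):
    """Simulate a client following the chained 301s. Each hop removes only
    the first slash run, so '/a//b//c' needs two hops to reach '/a/b/c'.
    Returns (final_path, list_of_hops)."""
    hops = []
    for _ in range(max_hops):
        target = redirect_target(f"{method} {path} HTTP/1.1")
        if target is None:
            return path, hops
        hops.append(target)
        path = target
    raise RuntimeError("redirect loop exceeded max_hops")


if __name__ == "__main__":
    # Constructed sample request lines.
    for req in ("GET /blog//2009/09/post/?p=1 HTTP/1.1",
                "GET //foo HTTP/1.1",
                "GET /about// HTTP/1.1",
                "GET /clean/path HTTP/1.1",
                "GET / HTTP/1.1"):
        print(f"{req!r:50} -> {redirect_target(req)!r}")
    print(follow_redirects("/a//b//c"))
```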