[wp-testers] WordPress 2.0.1 Remote DoS Exploit?

Paolo Gabrielli paolo.gabrielli at gmail.com
Fri Mar 10 16:41:59 GMT 2006


On 3/10/06, Dougal Campbell <dougal at gunters.org> wrote:
> Craig wrote:
> > So, you're saying this isn't a vulnerability?
> > <runs and hides>
>
> Calling this DOS a "WordPress security vulnerability" is somewhat like
> saying that your car can be denied service by dropping a dumptruck load
> of dirt at the end of your driveway.
>
> Consider this: any web service which collects information and stores it
> in some way is vulnerable to this sort of "attack". That's pretty much
> every forum site out there. And it's not much different than filling up
> a system's hard disk by sending a zillion bogus emails.
>
> As others have already pointed out, rate-limiting registrations by IP
> number won't help when attackers switch to a distributed attack. And
> besides, not many sites really *need* to have open registration. For
> those that do, protection can be added by plugins using the
> user_register API hook. I wonder if the Akismet plugin could even be
> brought into play here? That might be an interesting extension.

What about a simple captcha?
[http://en.wikipedia.org/wiki/Captcha]

Bye,
P.

