[wp-testers] WordPress 2.0.1 Remote DoS Exploit?

steve caturan scaturan at negimaki.com
Fri Mar 10 16:48:45 GMT 2006


I think a plugin to enable/disable Captcha for wp-register.php would be 
a good deterrent. Is that feasible, or will that require a major tweak in 
core?

Paolo Gabrielli wrote:
> On 3/10/06, Dougal Campbell <dougal at gunters.org> wrote:
>> Craig wrote:
>>> So, you're saying this isn't a vulnerability?
>>> <runs and hides>
>> Calling this DOS a "WordPress security vulnerability" is somewhat like
>> saying that your car can be denied service by dropping a dumptruck load
>> of dirt at the end of your driveway.
>>
>> Consider this: any web service which collects information and stores it
>> in some way is vulnerable to this sort of "attack". That's pretty much
>> every forum site out there. And it's not much different than filling up
>> a system's hard disk by sending a zillion bogus emails.
>>
>> As others have already pointed out, rate-limiting registrations by IP
>> number won't help when attackers switch to a distributed attack. And
>> besides, not many sites really *need* to have open registration. For
>> those that do, protection can be added by plugins using the
>> user_register API hook. I wonder if the Akismet plugin could even be
>> brought into play here? That might be an interesting extension.
> 
> What about a simple captcha?
> [http://en.wikipedia.org/wiki/Captcha]
> 
> Bye,
> P.
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
> 
> 
> 
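The point made in the quoted thread, that rate-limiting registrations by IP stops helping once the attempts come from many addresses, can be checked with a small simulation. This is an added example, not part of the original messages or of WordPress; the limiter class, the thresholds and the traffic lists are constructed for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def accepted_registrations(attempts, per_ip_limit=None, site_limit=None, window=3600):
    """Count registration attempts that get past the configured limiters.

    attempts: iterable of (timestamp_seconds, source_ip), in time order.
    per_ip_limit: max registrations per source address per window (None = off).
    site_limit: max registrations for the whole site per window (None = off).
    """
    per_ip = SlidingWindowLimiter(per_ip_limit, window) if per_ip_limit else None
    site = SlidingWindowLimiter(site_limit, window) if site_limit else None
    accepted = 0
    for ts, ip in attempts:
        if per_ip and not per_ip.allow(ip, ts):
            continue
        if site and not site.allow("site", ts):
            continue
        accepted += 1
    return accepted


# Constructed traffic: 500 sign-up attempts in 500 seconds.
SINGLE_SOURCE = [(t, "10.0.0.1") for t in range(500)]
DISTRIBUTED = [(t, f"10.0.{t // 250}.{t % 250 + 1}") for t in range(500)]  # 500 distinct IPs

if __name__ == "__main__":
    print("per-IP only, one source:   ", accepted_registrations(SINGLE_SOURCE, per_ip_limit=3))
    print("per-IP only, distributed:  ", accepted_registrations(DISTRIBUTED, per_ip_limit=3))
    print("per-IP + site cap, distrib.:", accepted_registrations(DISTRIBUTED, per_ip_limit=3, site_limit=20))
```

The site-wide cap bounds how many rows a flood can create, but it also turns away legitimate sign-ups while the flood lasts, which is the gap a per-request check such as the CAPTCHA proposed in the thread is meant to fill.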



