My understanding of script-kiddie attacks is that they just attempt to drop their payload, using every possible vector, across a range of IP addresses. In other words: they're indiscriminate, and usually not smart enough to test for vulnerabilities before attempting to drop their payload.<div>
<br></div><div>(It's the same reason that exposing - or not exposing - the WordPress version has zero real impact on site security.)</div><div><br></div><div>Chip<br><br><div class="gmail_quote">On Sat, Dec 24, 2011 at 9:36 AM, Rankin, Matthew W. (Student) <span dir="ltr"><<a href="mailto:mrankin@my.ccsu.edu">mrankin@my.ccsu.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">Directly the code isn't a security issue, but I've heard that there are bots out there that check the comments.php file for this code. If the bot finds this code it then begins
to try other attacks. So, while not directly a security issue it does attract spam and other ( possibly more damaging ) attacks.
<br>
<br>
Also, the code you posted really isn't needed. So, with the code not being needed, and it possibly opening a site to other attacks, I'd say that it should not be included in themes.<br>
<div style="font-family:Times New Roman;color:rgb(0,0,0);font-size:16px">
<hr>
<div style="direction:ltr"><font face="Tahoma" color="#000000"><b>From:</b> <a href="mailto:theme-reviewers-bounces@lists.wordpress.org" target="_blank">theme-reviewers-bounces@lists.wordpress.org</a> [<a href="mailto:theme-reviewers-bounces@lists.wordpress.org" target="_blank">theme-reviewers-bounces@lists.wordpress.org</a>] on behalf of Chip Bennett [<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>]<br>
<b>Sent:</b> Saturday, December 24, 2011 8:53 AM<br>
<b>To:</b> [theme-reviewers]<br>
<b>Subject:</b> [theme-reviewers] $_SERVER data<br>
</font><br>
</div><div><div class="h5">
<div></div>
<div>Lately, I've been seeing quite a few review comments indicating to remove this code, due to security issues:
<div><br>
</div>
<div>
<blockquote style="margin:0pt 0pt 0pt 40px;border:medium none;padding:0px">
<div>
<p style="font-family:Verdana,Arial,'Bitstream Vera Sans',Helvetica,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
if ( !empty( $_SERVER<a href="http://themes.trac.wordpress.org/wiki/SCRIPT_FILENAME" rel="nofollow" style="text-decoration:none;color:rgb(153,153,136);border-bottom:1px dotted rgb(187,187,187)" target="_blank">SCRIPT_FILENAME?</a> )
&& 'comments.php' == basename( $_SERVER<a href="http://themes.trac.wordpress.org/wiki/SCRIPT_FILENAME" rel="nofollow" style="text-decoration:none;color:rgb(153,153,136);border-bottom:1px dotted rgb(187,187,187)" target="_blank">SCRIPT_FILENAME?</a> )
)<br>
</p>
<blockquote style="font-family:Verdana,Arial,'Bitstream Vera Sans',Helvetica,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<p>die ( 'Please do not load this page directly. Thanks!' );</p>
</blockquote>
</div>
</blockquote>
</div>
<div><br>
</div>
<div>I don't believe that $_SERVER data used in this manner (i.e. as a conditional query, with no data being saved to the DB or output) is a security risk. What are your thoughts?</div>
<div><br>
</div>
<div>Chip</div>
</div>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>