skippy at skippy.net
Sun Aug 14 00:06:15 GMT 2005
perl and PHP code exists to automatically exploit vulnerable WP 188.8.131.52
sites, allowing the attacker to (try to) execute code on the victim's
The user agent used in the code I've reviewed is:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
which sucks, because that's a real user agent. You could take the
extreme position of rejecting all access from that user agent, but
you'll exclude a lot of real visitors, too.
Likewise, the attack uses a plain ol' HTTP GET request, instead of POST,
further complicating our defense strategies.
The code leverages wp_filter[query_vars]. Is there something specific
that we can suggest _right now_ for people to do in their blog's code to
help protect them?
Certainly `php_flag register_globals off` in .htaccess is one step; but
I would really like to offer as complete a solution as possible:
security in depth.
I want to construct a sticky forum post _officially_ responding to the
issue, describing the problem, and providing as complete a solution as
possible for users _right now_.
skippy at skippy.net | http://skippy.net/
gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49 3544 476A 7DEC 9CFA 4B35
More information about the wp-hackers