[wp-hackers] wp-trackbacks.php and SQL injection

steve caturan scaturan at negimaki.com
Mon Jul 24 19:00:54 GMT 2006


I see hundreds of /trackback/ and wp-comments-post.php POST requests
every hour for the WordPress sites I host (about ~210 or so), and
mod_security really helps immensely; for the SPAM that does go
through, there's always Bad Behavior, Akismet and Spam Karma. Like you
said, it's like a DDOS attack, non-stop across several hundred sites,
but that's reality. And being someone responsible for those sites
means I have to ensure they're protected appropriately.

On 7/24/06, Ryan Boren <ryan at boren.nu> wrote:
> Stefano wrote:
> > My provider got a series of DDOS attacks and a lot of their clients
> > using WP got thousands of spam comments, and resources get drawn by
> > this attack.
> >
> > It looks like the wp-trackbacks.php file is called lots of
> > times to attempt SQL injections and to make SPAM.
> >
> > I really didn't make a deep search to find out if the problem is known
> > and related to an old WP version, just wondering if the problem is
> > known and if there is a solution already.
> >
> > It's clear that nothing can be done about the thousands of calls, just
> > wondering if there is a security leak in this file in the previous
> > or current version.
>
> There was a bug fixed at the beginning of 2005 where the tb_id wasn't
> being cast to an int.  That's the only one I recall.
>
> Ryan
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
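
As an added illustration (not part of the original post or of WordPress), here is a small detector for the kind of trackback/comment POST flood described above: it parses Apache combined-format access log lines, counts POSTs to /trackback/, wp-comments-post.php and wp-trackback.php per client IP, and flags any IP that exceeds a threshold inside a sliding time window. The log lines, IPs, paths and threshold are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints the thread names as flood targets (trackback URLs end in /trackback/).
TARGET = re.compile(r"POST (?:/[^ ]*/trackback/?|/wp-comments-post\.php|/wp-trackbacks?\.php)")
# Apache combined log: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)

def flood_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_target_posts} for every IP that sends more than
    `threshold` trackback/comment POSTs inside any `window`-long interval."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        ip, when, request, _status = rec
        if TARGET.match(request):
            per_ip[ip].append(when)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0                         # left edge of the sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log: one IP hammering a trackback URL, one normal reader.
SAMPLE_LOG = [
    f'203.0.113.7 - - [24/Jul/2006:18:00:{s:02d} +0000] "POST /2006/07/hello/trackback/ HTTP/1.1" 200 312'
    for s in (1, 5, 12, 20, 33, 47)
] + [
    '203.0.113.7 - - [24/Jul/2006:18:00:55 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 312',
    '198.51.100.9 - - [24/Jul/2006:18:00:10 +0000] "GET /2006/07/hello/ HTTP/1.1" 200 8120',
    '198.51.100.9 - - [24/Jul/2006:18:01:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG))      # {'203.0.113.7': 7}
```

The flagged IPs are what you would feed into a mod_security or firewall deny rule; the threshold and window should be tuned per site, since a popular post can legitimately draw several comments a minute.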

