[wp-trac] [WordPress Trac] #10980: DoS in wp-trackbacks

WordPress Trac wp-trac at lists.automattic.com
Wed Oct 21 14:31:13 UTC 2009


#10980: DoS in wp-trackbacks
--------------------------+-------------------------------------------------
 Reporter:  gomex         |        Owner:  ryan    
     Type:  defect (bug)  |       Status:  reopened
 Priority:  high          |    Milestone:          
Component:  Security      |      Version:          
 Severity:  critical      |   Resolution:          
 Keywords:                |  
--------------------------+-------------------------------------------------
Changes (by Otto42):

  * priority:  normal => high
  * status:  closed => reopened
  * resolution:  fixed =>
  * severity:  trivial => critical


Comment:

 The patch in [12057] does not fix the problem. A trivial change to the
 exploit would still trigger it, even in 2.8.5.

 If the exploit were to send an array using the PHP brackets method, then
 that array would not have commas or spaces in it, and the DoS attack would
 still succeed.

 Imagine I sent this POST to the trackback.php file:

 charset[]='UTF-8'
 charset[]='UTF-8'
 charset[]='UTF-8'
 ... a few thousand more times ...
 charset[]='UTF-8'
 other_standard_stuff='whatever'
 ...

 In this case, the contents of $_POST['charset'] would be an array. That
 array would get a str_replace done on each element, but there wouldn't be
 any commas or spaces in them. The array then gets passed on to
 mb_convert_encoding, which triggers the underlying problem.

 The underlying problem is that passing huge numbers of charsets to
 mb_convert_encoding breaks the thing. I can still pass those huge numbers
 using this manner.

 There needs to be a check on the $_POST['charset'] to ensure that it's a
 string and not an array.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10980#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
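
The check the comment asks for, as an added example that is not part of the original message and is not WordPress core code: the function name `sanitize_trackback_charset`, the 64-byte length bound and the default cap of one encoding are assumptions made for illustration. It refuses anything that is not a string, bounds the input, and only returns names that `mb_list_encodings()` reports, so nothing unbounded reaches `mb_convert_encoding`.

```php
<?php
// Added example; not WordPress core code. Name and limits are assumptions.

/**
 * Return a bounded from-encoding list for mb_convert_encoding(),
 * or null when the submitted value must be rejected.
 */
function sanitize_trackback_charset($raw, $max_encodings = 1) {
    // charset[]=... in the POST body makes PHP build an array,
    // so refuse anything that is not a plain string.
    if (!is_string($raw)) {
        return null;
    }
    // Bound the raw length before doing any further work on it.
    if (strlen($raw) > 64) {
        return null;
    }
    $known = array_map('strtoupper', mb_list_encodings());
    $out = array();
    $names = preg_split('/[\s,]+/', strtoupper($raw), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($names as $name) {
        if (!in_array($name, $known, true)) {
            return null; // not an encoding mbstring knows by this name
        }
        $out[$name] = true; // de-duplicate repeated names
        if (count($out) > $max_encodings) {
            return null; // more encodings than the caller allows
        }
    }
    return $out ? implode(',', array_keys($out)) : null;
}

// Constructed sample inputs, standing in for $_POST['charset'].
$samples = array(
    'plain string'  => 'UTF-8',
    'bracket array' => array_fill(0, 5000, 'UTF-8'),
    'long list'     => str_repeat('UTF-8,', 5000),
    'two encodings' => 'UTF-8, ISO-8859-1',
    'unknown name'  => 'NOT-A-CHARSET',
);
foreach ($samples as $label => $value) {
    $safe = sanitize_trackback_charset($value);
    echo $label, ': ', $safe === null ? 'rejected' : "accepted ($safe)", "\n";
}
```

Only the canonical names returned by `mb_list_encodings()` are accepted here; aliases would need an explicit mapping if callers send them.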

