[wp-trac] [WordPress Trac] #11685: Search flood exploit

WordPress Trac wp-trac at lists.automattic.com
Tue Jan 5 23:08:35 UTC 2010

#11685: Search flood exploit
 Reporter:  scribu        |        Owner:  ryan   
     Type:  defect (bug)  |       Status:  closed 
 Priority:  normal        |    Milestone:         
Component:  Security      |      Version:         
 Severity:  normal        |   Resolution:  wontfix
 Keywords:                |  

Comment(by hakre):

 Replying to [comment:8 Viper007Bond]:
 > Replying to [comment:7 miqrogroove]:
 > > > To prevent this would require logging of page requests by IP
 > >
 > > Smaller websites often use captcha or full user registration, because
 > > they can be implemented at the script (i.e. plugin) level.
 > http://blog.com/foobar requires a search of the database to try and find
 > a matching Page or post. You could easily just tag on random parameters
 > and accomplish the same thing.
 If not, that search does create a query that kicks your MySQL's butt far
 deeper than a permalink request does (okay, it depends on the permalink
 design a bit as well, but that should be ignored here). To improve the
 exploit I would trigger salt creation on the PHP side in parallel, which
 will get at the current server node's CPU.

Ticket URL: <http://core.trac.wordpress.org/ticket/11685#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
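One plugin-level mitigation of the kind the thread mentions (limiting search requests per IP rather than logging them), as an added example that is neither part of this ticket nor WordPress core code; the plugin name, the `sfl_` prefix, the limit and the window are assumptions:

```php
<?php
/*
Plugin Name: Search Flood Limiter (example)
Description: Per-IP rate limit on front-end search requests, refused before WP_Query runs.
*/

// Assumed policy: at most SFL_LIMIT searches per client IP per SFL_WINDOW seconds.
define( 'SFL_LIMIT', 10 );
define( 'SFL_WINDOW', 60 );

function sfl_client_ip() {
    // Use REMOTE_ADDR only; X-Forwarded-For is attacker-controlled unless a trusted
    // reverse proxy is known to set it, so it is deliberately not consulted here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sfl_limit_search() {
    // Only front-end search requests (?s=term) are of interest; skip wp-admin.
    if ( is_admin() || ! isset( $_GET['s'] ) || '' === $_GET['s'] ) {
        return;
    }

    // Transient keys are limited in length, so hash the IP instead of embedding it.
    $key   = 'sfl_' . md5( sfl_client_ip() );
    $count = (int) get_transient( $key );

    if ( $count >= SFL_LIMIT ) {
        // Stop here, on 'init', before the main query issues the LIKE '%term%'
        // search that the thread describes as far heavier than a permalink lookup.
        wp_die(
            'Too many search requests from your address. Please try again shortly.',
            'Rate limited',
            array( 'response' => 429 )
        );
    }

    // Caveat: get/set_transient is not atomic, so a burst of concurrent requests
    // can overshoot the limit by a few. Without a persistent object cache the
    // counter lives in wp_options, which is still a cheap keyed lookup compared
    // with the full-text LIKE search it prevents.
    set_transient( $key, $count + 1, SFL_WINDOW );
}

// 'init' fires before the main query is built and executed.
add_action( 'init', 'sfl_limit_search' );
```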
