[wp-trac] [WordPress Trac] #24647: WordPress login page falls into HTTP 406 Not Acceptable error after a few clicks (was: Wordpress login page falls into HTTP 406 Not Acceptable error after a few clicks)

WordPress Trac noreply at wordpress.org
Wed Jun 26 17:14:00 UTC 2013


#24647: WordPress login page falls into HTTP 406 Not Acceptable error after a few
clicks
--------------------------+------------------------------
 Reporter:  Ricardo2013   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  3.5.2
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |
--------------------------+------------------------------
Description changed by SergeyBiryukov:

Old description:

> At first I thought this was just my own site, but then I tested a dummy
> site within the same web hosting account and finally a random wordpress
> site on the web.
>
> This problem is very easy to reproduce. Simply go to wp-login.php and
> instead of logging in, click on the register link or on the "Lost your
> password?" link and then quickly press the back button to return to the
> login page. Repeat going to the register or lost password pages and
> returning to the login page several times, until you get the
>
> HTTP 406 Not Acceptable error
>
> This cripples the login mechanism for a few minutes at least. Excellent
> for a denial of service attack using only one computer.

New description:

 At first I thought this was just my own site, but then I tested a dummy
 site within the same web hosting account and finally a random !WordPress
 site on the web.

 This problem is very easy to reproduce. Simply go to wp-login.php and
 instead of logging in, click on the register link or on the "Lost your
 password?" link and then quickly press the back button to return to the
 login page. Repeat going to the register or lost password pages and
 returning to the login page several times, until you get the

 HTTP 406 Not Acceptable error

 This cripples the login mechanism for a few minutes at least. Excellent
 for a denial of service attack using only one computer.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24647#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software