[wp-hackers] New Security Vulnerability?
Owen Winkler
ringmaster at midnightcircus.com
Fri Mar 10 14:58:35 GMT 2006
David Chait wrote:
> Nicely whipped-up.
>
> Of course, it sends an email and updates two options in the database every
> attempt (which I assume is only one write, but still...) -- that's about the
> same as a new registration, though minus the 'cost' of the explosion in the
> user table size. ;)
Perhaps, except those are two different code paths. Emails should only
be sent in the case of detected login hacking, not in the case of
multiple registrations.
If the update_options() was stuffed into an additional else{} it could
eliminate database writes on failed registration attempts inside the
delay period.
Something more effective would report the IP to some firewall
configuration automation system.
> Of course, if done as distributed DoS, it would populate the options table
> with a ton of extra/dead data, probably then an equal or worse case... ;)
>
> Again, my assumption is if you took the sample script, and changed it to hit
> pretty much any PHP page, certainly anything with a database read, or write,
> it'd probably take down 50% of the machines on resources alone. The email
> definitely just adds to the fire. :)
Well, like I said, the email only happens on login hacking attempts,
certainly not at any generically-aimed request. This isn't a serious
attempt at "fixing" security issues, just a casual one for the lazy blog
admin. ;)
Like you said, though, if a distributed DoS targeted any common
unprotected blog, it would take it down pretty easily. Blog software is
simply not geared for handling such a scenario, which is better done at
the router/firewall level.
Owen
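The two points Owen makes above (alerts only on detected login hacking, and no database writes for attempts that arrive inside the delay period) can be shown with a small throttle. The code below is an added example, not the script from the thread and not WordPress code; it uses Python rather than PHP, an in-memory dictionary standing in for the options table, an injected clock, and a callback standing in for the email, all of which are assumptions of the example. It counts store writes and alerts so the effect of the extra `else{}` path is visible.

```python
"""Login-attempt throttle with separated code paths (added example).

Assumed stand-ins (not from the thread): a dict for the options table,
a callback for the email, an injectable clock for the delay period.
Failed logins inside the delay window are rejected without any store
write, and the alert fires once per lockout, never for registrations.
"""
import time


class LoginThrottle:
    def __init__(self, max_failures=5, delay_seconds=300, now=time.time, alert=None):
        self.max_failures = max_failures
        self.delay = delay_seconds
        self.now = now
        self.alert = alert or (lambda ip, n: None)
        self.store = {}        # ip -> {"failures": int, "locked_until": float}
        self.store_writes = 0  # counts "database" writes so the saving is visible
        self.alerts_sent = 0

    def _write(self, ip, record):
        self.store[ip] = record
        self.store_writes += 1

    def is_locked(self, ip):
        rec = self.store.get(ip)
        return rec is not None and rec["locked_until"] > self.now()

    def attempt_login(self, ip, password_ok):
        """Return True if the login may proceed. No store write while locked."""
        if self.is_locked(ip):
            return False  # the else{} path: reject during the delay, write nothing
        rec = self.store.get(ip, {"failures": 0, "locked_until": 0.0})
        if password_ok:
            if rec["failures"]:
                self._write(ip, {"failures": 0, "locked_until": 0.0})
            return True
        rec = {"failures": rec["failures"] + 1, "locked_until": rec["locked_until"]}
        if rec["failures"] >= self.max_failures:
            rec["locked_until"] = self.now() + self.delay
            rec["failures"] = 0
            self.alert(ip, self.max_failures)  # email only on detected login hacking
            self.alerts_sent += 1
        self._write(ip, rec)
        return False

    def attempt_registration(self, ip):
        """Registration shares the lockout but never triggers the alert."""
        return not self.is_locked(ip)


if __name__ == "__main__":
    # Constructed sequence: three bad passwords from one address, then retries.
    clock = [1000.0]
    t = LoginThrottle(max_failures=3, delay_seconds=60, now=lambda: clock[0],
                      alert=lambda ip, n: print(f"alert: {n} failures from {ip}"))
    for _ in range(3):
        t.attempt_login("10.0.0.1", password_ok=False)
    print("locked:", t.is_locked("10.0.0.1"), "writes:", t.store_writes)
    t.attempt_login("10.0.0.1", password_ok=True)   # rejected, no write
    print("writes after locked retry:", t.store_writes)
    clock[0] += 61
    print("after delay:", t.attempt_login("10.0.0.1", password_ok=True))
```

Note that a correct password is also refused during the delay period; that is what keeps the locked path write-free and is the trade-off the thread accepts for a "lazy admin" control. Per-IP state is still stored, so a distributed flood fills the store just as David describes, which is why the thread points at the firewall layer for that case.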