[wp-hackers] JavaScript related functionality failure on some admin pages. 3.5.1

Otto otto at ottodestruct.com
Tue Feb 26 23:25:42 UTC 2013


On Tue, Feb 26, 2013 at 4:55 PM, Haluk Karamete <halukkaramete at gmail.com> wrote:
> I remember that we had configured the querystring allowed max length on our
> IIS server quite some time ago. So whenever the querystring is too long,
> the attacker simply gets a 404.
> ...
> 532 chars.
>
> Do you guys plan to shorten this somehow in the future?

_print_scripts does not currently have a way to split these, but it is possible.

However, 532 is not a particularly long query string. Information I
can find suggests that a realistic limit for the total URL length
would be 2k, because IE has problems with URLs longer than 2048
characters. If you want to be safe, 1024 characters would be max.

IIS's default URL limit is 16,384 characters.

-Otto

