[wp-trac] [WordPress Trac] #10980: DoS in wp-trackbacks
WordPress Trac
wp-trac at lists.automattic.com
Wed Oct 21 14:31:13 UTC 2009
#10980: DoS in wp-trackbacks
--------------------------+-------------------------------------------------
Reporter: gomex | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: high | Milestone:
Component: Security | Version:
Severity: critical | Resolution:
Keywords: |
--------------------------+-------------------------------------------------
Changes (by Otto42):
* priority: normal => high
* status: closed => reopened
* resolution: fixed =>
* severity: trivial => critical
Comment:
The patch in [12057] does not fix the problem. A trivial change to the
exploit would still trigger it, even in 2.8.5.

If the exploit were to send an array using the PHP brackets method, then
that array would not have commas or spaces in it, and the DoS attack would
still succeed.

Imagine I sent this POST to the trackback.php file:

    charset[]='UTF-8'
    charset[]='UTF-8'
    charset[]='UTF-8'
    ... a few thousand more times ...
    charset[]='UTF-8'
    other_standard_stuff='whatever'
    ...

In this case, the contents of $_POST['charset'] would be an array. That
array would get a str_replace done on each element, but there wouldn't be
any commas or spaces in them. The array then gets passed on to
mb_convert_encoding, which triggers the underlying problem.

The underlying problem is that passing huge numbers of charsets to
mb_convert_encoding breaks the thing. I can still pass those huge numbers
using this manner.

There needs to be a check on the $_POST['charset'] to ensure that it's a
string and not an array.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10980#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
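
The string check the comment above calls for, shown beside a strip-only filter, as an added example that is not part of the original message and is not WordPress core code. The function names and sample inputs are hypothetical, and the strip-only function only models the filtering as the comment describes it.

```php
<?php
// Added example. Function names are hypothetical, not WordPress APIs.

// Models the filtering described in the comment: commas and spaces are
// stripped, but the type is never checked. str_replace() accepts an array
// subject and returns an array, so a charset[]=... request passes through
// unchanged and would reach mb_convert_encoding() as a list of encodings.
function charset_strip_only($raw) {
    return str_replace(array(',', ' '), '', $raw);
}

// Hardened form: require a string, accept a single charset token,
// and fall back to a default for anything else.
function charset_string_only($raw, $default = 'UTF-8') {
    if (!is_string($raw)) {
        return $default;              // arrays (charset[]=...) stop here
    }
    $charset = strtoupper(trim($raw));
    // One token only: letters, digits, '-' and '_', bounded length.
    if (!preg_match('/^[A-Z0-9_-]{1,40}$/', $charset)) {
        return $default;
    }
    return $charset;
}

// Constructed sample inputs, shaped as PHP would populate $_POST['charset'].
$samples = array(
    'plain string'        => 'ISO-8859-1',
    'comma-joined string' => 'UTF-8,UTF-8,UTF-8',
    'bracket array'       => array('UTF-8', 'UTF-8', 'UTF-8'),
);

foreach ($samples as $label => $raw) {
    $weak = charset_strip_only($raw);
    $safe = charset_string_only($raw);
    printf(
        "%-20s strip-only: %-28s string-only: %s\n",
        $label,
        is_array($weak) ? 'array(' . count($weak) . ') passed on' : $weak,
        $safe
    );
}
```

The bracket-array row is the case from the comment: the strip-only filter hands an array onward, while the string-only filter replaces it with the default charset.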