[wp-trac] [WordPress Trac] #13827: Security Vulnerabilities In wp-signup.php Breaking Plugins (was: Spam Security Vulnerabilities in wp-signup.php w/MultiSite)
WordPress Trac
wp-trac at lists.automattic.com
Thu Jun 10 20:07:08 UTC 2010
#13827: Security Vulnerabilities In wp-signup.php Breaking Plugins
--------------------------+-------------------------------------------------
Reporter: uglyrobot | Owner: wpmuguru
Type: defect (bug) | Status: reviewing
Priority: high | Milestone:
Component: Multisite | Version: 3.0
Severity: critical | Resolution:
Keywords: needs-patch |
--------------------------+-------------------------------------------------
Changes (by uglyrobot):
* owner: => wpmuguru
* status: reopened => reviewing
Comment:
For example, say I wanted to create a basic recaptcha plugin (there's a
handful out there that are broken by this) to stop bots from creating
users or blogs. Due to this hidden vulnerability which spammers have
recently discovered and are exploiting, the only way to do this would be
to force the person signing up to fill out 2 captchas in a row. Basically
an ugly hack to try and cover up a core vulnerability.
This is not limited to just anti-spam plugins though, but affects a great
many others out there like Terms of Service, password on signup, etc.
This bug affects the current majority of Multi-Site users and surely
should be priority enough for a 3.0.1 release.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13827#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software