You can read more about it here. Is there any solution yet?
(Sips more coffee, makes skeptical noises.)
That's not really a vulnerability in WordPress and here's why: any DoS attack is background noise. Harmful background noise if it's your server, but still background noise.
Anyone can write a script and knock down any single server. It's ~2 minutes of work to do if you type slowly. Apache2 comes with a great load tester; if you ramp up the threads and simultaneous requests, then BAM! Unresponsive server.
Now a real vulnerability would be if flooding that WordPress file with info caused it to crash and execute arbitrary code that the attacker planned. Once an attacker can do that, you've got a real problem on your hands. The worm that went around hitting pre-2.8.4 code? Now that was a vulnerability.
I just wanted to mention that the jarraltech.com post is plagiarized from http://www.stevefortuna.com/new-0-day-wordpress-exploit/
And I disagree. Some overlooked code in WordPress is the cause for being able to overload a server. While you may be able to flood the server with requests to slow it down/overload it, you can't call a function that actually uses up CPU and memory to overload it.
All it takes is a handful of requests to essentially shut down a server.
Well, it looks like it's about to be addressed in the trunk.
See http://core.trac.wordpress.org/ticket/10980 for more info.
Edit: also see http://core.trac.wordpress.org/changeset/12057