id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
4137	Pingback Denial of Service possibility	foobarwp12		"The pingback feature of Wordpress (2.1.3) allows DDOS attacks either against the server hosting wordpress or against a third one.

When a client sends a pingback, wordpress calls ""wp_remote_fopen"" to download the referring URL. On servers having ""allow_url_fopen"" activated, this function will try to download the /whole/ URL without any timeout or size limit. (except those set in php.ini, which will usually lead to a ~8MB download)

So if you post ~100 xmlrpc requests referring to a /huge/ file, every server meeting those prerequisites should effectively be down (for a while). You should at least be able to generate lots of traffic.

On the other hand, if you google for blogs and post the same URL to each of 'em, the target server should be DDOSed.

I suggest allowing pingbacks only if the connection was opened from the host mentioned in the source URL.

I'll attach a demo exploit (I didn't test it for the entered URL; it worked for a local installation.)"	defect (bug)	reviewing	low	Awaiting Review	Security	1.5	normal		needs-patch	josephscott bob.ellison@… info@… 24-7@… dh-shredder tom@… soficgr@… ian_dunn@… scribu kovshenin