The MU forums have moved to WordPress.org

possible wpmu hack, where to report? (5 posts)

  1. redbox
    Member
    Posted 17 years ago #

    This morning someone signed up a splog, but there isn't a user account with it. The user and email fields are blank. I checked the database and have the IP address of the user, but there isn't a name or email address anywhere.

    I checked my logs and can see where the person used an external form to create the account which I'm assuming is a hack into the WPMU system. They didn't even have to activate it. I have the url of the form that was used.

    I'm not familiar with the trac system, and don't know if I should post the specifics (url to hack form) there since it is probably sensitive information that should not be viewed by the general public. Is there someone I should email with this info?

  2. theapparatus
    Member
    Posted 17 years ago #

    Email address for security issues is security at wordpress dot org. Please do not post it to trac.

    Please be sure to include the specific information out of the debugging page as mentioned within the readme file (i.e. specific version number, log data, etc.).

  3. redbox
    Member
    Posted 17 years ago #

    Thanks!

  4. JuanManuel
    Member
    Posted 17 years ago #

    I got one too with no username.

  5. redbox
    Member
    Posted 17 years ago #

    I received a reply; he said the problem was reported a couple of days ago and they've resolved it. If you don't want to wait for the new release, you can fix it now like this:

    Look for the function "validate_another_blog_signup()" in wp-signup.php.
    At the start of that function add these lines:

    // Only a logged-in user may create an additional blog; stop anonymous requests.
    if ( ! is_user_logged_in() ) {
        die();
    }
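The first post describes how the rogue signup was spotted: the web server log showed a POST to wp-signup.php submitted from an external copy of the form. The following is an added example, not code from this thread or from WPMU, showing one way to scan an Apache combined-format access log for such requests. The log lines, the host name mu.example.org and the IP addresses are constructed for the example; the helper name find_offsite_signups is mine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in Apache "combined" log format. These lines are made up
# for this example and are not the poster's real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:09:14:02 -0700] "GET /wp-signup.php HTTP/1.1" 200 5120 "http://mu.example.org/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:09:14:30 -0700] "POST /wp-signup.php HTTP/1.1" 302 0 "http://mu.example.org/wp-signup.php" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2008:11:02:11 -0700] "POST /wp-signup.php HTTP/1.1" 302 0 "http://evil.example.net/signup-form.html" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2008:11:02:12 -0700] "GET /newsplog/ HTTP/1.1" 200 8000 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2008:12:30:00 -0700] "POST /wp-signup.php HTTP/1.1" 302 0 "-" "curl/7.18.0"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


@dataclass
class SuspiciousSignup:
    ip: str
    time: str
    referer: str
    reason: str


def find_offsite_signups(log_text, own_hosts):
    """Return POSTs to wp-signup.php whose Referer is not one of our own hosts.

    A legitimate signup is submitted from the site's own signup page, so its
    Referer names one of `own_hosts` (lower-case host names). A POST with an
    off-site Referer (an external copy of the form) or with no Referer at all
    (a scripted client) is worth a closer look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m['method'] != 'POST' or not m['path'].startswith('/wp-signup.php'):
            continue
        ref = m['referer']
        if ref in ('-', ''):
            hits.append(SuspiciousSignup(m['ip'], m['time'], ref, 'no referer'))
            continue
        host = (urlparse(ref).hostname or '').lower()
        if host not in own_hosts:
            hits.append(SuspiciousSignup(m['ip'], m['time'], ref, 'off-site referer'))
    return hits


if __name__ == '__main__':
    for hit in find_offsite_signups(SAMPLE_LOG, {'mu.example.org'}):
        print(f"{hit.time} {hit.ip} {hit.reason}: {hit.referer}")
```

On the constructed sample this flags the POST from 198.51.100.23 (off-site Referer) and the one from 192.0.2.44 (no Referer), while the signup submitted from the site's own form is left alone. The Referer header is client-controlled, so a miss here does not prove a signup was legitimate; the check narrows down which requests to compare against blogs whose user and email fields are blank, as the first post describes.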
