redbox
Member
Posted 17 years ago #
This morning someone signed up a splog, but there isn't a user account with it. The user and email fields are blank. I checked the database and have the IP address of the user, but there isn't a name or email address anywhere.
I checked my logs and can see where the person used an external form to create the account, which I'm assuming is a hack into the WPMU system. They didn't even have to activate it. I have the URL of the form that was used.
I'm not familiar with the Trac system, and don't know if I should post the specifics (URL to the hack form) there, since it is probably sensitive information that should not be viewed by the general public. Is there someone I should email with this info?
Email address for security issues is security at wordpress dot org. Please do not post it to trac.
Please be sure to include the specific information out of the debugging page as mentioned within the readme file (i.e. specific version number, log data, etc.).
redbox
Member
Posted 17 years ago #
JuanManuel
Member
Posted 17 years ago #
I got one too with no username.
redbox
Member
Posted 17 years ago #
I received a reply, he said the problem was reported a couple of days ago and they've resolved it. If you don't want to wait for the new release, you can fix it now like this:
Look for the function validate_another_blog_signup() in wp-signup.php. At the start of that function add these lines:

    // Refuse the "create another blog" request unless a user is logged in
    if( !is_user_logged_in() ) {
        die();
    }
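The guard above, shown as a stand-alone before/after sketch. This is an added example, not code from the thread or from WordPress MU: the WordPress functions is_user_logged_in(), get_current_user_id() and wpmu_create_blog() are replaced by stubs with the same names so the script runs outside a WordPress install, and the request data is constructed. The assumption behind it is that the handler creates the new blog for the current user's ID, so an anonymous request produces a blog owned by user 0, which would match the blank user and email fields described at the top of the thread.

```php
<?php
// Added example (not from the thread or from WordPress MU). Stand-alone
// sketch of the wp-signup.php guard. The stubs below stand in for the real
// WordPress functions of the same name (an assumption about their semantics).

$GLOBALS['simulated_user_id'] = 0;   // 0 = anonymous visitor, as in WordPress

function is_user_logged_in() {       // real WP: true once a user is authenticated
    return $GLOBALS['simulated_user_id'] > 0;
}

function get_current_user_id() {     // real WP: ID of the logged-in user, 0 if none
    return $GLOBALS['simulated_user_id'];
}

function wpmu_create_blog($domain, $path, $title, $user_id) {
    // Stand-in for the WP MU call that inserts the new blog and its owner.
    return array('domain' => $domain, 'path' => $path,
                 'title'  => $title,  'user_id' => $user_id);
}

// Before the fix: anything that reaches this handler creates a blog, and an
// anonymous POST (e.g. from a copied, externally hosted form) yields a blog
// whose owner is user 0, i.e. no user account, blank name and email.
function validate_another_blog_signup_before($post) {
    return wpmu_create_blog($post['domain'], $post['path'],
                            $post['blog_title'], get_current_user_id());
}

// After the fix: reject the request before anything is written. The thread's
// patch calls die(); returning null here keeps the script runnable and makes
// the refusal visible to the caller.
function validate_another_blog_signup_after($post) {
    if ( ! is_user_logged_in() ) {
        return null;
    }
    return wpmu_create_blog($post['domain'], $post['path'],
                            $post['blog_title'], get_current_user_id());
}

// Constructed request body, as a spammer's external form would submit it.
$forged = array('domain' => 'example.com', 'path' => '/cheap-pills/',
                'blog_title' => 'Cheap pills');

$GLOBALS['simulated_user_id'] = 0;                       // anonymous
var_dump(validate_another_blog_signup_before($forged));  // blog with user_id 0
var_dump(validate_another_blog_signup_after($forged));   // NULL: refused

$GLOBALS['simulated_user_id'] = 42;                      // logged-in user
var_dump(validate_another_blog_signup_after($forged));   // blog owned by user 42
```

Run it with `php` from the command line; the first dump shows the orphaned blog row the anonymous request would have produced, the second shows the refusal, and the third shows the normal path for a logged-in user. The login check only closes the anonymous case: a logged-in account can still submit the same form from anywhere, so on installs that have wp_verify_nonce() a nonce tied to the site's own signup form is the natural next check.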