I just installed a brand spanking new WPMU last night, set up the signup code on it, installed a few more plugins, and went to bed.
Woke up this morning and checked my email to find that a spammer has signed up for a blog. I haven't given out the signup code to anyone. I can't sign up myself without a signup code, how did this person sign up?
Is there a way to verify what signup code they used on the signup form?
Going through my logs, I only see 1 signup attempt, and it was successful:
Responses (9)
Keeper of the Dark Chocolate — 10th June 2010 (1 year ago) #
Just to clarify, is buddypress installed? I know you said it's a brand new wpmu install. Just want to make sure though.
Lead Developer — 10th June 2010 (1 year ago) #
Thanks for posting your log. I've honestly never been able to get someone to do it. I'm going to get this checked into as I've heard from 2 others that a spammer was able to bypass the code recently but you are the first to actually prove it with a log ;-).
I really wish I could see what the POST content was...
Member — 10th June 2010 (1 year ago) #
Buddypress is NOT installed.
Member — 10th June 2010 (1 year ago) #
Another one just signed up:
207.199.197.231 - - [10/Jun/2010:12:29:34 -0400] "GET /wp-signup.php HTTP/1.1" 200 6035 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
207.199.197.231 - - [10/Jun/2010:12:29:35 -0400] "POST /wp-signup.php HTTP/1.1" 200 5726 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:33:33 -0400] "GET /wp-activate.php?key=43116a8682383597 HTTP/1.1" 200 3624 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:33:34 -0400] "POST /wp-activate.php HTTP/1.1" 200 3624 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:33:21 -0400] "GET /wp-activate.php?key=43116a8682383597 HTTP/1.1" 200 4519 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:38:42 -0400] "POST /maya9948091/wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:38:42 -0400] "GET /maya9948091/wp-admin/options-writing.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
69.61.101.173 - - [10/Jun/2010:12:38:43 -0400] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 - "-" "WordPress/2.9.2; http://maya9948091.*deleted*.com"
207.199.197.231 - - [10/Jun/2010:12:38:43 -0400] "POST /wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:38:44 -0400] "GET /wp-admin/options-writing.php HTTP/1.1" 200 15433 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
207.199.197.231 - - [10/Jun/2010:12:38:46 -0400] "POST /wp-admin/options.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
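A defender-side check that can be run over the access log, added here as an example and not code from the thread or from WPMU/WordPress. It parses Apache combined-format lines (constructed sample lines with placeholder IPs and a placeholder activation key, in the same shape as the log above) and flags clients whose signup form was fetched with one user agent but submitted by a command-line tool, and whose activation link was also fetched by a tool, which is the pattern the log above shows.

```python
import re
from collections import defaultdict

# Apache combined log format, the same layout as the access log quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (placeholder IPs and key, not the thread's values).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:12:29:34 -0400] "GET /wp-signup.php HTTP/1.1" 200 6035 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.0.113.5 - - [10/Jun/2010:12:29:35 -0400] "POST /wp-signup.php HTTP/1.1" 200 5726 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6"
203.0.113.5 - - [10/Jun/2010:12:33:33 -0400] "GET /wp-activate.php?key=0123456789abcdef HTTP/1.1" 200 3624 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2"
203.0.113.5 - - [10/Jun/2010:12:38:42 -0400] "POST /exampleblog/wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6"
198.51.100.7 - - [10/Jun/2010:13:02:10 -0400] "GET /wp-signup.php HTTP/1.1" 200 6035 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.7 - - [10/Jun/2010:13:03:40 -0400] "POST /wp-signup.php HTTP/1.1" 200 5726 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

# User agents of common command-line HTTP clients; a real browser never sends these.
TOOL_UA = re.compile(r'^(curl|wget|python-requests|libwww-perl)/', re.I)

def parse(log_text):
    """Yield one dict per parseable line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flag_signups(log_text):
    """Return {ip: [reasons]} for clients whose signup traffic looks scripted."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        posts = [r for r in recs if r["method"] == "POST" and r["path"] == "/wp-signup.php"]
        gets = [r for r in recs if r["method"] == "GET" and r["path"] == "/wp-signup.php"]
        if any(TOOL_UA.match(r["ua"]) for r in posts):
            reasons.append("signup POST sent by a command-line tool user agent")
        if posts and gets and {r["ua"] for r in posts} != {r["ua"] for r in gets}:
            reasons.append("user agent changed between signup form GET and POST")
        if posts and any(r["path"].startswith("/wp-activate.php") and TOOL_UA.match(r["ua"]) for r in recs):
            reasons.append("activation link fetched by a command-line tool")
        if reasons:
            findings[ip] = reasons
    return findings
```

Running `flag_signups` over a real access log reports only the IPs that match; the second client in the sample, which fetched and submitted the form with the same browser user agent, is not flagged.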
Lead Developer — 10th June 2010 (1 year ago) #
Ok, looks like you've helped find a security vulnerability in core WPMU/WP3.0 Multisite! (well credit goes to the sploggers first...)
We have a temporary patch idea for this and will upload it probably by next week.
I am creating a trac ticket for this so we can get a permanent fix in core though, and will post a link to that if you want to know the details.
Member — 10th June 2010 (1 year ago) #
I'm running 2.9.2, so this affects that as well.
Lead Developer — 10th June 2010 (1 year ago) #
http://core.trac.wordpress.org/ticket/13827
3.0 seems to have the same vulnerability.
Keeper of the Dark Chocolate — 10th June 2010 (1 year ago) #
Actually this has been an ongoing issue for years. Every few months someone posts to the mu forums that they had a spammer register to their install even though registration is turned off. We ask them about their logs and what debugging they've done and 9 times out of 10, we get back a "huh?" and never hear back from them.
edit: Only thread I can find on the topic right off. There were many others:
http://mu.wordpress.org/forums/topic/17304
Lead Developer — 10th June 2010 (1 year ago) #
Dr. Mike, I did a quick perusal of the wp-signup.php code and it is currently not possible to bypass the reg value in 3.0 via a bot, though I wouldn't be surprised if that was not the case a few versions back, would have to search the old trac. I think a lot of those threads may have been due to using multi-site plugins (like Ron's) and each site having a separate registration setting.