there are 2 quick fixes for this until its patched. unfortunately sharing them makes them public, which runs the risk of them not working, so im hesitant to share.
Ive attempted to exploit my own blog doing this, heres some tips, and my own results are below the tips:
1. the script depends on the other person knowing your db prefix (it defaults to wp_) So, using a another prefix, while not foolproof (there are ways to cause mysql errors that will reveal your db prefix,)x, is “better” than using the defualt one.
that prefix, btw, is set inside wp-config.php before you install.
2. That script relies on the name of your users table being being ‘users’, specifically the prefix used in #1 followed by users, ie, wp_users It follows, then, that using another table name (not users) is another way to ‘hang up’ attmepts
Again, its possible to cause mysql to spit out an error that would reveal that info, BUT its more work.
That table name mentioened in #2 is defined in wp-settings.php
3. That script depends on the name of your trackback file being wp-trackback.php
4. That script sends NO referer, and NO user-agent.
—
Fwiw, attmepting to exploit my own blog, editing out the default values and making sure they matched my own set up, resulted in a failed script (the script ran, no data was returned). I am not saying it doesnt work, just that I couldnt get it to (even knowing all of the pertinent information).
Ive made 3 changes to my own blog, and 1 small change to another file I use that prevents it from working completely on my own site. It wont even run ??
Of course, I’ve also *always* supressed ALL mysql errors. And this speaks to why sometimes thats a good idea, if you know what youre doing.
