Comments on: Permalinks Migration Vulnerability

By: How to Update Your WordPress Permalinks Without Causing Link Rot — Kingdom Front

Sun, 04 May 2008 07:24:02 +0000

[...] below (e.g., going from name-based permalinks back to name and date-based permalinks), there is a WordPress plugin that can take care of you. If all you want to do is change from name and date-based permalinks to [...]

By: Permalink Structure Change

Permalink Structure Change — Wed, 30 Apr 2008 11:50:23 +0000

[...] Migration Plugin Version 1.0. However, it’s got a bug apparently so the fix is here in this Weblog Tools Collection post, or download here from g30rg3 Blog or from WordPress [...]

By: WordPress Weekly Episode 3 | Jeffro2pt0

WordPress Weekly Episode 3 | Jeffro2pt0 — Fri, 25 Apr 2008 08:04:42 +0000

[...] Dean’s Migration Plugin Vulnerability - According to an advisory released by Packetstorm, a fellow by the name of g30rg3_x has discovered two bugs within Dean’s Permalinks Migration Plugin version 1.0. The first bug relates to XSRF and can allow an attacker to force a user to perform an unsolicited action that when combined with an XSS bug that has also been discovered, allows the attacker to gain valid credentials. [...]

By: Permalinks Migration Plugin Vulnerability » JaypeeOnline // Blogging News & Reviews

Sun, 03 Feb 2008 12:22:25 +0000

[...] Collection, an article was posted earlier today regarding a vulnerability in version 1.0 of the Deans Permalinks Migration Plugin. The said vulnerability involves XSRF or Cross-site request forgery and allow the attacker to steal [...]

By: Connie

Connie — Sun, 03 Feb 2008 09:10:46 +0000

So where’s the link to the packetstorm advisory? I checked the list of January 2008 advisories and found nothing. I might have missed it — here’s the link for anyone who cares to check http://packetstormsecurity.org/0801-advisories/.

By: Rick Beckman

Rick Beckman — Fri, 25 Jan 2008 18:07:18 +0000

Ashish: You’ll likely need it for as long as websites have links to any of your old-style permalinks, unless you are okay with serving up a Content Not Found page to visitors from those older sources.

Search engines should eventually update. If you’re able, definitely keep a watch on your server access logs; over time, requests for old-style permalinks should become fewer. When they reach a level you’re happy with, you’ll be safe disabling the plugin.

If a few websites are consistently sending content to an older style permalink, it might be worth it to add a simple redirect in an .htaccess file, if you’re able, such as this:

Redirect /2006/04/01/some-old-post/ /some-old-post/

Adjust that accordingly, of course.

By: Ashish Mohta

Ashish Mohta — Fri, 25 Jan 2008 18:02:54 +0000

Do you need this plugin to be activated forever in the blog or you can just quit using it after some months when the migration is over

By: Rick Beckman

Rick Beckman — Fri, 25 Jan 2008 17:16:36 +0000

I wish I knew about this plugin before I spent hours coming up with an .htaccess solution! Dealing with the redirect at the server level is probably a bit faster and more secure anyway. There are certain permalink changes which won’t be able to be dealt with at the server level — such as going from plain name-based permalinks to something with more information, such as year/name-based.

By: Ted Clayton

Ted Clayton — Fri, 25 Jan 2008 16:24:21 +0000

Site working! Actually, I think I noticed the laborious install/activate-action, when installing Top Level Cats, and Redirection. Following those, I also activated Dean’s Permalinks, but I think noticed nothing.

By: Ted Clayton

Ted Clayton — Fri, 25 Jan 2008 15:14:31 +0000

I very recently installed this plugin, along with a number of other, and yesterday suddenly could not bring up my homepage at all. This morning, the page partially renders, then stops at the same place with an error message: “… exceeded the ‘max_questions’ resource … “.

I did notice some laborious action, while installing Dean’s and another Permalinks-related plugin. I have FTPed all my recently installed plugins out of /wp-content/plugins, will wait an hour for the ‘resource’ error to time out (correct?) and try my site again. Unless you guys know different, my understanding is we should leave my host alone so the error times out.

Will update. Any insight appreciated.

By: Tadd

Tadd — Fri, 25 Jan 2008 14:06:05 +0000

Ah, good catch … I better grab that change and replace the plug I installed!

Nothing like sql injections to make a day go bad.