
Permalinks Migration Vulnerability

Posted January 25th, 2008, in WordPress Plugins, WordPress Security
13 Responses

  1. Tadd (89 comments.) says:

    Ah, good catch … I better grab that change and replace the plugin I installed!

    Nothing like SQL injections to make a day go bad.

  2. Ted Clayton (31 comments.) says:

    I very recently installed this plugin, along with a number of others, and yesterday suddenly could not bring up my homepage at all. This morning, the page partially renders, then stops at the same place with an error message: “… exceeded the ‘max_questions’ resource … “.

    I did notice some laborious action, while installing Dean’s and another Permalinks-related plugin. I have FTPed all my recently installed plugins out of /wp-content/plugins, will wait an hour for the ‘resource’ error to time out (correct?) and try my site again. Unless you guys know different, my understanding is we should leave my host alone so the error times out.

    Will update. Any insight appreciated.

  3. Ted Clayton (31 comments.) says:

    Site working! Actually, I think I noticed the laborious install/activate-action, when installing Top Level Cats, and Redirection. Following those, I also activated Dean’s Permalinks, but I think noticed nothing.

  4. Rick Beckman (15 comments.) says:

    I wish I knew about this plugin before I spent hours coming up with an .htaccess solution! Dealing with the redirect at the server level is probably a bit faster and more secure anyway. There are certain permalink changes which won’t be able to be dealt with at the server level — such as going from plain name-based permalinks to something with more information, such as year/name-based.

  5. Ashish Mohta says:

    Do you need this plugin to be activated forever in the blog, or can you just quit using it after some months when the migration is over?

  6. Rick Beckman (15 comments.) says:

    Ashish: You’ll likely need it for as long as websites have links to any of your old-style permalinks, unless you are okay with serving up a Content Not Found page to visitors from those older sources.

    Search engines should eventually update. If you’re able, definitely keep a watch on your server access logs; over time, requests for old-style permalinks should become fewer. When they reach a level you’re happy with, you’ll be safe disabling the plugin.

    If a few websites are consistently sending content to an older style permalink, it might be worth it to add a simple redirect in an .htaccess file, if you’re able, such as this:

    Redirect /2006/04/01/some-old-post/ /some-old-post/

    Adjust that accordingly, of course. :)

  7. Connie (3 comments.) says:

    So where’s the link to the packetstorm advisory? I checked the list of January 2008 advisories and found nothing. I might have missed it — here’s the link for anyone who cares to check http://packetstormsecurity.org/0801-advisories/.

  8. Harsh Agrawal (12 comments.) says:

    I think the latest one fixed the problem… isn’t it?

  9. Joost says:

    Can you please upload it again? The link doesn’t work. Thanks. Or please send it to me, as I entered my e-mail.



Trackbacks/Pingbacks

  1. […] Collection, an article was posted earlier today regarding a vulnerability in version 1.0 of the Deans Permalinks Migration Plugin. The said vulnerability involves XSRF or Cross-site request forgery and allows the attacker to steal […]

  2. […] Dean’s Migration Plugin Vulnerability – According to an advisory released by Packetstorm, a fellow by the name of g30rg3_x has discovered two bugs within Dean’s Permalinks Migration Plugin version 1.0. The first bug relates to XSRF and can allow an attacker to force a user to perform an unsolicited action that when combined with an XSS bug that has also been discovered, allows the attacker to gain valid credentials. […]

  3. […] Migration Plugin Version 1.0. However, it’s got a bug apparently so the fix is here in this Weblog Tools Collection post, or download here from g30rg3 Blog or from WordPress […]

  4. […] below (e.g., going from name-based permalinks back to name and date-based permalinks), there is a WordPress plugin that can take care of you. If all you want to do is change from name and date-based permalinks to […]
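The XSRF-plus-XSS combination the second trackback describes is the classic shape of an unprotected plugin settings form: a POST handler that writes an option without checking that the request was deliberately made by the admin, and a page that echoes the stored value back without escaping. The block below is an added illustration written for this page; it is not code from Dean's Permalinks Migration plugin, the advisory, or WordPress itself. The `pm_demo_*` function names and option key are invented, and it uses current WordPress core helpers (`wp_nonce_field`, `check_admin_referer`, `wp_unslash`, `esc_attr`) rather than anything the 1.0 plugin would have had in 2008.

```php
<?php
/*
 * Added example for this page, not the plugin's own code.
 * A hypothetical "pm_demo" options page shown twice: the vulnerable
 * pattern behind an XSRF + XSS pairing, and the standard hardened form.
 */

// --- Vulnerable pattern (illustrative only) ---
// No capability check, no nonce, no sanitisation, no output escaping.
// A forged POST from a page on another site changes the option while an
// admin is logged in; a crafted value is then reflected into the admin
// page as markup, which is the XSS half of the chain.
function pm_demo_settings_page_vulnerable() {
    if ( isset( $_POST['pm_demo_old_structure'] ) ) {
        update_option( 'pm_demo_old_structure', $_POST['pm_demo_old_structure'] );
    }
    $value = get_option( 'pm_demo_old_structure', '' );
    echo '<form method="post">';
    echo '<input name="pm_demo_old_structure" value="' . $value . '">'; // XSS sink
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened pattern ---
// Capability check, nonce emitted with the form, nonce verified before the
// write, input reduced to permalink-structure characters, output escaped.
function pm_demo_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['pm_demo_old_structure'] ) ) {
        // Terminates the request unless a valid nonce for this action is present,
        // so a cross-site POST cannot reach update_option().
        check_admin_referer( 'pm_demo_save', 'pm_demo_nonce' );
        $clean = pm_demo_sanitize_structure( wp_unslash( $_POST['pm_demo_old_structure'] ) );
        update_option( 'pm_demo_old_structure', $clean );
    }
    $value = get_option( 'pm_demo_old_structure', '' );
    echo '<form method="post">';
    wp_nonce_field( 'pm_demo_save', 'pm_demo_nonce' );
    echo '<input name="pm_demo_old_structure" value="' . esc_attr( $value ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

// Keep only characters that can appear in a WordPress permalink structure:
// letters, digits, %, /, -, _ and '.'. Anything else (quotes, angle brackets,
// whitespace) is dropped before the value is stored.
function pm_demo_sanitize_structure( $raw ) {
    return preg_replace( '/[^A-Za-z0-9%\/_.\-]/', '', (string) $raw );
}

// Register the hardened page under Settings (hypothetical slug 'pm-demo').
add_action( 'admin_menu', function () {
    add_options_page( 'PM Demo', 'PM Demo', 'manage_options', 'pm-demo', 'pm_demo_settings_page' );
} );
```

The nonce is what breaks the XSRF half: a page on an attacker's site can make the admin's browser submit the form, but cannot read the per-user, per-action token WordPress embeds in the legitimate form, so `check_admin_referer` rejects the forged request. Escaping with `esc_attr` closes the XSS half independently, so even a value that reached the option through another route is rendered as text rather than markup; the two checks should be kept together rather than relying on either one alone.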

Obviously Powered by WordPress. © 2003-2013
