Full Disclosure mailing list archives
Re: Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure
From: "Zerial." <fernando () zerial org>
Date: Thu, 26 May 2011 09:02:10 -0400
Hi Veronica,

You can also "enumerate" WordPress users using wp-login.php. When you enter a non-existent user, WordPress returns "Invalid username", and when you enter a valid user with any random/dummy password, WordPress returns "Invalid Password". Now you can use brute force to enumerate all valid users using, for example, a name/username dictionary.

Try using https://wordpress.com/wp-login.php

Is it a bug? Is it a vulnerability? Is it a feature?

Cheers,
Zerial
http://blog.zerial.org

On 05/26/11 00:46, Veronica wrote:
-----------------------------------------------------------------------
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
-----------------------------------------------------------------------

I. Advisory information

Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26
Vendors contacted: WordPress
Author: Verónica Valeros

II. Vulnerability information

Class: Insecure Direct Object References (CWE-715)
Impact: Low
Remotely Exploitable: Yes
Locally Exploitable: Yes

III. Overview

WordPress platforms use a parameter called 'author'. This parameter accepts integer values and represents the 'User ID' of users in the web site. For example:

http://www.example.com/?author=1

The problems found are:

1. User ID values are generated consecutively.
2. When a valid User ID is found, WordPress redirects to a web page with the name of the author.

These problems trigger the following attack vectors:

1. The query response discloses whether the User ID is enabled.
2. The query response leaks (by redirection) the User Name corresponding with that User ID. (See update for version 3.1.3)

User IDs can be disabled, leaving holes within the consecutive numbers. Therefore, when an invalid User ID is sent, no redirection is done and no information is disclosed. Also, the attack can be automated, sending multiple queries to extract valid User Names and User IDs from the vulnerable web sites.

Update: In version 3.1.3 the redirection explained in the second attack vector is not done, but it is still possible to find the User Name in the source code. Therefore, this version is still vulnerable.

IV. Affected versions

This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other versions were not tested and may be vulnerable.

V. Non affected versions

Unknown.

VI. Proof of concept

A Proof of Concept (PoC) is available at:
wp-userdata-disclosure-PoC.py.tar.gz <http://www.talsoft.com.ar/weblog/wp-content/uploads/2011/05/wp-userdata-disclosure-PoC.py_.tar.gz>

VII. Solution

WordPress version 3.1.3 fixes the redirection problem, but user names are still being disclosed in the HTML code. No solution was provided for this last problem.

VIII. Disclosure timeline

+ 2011-03-14:
  - Vulnerability was identified.
+ 2011-05-11:
  - WordPress security team was contacted.
+ 2011-05-12:
  - WordPress confirmed the vulnerability.
+ 2011-05-25:
  - WordPress released version 3.1.3, which included a fix for the canonical redirection problem but did not include a fix for the source code problem.
  - WordPress security team was informed that after the release of version 3.1.3 the vulnerability was still exploitable.
  - WordPress team agreed to release the security advisory.
+ 2011-05-26:
  - The advisory was released.

IX. Credits

This vulnerability was discovered and reported by Verónica Valeros (veronicavaleros at talsoft.com.ar <http://talsoft.com.ar>)

X. Disclaimer

The information provided in this document is for information purposes only. Talsoft S.R.L. accepts no responsibility for any damage caused by the use or misuse of this information. The content of this advisory may be distributed freely, provided that no fee is charged for this distribution and proper credit is given.

XI. About Talsoft S.R.L.

Talsoft S.R.L is a growing company with the mission to provide solutions in the following areas:
+ Information Security
+ Technology administration
+ Open source solutions
+ Trainings and courses

Talsoft S.R.L. is also involved in many information security research projects.

--
Penetration Tester at TalSoft S.R.L.
Email: veronicavaleros () talsoft com ar <mailto:veronicavaleros () talsoft com ar>
www.talsoft.com.ar <http://www.talsoft.com.ar>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
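Both enumeration paths in this thread (the consecutive `?author=N` sweep from the advisory and the wp-login.php error-message probing from the reply) leave a recognisable trace in a web server's access log. The script below is an added example, not code from the advisory or its PoC: it parses combined-format log lines and flags source IPs that request many distinct author IDs or repeatedly POST to wp-login.php. The sample log and thresholds are constructed, and it assumes the usual WordPress behaviour of re-rendering the login form with HTTP 200 on a failed login and redirecting (302) on success.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined log format prefix: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Constructed sample access log (RFC 5737 placeholder addresses), not from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2011:09:00:01 -0400] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [26/May/2011:09:00:02 -0400] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [26/May/2011:09:00:03 -0400] "GET /?author=3 HTTP/1.1" 404 0
198.51.100.9 - - [26/May/2011:09:01:10 -0400] "POST /wp-login.php HTTP/1.1" 200 0
198.51.100.9 - - [26/May/2011:09:01:11 -0400] "POST /wp-login.php HTTP/1.1" 200 0
198.51.100.9 - - [26/May/2011:09:01:12 -0400] "POST /wp-login.php HTTP/1.1" 200 0
192.0.2.7 - - [26/May/2011:09:02:00 -0400] "GET /?author=1 HTTP/1.1" 301 0
192.0.2.7 - - [26/May/2011:09:02:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse_line(line):
    """Return (ip, method, target, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_enumeration(log_text, author_threshold=3, login_threshold=3):
    """Map source IP -> reasons, for IPs sweeping ?author=N or failing logins.
    Assumption: a failed wp-login.php POST re-renders the form (200); success redirects (302)."""
    author_ids = defaultdict(set)
    failed_logins = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, target, status = parsed
        url = urlparse(target)
        author = parse_qs(url.query).get('author', [''])[0]
        if method == 'GET' and author.isdigit():
            author_ids[ip].add(int(author))
        elif method == 'POST' and url.path.endswith('/wp-login.php') and status == 200:
            failed_logins[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append('author ID sweep: %s' % sorted(ids))
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append('%d failed wp-login.php POSTs' % n)
    return dict(findings)
```

Running `find_enumeration(SAMPLE_LOG)` flags the two probing sources and leaves 192.0.2.7 (one author page, one successful login) alone; tune the thresholds to the site's normal traffic before alerting on them.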