Full Disclosure mailing list archives

Re: WordPress User Account Information Leak / Secunia Advisory SA23621


From: Harry Metcalfe <harry () dxw com>
Date: Fri, 05 Jul 2013 13:57:19 +0100

There have been many heated debates within the community about this issue. Unfortunately, I think a different outcome is unlikely.

WordPress's position is (I think) that usernames aren't secret, and that therefore, username enumeration is a non-problem. I think this is extremely wrong, but it is what it is.

We solve this problem with a plugin that changes the login messages and ensures that invalid usernames will prepopulate the form, as well as valid ones.

We also look for [?|&]a=\d in the URL and remove any matches before the request hits apache, so that attackers can't run through ?a=1, ?a=2 etc looking for redirects to author pages (which include usernames in the URL_.

Harry
http://security.dxw.com


On 04/07/13 14:22, Ivan Carlos wrote:

Can't you open a new bt about this issue?

Regards,

Em 04/07/2013 10:16, "Sven Kieske" <svenkieske () gmail com <mailto:svenkieske () gmail com>> escreveu:

    Hi,

    the mentioned User account Enumeration Weakness
    stated in Advisory https://secunia.com/advisories/23621/
    still exists in the actual version 3.5.2 .

    The corresponding trac entry for wordpress is closed as
    "wontfix":
    https://core.trac.wordpress.org/ticket/1129

    Why?

    Maybe, because the trac bug mentions just version 1.5 as affected?

    I can easily reproduce this in version 3.5.2 .

    Please fix this, this bug is 8 years old!

    Kind Regards

    Sven Kieske

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter:http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread: