Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: WordPress User Account Information Leak / Secunia Advisory SA23621

From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Mon, 8 Jul 2013 11:16:07 +0200
You can send patches, the core devs decide whether or not to accept them.

Sven's original email linked to a bug which had a patch that wasn't
accepted - https://core.trac.wordpress.org/ticket/1129


On Mon, Jul 8, 2013 at 11:08 AM, Alex <fd () daloo de> wrote:


**

I am no HTML/JS expert, but WP is open source, so why not just post a
patch instead of building plugins and/or scripts to abuse it..



https://wordpress.org/download/source/





Am 2013-07-05 15:30, schrieb Dan Ballance:

I don't *now* know if they see it as a security feature, but when you do
the install you are asked to give the admin account a username. I always
thought this was a nice additional security feature to make brute-forcing
the site more challenging. It seems I was wrong!

This is definitely in core BTW. I am slightly embarrassed to be admitting
on full disclosure that I run wordpress for a couple of quick personal
blogs (lol) - but I don't run any extensions and always keep up-to-date
with the latest release. The real trouble lies in the 3rd party extensions
(as with most applications).


On 5 July 2013 13:34, adam <adam () papsy net> wrote:


That's a very valid point, Dan. I don't use WP personally, but the
feature you're talking about, is that a core feature? Or is it offered by
some [potentially 3rd party] addon? If it's core, and this is really how
they're responding, that's mind boggling.

Why wouldn't they simply offer it as a feature in future versions, even
if they left it disabled? It's clearly doing harm by not being an option,
and would do what exactly for it to be an option? Waste 3 minutes of a
developer's time?


On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje () gmail com>wrote:


It seems crazy to me that WordPress is sensible enough to allow you to
change the default admin username to something other than "admin" - but
then so simply exposes that information to anyone that fancies scanning. I
ran wpscan last night across a couple of my installs and sure enough - my
renamed admin accounts show straight up. What a waste of time! :-/


 On 5 July 2013 10:16, Maksymilian <max () cert cx> wrote:




The corresponding trac entry for wordpress is closed as
"wontfix":
https://core.trac.wordpress.org/ticket/1129

Why?



 some people consider this as a security vulnerability but not
everybody. eg drupal

https://drupal.org/node/1004778

In Drupal, is the same problem. Using ctools, you can get username
finding

(by [Username])

https://drupal.org/?q=ctools/autocomplete/node/1

(by Amazon)

PoC:
?q=ctools/autocomplete/node/[ID]

In my opinion, this should be fixed. This idea, may be very helpful to
create botnet based on brutal force CMS.


Maksymilian Arciemowicz
http://cxsecurity.com/

  _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: