Full Disclosure mailing list archives
Re: WordPress User Account Information Leak / Secunia Advisory SA23621
From: adam <adam () papsy net>
Date: Fri, 5 Jul 2013 07:34:48 -0500
That's a very valid point, Dan. I don't use WP personally, but the feature you're talking about, is that a core feature? Or is it offered by some [potentially 3rd party] addon? If it's core, and this is really how they're responding, that's mind boggling. Why wouldn't they simply offer it as a feature in future versions, even if they left it disabled? It's clearly doing harm by not being an option, and would do what exactly for it to be an option? Waste 3 minutes of a developer's time?

On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje () gmail com> wrote:
> It seems crazy to me that WordPress is sensible enough to allow you to change the default admin username to something other than "admin" - but then so simply exposes that information to anyone that fancies scanning. I ran wpscan last night across a couple of my installs and sure enough - my renamed admin accounts show straight up. What a waste of time! :-/
>
> On 5 July 2013 10:16, Maksymilian <max () cert cx> wrote:
>
>> The corresponding trac entry for wordpress is closed as "wontfix": https://core.trac.wordpress.org/ticket/1129 Why?
>>
>> Some people consider this a security vulnerability, but not everybody, e.g. Drupal: https://drupal.org/node/1004778
>>
>> In Drupal, it is the same problem. Using ctools, you can get username finding (by [Username]) https://drupal.org/?q=ctools/autocomplete/node/1 (by Amazon)
>>
>> PoC: ?q=ctools/autocomplete/node/[ID]
>>
>> In my opinion, this should be fixed. This idea may be very helpful to create a botnet based on brute-forcing a CMS.
>>
>> Maksymilian Arciemowicz
>> http://cxsecurity.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
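The check Dan describes running with wpscan, written out as an added example (this code is not from the thread, from wpscan or from WordPress). It assumes the behaviour Secunia SA23621 describes: on an install with pretty permalinks, a request for /?author=N with a valid user ID is redirected to the author archive /author/<user_nicename>/, and by default user_nicename is the login name, which is why a renamed admin still shows up. The site name, user list and `fake_fetch` below are constructed so the script runs offline; for a live check, replace `fake_fetch` with a function that issues the request without following redirects and returns the status and headers.

```python
"""Added example: enumerate WordPress author slugs via ?author=N redirects.

Assumption (from Secunia SA23621, not stated in the thread): a valid user ID
is answered with a 301/302 to /author/<user_nicename>/.  The fetcher and the
sample site below are constructed stand-ins, not a real host.
"""
import re
from typing import Callable, Dict, Optional, Tuple

# Matches the author archive path in a Location header.
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")

# A fetcher takes a URL and returns (status, headers) WITHOUT following redirects.
Fetch = Callable[[str], Tuple[int, Dict[str, str]]]


def slug_from_redirect(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Return the author slug if the response is a redirect to an author archive."""
    if status not in (301, 302):
        return None
    location = headers.get("Location") or headers.get("location") or ""
    match = AUTHOR_RE.search(location)
    return match.group(1) if match else None


def enumerate_authors(base_url: str, fetch: Fetch, max_id: int = 10) -> Dict[int, str]:
    """Probe user IDs 1..max_id and collect the slugs the site leaks."""
    found: Dict[int, str] = {}
    for uid in range(1, max_id + 1):
        status, headers = fetch(f"{base_url}/?author={uid}")
        slug = slug_from_redirect(status, headers)
        if slug:
            found[uid] = slug
    return found


# Constructed sample site: ID 1 is an admin renamed away from "admin";
# the slug still reveals the login because nicename defaults to the login.
SAMPLE_SITE = {
    1: "siteowner_2013",
    2: "editor",
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in for an HTTP client that does not follow redirects."""
    match = re.search(r"[?&]author=(\d+)", url)
    uid = int(match.group(1)) if match else 0
    if uid in SAMPLE_SITE:
        return 301, {"Location": f"http://example.test/author/{SAMPLE_SITE[uid]}/"}
    return 404, {}


if __name__ == "__main__":
    print(enumerate_authors("http://example.test", fake_fetch, max_id=5))
```

The redirect is a canonical-URL feature rather than a bug in the redirect code itself, which is why renaming the account does not help: the fix has to change what the site answers for an author ID, not what the login is called.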
Current thread:
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Maksymilian (Jul 05)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Dan Ballance (Jul 05)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 adam (Jul 05)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Dan Ballance (Jul 05)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Alex (Jul 08)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Ryan Dewhurst (Jul 08)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Dan Ballance (Jul 08)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 adam (Jul 05)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Maksymilian (Jul 05)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Dan Ballance (Jul 05)