Full Disclosure mailing list archives

Re: WordPress User Account Information Leak / Secunia Advisory SA23621


From: Alex <fd () daloo de>
Date: Mon, 08 Jul 2013 11:08:25 +0200



I am no HTML/JS expert, but WP is open source, so why not just post a
patch instead of building plugins and/or scripts to abuse it.. 

https://wordpress.org/download/source/ [7] 

Am 2013-07-05 15:30, schrieb Dan Ballance: 

I don't *now* know if they see it as a security feature, but when you do the install you are asked to give the admin 
account a username. I always thought this was a nice additional security feature to make brute-forcing the site more 
challenging. It seems I was wrong! 

This is definitely in core BTW. I am slightly embarrassed to be admitting on full disclosure that I run wordpress for 
a couple of quick personal blogs (lol) - but I don't run any extensions and always keep up-to-date with the latest 
release. The real trouble lies in the 3rd party extensions (as with most applications). 

On 5 July 2013 13:34, adam <adam () papsy net> wrote:
That's a very valid point, Dan. I don't use WP personally, but the feature you're talking about, is that a core 
feature? Or is it offered by some [potentially 3rd party] addon? If it's core, and this is really how they're 
responding, that's mind boggling. 

Why wouldn't they simply offer it as a feature in future versions, even if they left it disabled? It's clearly doing 
harm by not being an option, and would do what exactly for it to be an option? Waste 3 minutes of a developer's time? 

On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje () gmail com> wrote:

It seems crazy to me that WordPress is sensible enough to allow you to change the default admin username to something 
other than "admin" - but then so simply exposes that information to anyone that fancies scanning. I ran wpscan last 
night across a couple of my installs and sure enough - my renamed admin accounts show straight up. What a waste of 
time! :-/ 

On 5 July 2013 10:16, Maksymilian <max () cert cx> wrote: 

The corresponding trac entry for wordpress is closed as
"wontfix":
https://core.trac.wordpress.org/ticket/1129 [1]

Why?

some people consider this as a security vulnerability but not everybody. eg drupal 

https://drupal.org/node/1004778 [2] 

In Drupal, is the same problem. Using ctools, you can get username finding 

(by [Username]) 

https://drupal.org/?q=ctools/autocomplete/node/1 [3] 

(by Amazon) 

PoC: 
?q=ctools/autocomplete/node/[ID] 

In my opinion, this should be fixed. This idea, may be very helpful to create botnet based on brutal force CMS. 

Maksymilian Arciemowicz 
http://cxsecurity.com/ [4] 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5]
Hosted and sponsored by Secunia - http://secunia.com/ [6]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5]
Hosted and sponsored by Secunia - http://secunia.com/ [6] 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5]
Hosted and sponsored by Secunia - http://secunia.com/ [6]



Links:
------
[1] https://core.trac.wordpress.org/ticket/1129
[2] https://drupal.org/node/1004778
[3] https://drupal.org/?q=ctools/autocomplete/node/1
[4] http://cxsecurity.com/
[5] http://lists.grok.org.uk/full-disclosure-charter.html
[6] http://secunia.com/
[7] https://wordpress.org/download/source/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread: