Full Disclosure mailing list archives

Re: WordPress User Account Information Leak / Secunia Advisory SA23621


From: Dan Ballance <tzewang.dorje () gmail com>
Date: Mon, 8 Jul 2013 10:15:54 +0100

Hi Alex,

I think you may have misread my post. I said I am pretty sure the username
changing is a feature of the core installation. I don't run any Wordpress
plugins unless thoroughly security audited and most of the time I am just
looking for a quick blog so I can publish something I want to say, so I
just tend to run the core site and live with its limitations.


On 8 July 2013 10:08, Alex <fd () daloo de> wrote:


I am no HTML/JS expert, but WP is open source, so why not just post a
patch instead of building plugins and/or scripts to abuse it..



https://wordpress.org/download/source/





On 2013-07-05 15:30, Dan Ballance wrote:

I don't *now* know if they see it as a security feature, but when you do
the install you are asked to give the admin account a username. I always
thought this was a nice additional security feature to make brute-forcing
the site more challenging. It seems I was wrong!

This is definitely in core BTW. I am slightly embarrassed to be admitting
on full disclosure that I run wordpress for a couple of quick personal
blogs (lol) - but I don't run any extensions and always keep up-to-date
with the latest release. The real trouble lies in the 3rd party extensions
(as with most applications).


On 5 July 2013 13:34, adam <adam () papsy net> wrote:

That's a very valid point, Dan. I don't use WP personally, but the
feature you're talking about, is that a core feature? Or is it offered by
some [potentially 3rd party] addon? If it's core, and this is really how
they're responding, that's mind boggling.

Why wouldn't they simply offer it as a feature in future versions, even
if they left it disabled? It's clearly doing harm by not being an option,
and would do what exactly for it to be an option? Waste 3 minutes of a
developer's time?


On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje () gmail com> wrote:

It seems crazy to me that WordPress is sensible enough to allow you to
change the default admin username to something other than "admin" - but
then so simply exposes that information to anyone that fancies scanning. I
ran wpscan last night across a couple of my installs and sure enough - my
renamed admin accounts show straight up. What a waste of time! :-/


On 5 July 2013 10:16, Maksymilian <max () cert cx> wrote:


The corresponding trac entry for wordpress is closed as
"wontfix":
https://core.trac.wordpress.org/ticket/1129

Why?


Some people consider this a security vulnerability, but not
everybody, e.g. Drupal:

https://drupal.org/node/1004778

In Drupal, it is the same problem. Using ctools, you can do username
finding

(by [Username])

https://drupal.org/?q=ctools/autocomplete/node/1

(by Amazon)

PoC:
?q=ctools/autocomplete/node/[ID]

In my opinion, this should be fixed. This idea may be very helpful to
create a botnet based on brute-forcing CMSs.


Maksymilian Arciemowicz
http://cxsecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


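The enumeration paths discussed in this thread (the Drupal ctools autocomplete URL quoted above, and the WordPress author-id redirect that wpscan relies on, which is my own addition and not named in the thread) are easy to spot in web server access logs: one source walking a sequence of numeric ids. The following detector is an added example, not code from any poster or from either project; it runs over constructed Apache combined-format log lines embedded inline, and the threshold and pattern names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); not real traffic.
# 203.0.113.5 walks the Drupal ctools autocomplete ids, 203.0.113.9 walks
# WordPress ?author= ids, 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2013:10:16:01 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 88 "-" "curl/7.30"
203.0.113.5 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 91 "-" "curl/7.30"
203.0.113.5 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 85 "-" "curl/7.30"
203.0.113.5 - - [05/Jul/2013:10:16:03 +0000] "GET /?q=ctools/autocomplete/node/4 HTTP/1.1" 200 90 "-" "curl/7.30"
203.0.113.5 - - [05/Jul/2013:10:16:03 +0000] "GET /?q=ctools/autocomplete/node/5 HTTP/1.1" 200 87 "-" "curl/7.30"
198.51.100.7 - - [05/Jul/2013:10:17:10 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 88 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2013:10:17:40 +0000] "GET /blog/?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jul/2013:10:18:01 +0000] "GET /blog/?author=1 HTTP/1.1" 301 0 "-" "python-requests/1.2"
203.0.113.9 - - [05/Jul/2013:10:18:01 +0000] "GET /blog/?author=2 HTTP/1.1" 301 0 "-" "python-requests/1.2"
203.0.113.9 - - [05/Jul/2013:10:18:02 +0000] "GET /blog/?author=3 HTTP/1.1" 301 0 "-" "python-requests/1.2"
203.0.113.9 - - [05/Jul/2013:10:18:02 +0000] "GET /blog/?author=4 HTTP/1.1" 404 0 "-" "python-requests/1.2"
garbage line that does not parse
"""

# Minimal parser for the combined log format: client IP, timestamp,
# request method and path, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request-path patterns that capture the numeric id being probed.
# Pattern names are assumptions chosen for this example.
PATTERNS = {
    "drupal_ctools_autocomplete": re.compile(r"ctools/autocomplete/node/(\d+)"),
    "wordpress_author_id": re.compile(r"[?&]author=(\d+)"),
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def enumeration_report(lines, threshold=3):
    """Map (client IP, pattern name) to the sorted distinct ids it probed,
    keeping only sources that touched at least `threshold` distinct ids.
    Counting distinct ids rather than raw hits keeps a visitor who reloads
    one page from being flagged."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in PATTERNS.items():
            m = pattern.search(rec["path"])
            if m:
                seen[(rec["ip"], name)].add(int(m.group(1)))
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for (ip, name), ids in enumeration_report(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {name} enumeration, ids probed {ids}")
```

In production the same logic would be fed from a log tail or a SIEM query and keyed on a sliding time window; the distinct-id threshold is the knob to tune against false positives from legitimate author-archive links.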
