Nmap Development mailing list archives

Update to http-wp-enum.nse

From: Duarte Silva <duarte.silva () serializing me>
Date: Sun, 18 Sep 2011 19:41:04 +0100

Hi, 

I was testing this script against a vulnerable WordPress installation and found 
out that the script wasn't returning all the users that were available on that 
installation. I decided to investigate why this was happening and found out 
that WordPress responds with a 200 HTTP status code when a user is found but 
doesn't have any posts. After looking at the returned web page source code, I 
found out that it is possible to extract the user login name from the RSS feed 
link. Something along the lines of

... href="http://scanme.insecure.org/author/<user login>/feed/" />

I have updated the script (the current version only checks for the redirect 
that contains the user login) and got a lot more results :P

Also the original advisory [1] states the following:

WordPress version 3.1.3 fixes the redirection problem, but user names are
still being disclosed in the HTML code. No solution was provided for this
last problem.

Checked against the latest version of WordPress, and it is possible to obtain 
the user login using the RSS feed link.

Also updated the script to support blogs served over HTTPS.

[1] http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure

Regards,
Duarte Silva
Index: scripts/http-wp-enum.nse
===================================================================
--- scripts/http-wp-enum.nse    (revision 26589)
+++ scripts/http-wp-enum.nse    (working copy)
@@ -51,8 +51,11 @@
   if req.status then
     stdnse.print_debug(1, "%s: User id #%s returned status %s", SCRIPT_NAME, id, req.status)
     if req.status == 301 then
-      local _, _, user = string.find(req.header.location, 'http://.*/.*/(.*)/')
+      local _, _, user = string.find(req.header.location, 'https?://.*/.*/(.*)/')
       return user
+    elseif req.status == 200 then
+      local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/')
+      return user
     end
   end
   return false
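Review bot: the new `elseif req.status == 200` branch passes `req.body` straight to `string.find`, so a 200 response with an empty or missing body (a `nil` body in the http library's response table) raises a runtime error instead of returning `false`; guard it with `if req.status == 200 and req.body then`. A second point for the same branch: a 200 page is not guaranteed to belong to the queried id. Themes commonly render a default or archive page that contains `/author/<login>/feed/` links for other authors, so the first match in the body may be attributed to the wrong user id and produce a false positive; consider capturing the login only when the feed link appears in the page's own `<link>` element (or the `<title>` names the author) rather than anywhere in the body, and mention the new 200-based detection in the script's description and output documentation. Minor: the existing 301 branch has the same nil problem with `req.header.location` and would benefit from the same guard.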

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/