Nmap Development mailing list archives
Re: Update to http-wp-enum.nse
From: David Fifield <david () bamsoftware com>
Date: Fri, 30 Sep 2011 19:02:21 -0700
On Sun, Sep 18, 2011 at 07:41:04PM +0100, Duarte Silva wrote:
Hi,

I was testing this script against a vulnerable WordPress installation and found out that the script wasn't returning all the users that were available on that installation. I decided to investigate why this was happening and found out that WordPress responds with a 200 HTTP status code when a user is found but doesn't have any posts. After looking at the returned web page source code, I found out that it is possible to extract the user login name from the RSS feed link. Something along the lines of...

href="http://scanme.insecure.org/author/<user login>/feed/" />

I have updated the script (the current version only checks for the redirect that contains the user login) and got a lot more results :P

Also the original advisory [1] states the following:

WordPress version 3.1.3 fixes the redirection problem, but user names are still being disclosed in the HTML code. No solution was provided for this last problem.

Checked against the latest version of WordPress, and it is possible to obtain the user login using the RSS feed link. Also updated the script to support blogs served over HTTPS.
Thanks, committed.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
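The two signals the thread describes, as an added example that is not part of the original messages or of the Nmap script (which is Lua): the pre-3.1.3 redirect whose Location header carries the author login, and the post-fix 200 response whose RSS feed link still carries it, for both http and https blogs. The host name is the one quoted in the thread; the login value "editor" and the response bodies are constructed for this example. A site owner can run the same functions over saved responses from their own author pages to confirm whether an upgrade actually closed the disclosure.

```python
import re
from typing import Dict, Optional

# Constructed sample: the body WordPress returns with HTTP 200 for an author
# who exists but has no posts. Only the feed <link> matters here.
SAMPLE_BODY_HTTP = """<html><head>
<link rel="alternate" type="application/rss+xml" title="Posts by editor Feed"
 href="http://scanme.insecure.org/author/editor/feed/" />
</head><body><p>Nothing found.</p></body></html>"""

# Same page served over HTTPS, which the updated script also handles.
SAMPLE_BODY_HTTPS = SAMPLE_BODY_HTTP.replace("http://", "https://")

# Author feed link: scheme may be http or https; the login is the path
# segment between /author/ and /feed/.
FEED_LINK_RE = re.compile(
    r'href="https?://[^/"]+/author/([^/"]+)/feed/"', re.IGNORECASE)

# Location header of the redirect that WordPress < 3.1.3 issued for
# /?author=N; the login is the last path segment, trailing slash optional.
REDIRECT_RE = re.compile(r'^https?://[^/]+/author/([^/]+)/?$', re.IGNORECASE)


def login_from_feed_link(body: str) -> Optional[str]:
    """Return the author login exposed in the RSS feed link, or None."""
    m = FEED_LINK_RE.search(body)
    return m.group(1) if m else None


def login_from_redirect(location: Optional[str]) -> Optional[str]:
    """Return the author login from a redirect Location header, or None."""
    if not location:
        return None
    m = REDIRECT_RE.match(location.strip())
    return m.group(1) if m else None


def exposed_login(status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Decide whether one author-page response discloses the login.

    Redirects are judged by their Location header (the check the original
    script already had); a 200 is judged by the feed link in the body (the
    check the thread adds). Any other status is treated as no disclosure.
    """
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302):
        return login_from_redirect(lowered.get("location"))
    if status == 200:
        return login_from_feed_link(body)
    return None


if __name__ == "__main__":
    print(exposed_login(200, {}, SAMPLE_BODY_HTTP))
    print(exposed_login(302, {"Location": "http://scanme.insecure.org/author/editor/"}, ""))
```

Feeding a real instance's saved responses through exposed_login gives a quick yes/no per author ID on whether the login leaks, independent of which of the two mechanisms the installed version exhibits.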
Current thread:
- Update to http-wp-enum.nse Duarte Silva (Sep 18)
- Re: Update to http-wp-enum.nse David Fifield (Sep 30)