Re: Update to http-wp-enum.nse

[David Fifield <david () bamsoftware com>]

On Sun, Sep 18, 2011 at 07:41:04PM +0100, Duarte Silva wrote:
> Hi, 
>
> I was testing this script against a vulnerable Wordpress instalation and found 
> out that the script wasn't returning all the users that were available on that 
> instalation. I decided to investigate why this was happening and found out 
> that Wordpress, responds with a 200 HTTP status code when a user is found, but 
> doesn't has any posts. After looking at the returned web page source code, I 
> found out that it is possible to extract the user login name from the RSS feed 
> link. Something in the lines of
>
> > ... href="http://scanme.insecure.org/author/<user login>/feed/" />
>
> I have updated the script (the current version only checks for the redirect 
> that contains the user login) and got alot more results :P
>
> Also the original advisory [1] states the following:
>
> > WordPress version 3.1.3 fixes the redirection problem, but user names are
> > still been disclosed in the HTML code. No solution was provided for this
> > last problem.
>
> Checked against the latest version of Wordpress, and it is possible to obtain 
> the user login using the RSS feed link.
>
> Also updated the script to support blogs served over HTTPS.

Thanks, committed.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/