Full Disclosure: Re: WordPress User Account Information Leak / Secunia Advisory SA23621

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Re: WordPress User Account Information Leak / Secunia Advisory SA23621

From: Harry Metcalfe <harry () dxw com>
Date: Fri, 05 Jul 2013 13:57:19 +0100

There have been many heated debates within the community about thisissue. Unfortunately, I think a different outcome is unlikely.

WordPress's position is (I think) that usernames aren't secret, and thattherefore, username enumeration is a non-problem. I think this isextremely wrong, but it is what it is.

We solve this problem with a plugin that changes the login messages andensures that invalid usernames will prepopulate the form, as well asvalid ones.

We also look for [?|&]a=\d in the URL and remove any matches before therequest hits apache, so that attackers can't run through ?a=1, ?a=2 etclooking for redirects to author pages (which include usernames in the URL_.


Harry
http://security.dxw.com


On 04/07/13 14:22, Ivan Carlos wrote:


Can't you open a new bt about this issue?

Regards,

Em 04/07/2013 10:16, "Sven Kieske" <svenkieske () gmail com<mailto:svenkieske () gmail com>> escreveu:


    Hi,

    the mentioned User account Enumeration Weakness
    stated in Advisory https://secunia.com/advisories/23621/
    still exists in the actual version 3.5.2 .

    The corresponding trac entry for wordpress is closed as
    "wontfix":
    https://core.trac.wordpress.org/ticket/1129

    Why?

    Maybe, because the trac bug mentions just version 1.5 as affected?

    I can easily reproduce this in version 3.5.2 .

    Please fix this, this bug is 8 years old!

    Kind Regards

    Sven Kieske

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter:http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

WordPress User Account Information Leak / Secunia Advisory SA23621 Sven Kieske (Jul 04)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 \"><script>alert(1)</script> (Jul 04)
  - Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Tavis Ormandy (Jul 06)
- Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Ivan Carlos (Jul 04)
  - Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Harry Metcalfe (Jul 05)
  - Re: WordPress User Account Information Leak / Secunia Advisory SA23621 Harry Metcalfe (Jul 05)