Hi all!

BTW, WordPress XMLRPC pingback additional issues
http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

20.01.13, 0:03, Grandma Eubanks wrote:
> From a quick couple minute cursory check, I do not see how login checks
> differ from regular login and xmlrpc in regards to when a login limit
> plugin is used.
> Example is wordpress 3.5 and limit-login-attempts plugin.
>
> wordpress 3.5 (class-wp-xmlrpc-server.php):
> function login( $username, $password ) {
>     ...
>
>     $user = wp_authenticate($username, $password);
>
>     if (is_wp_error($user)) {
>         $this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) );
>         $this->error = apply_filters( 'xmlrpc_login_error', $this->error, $user );
>         return false;
>     }
>
>     wp_set_current_user( $user->ID );
>     return $user;
> }
>
> Wordpress 3.5 (wp-includes/pluggable.php):
> function wp_authenticate($username, $password) {
>     $username = sanitize_user($username);
>     $password = trim($password);
>
>     $user = apply_filters('authenticate', null, $username, $password);
>
>     ...
>
>     return $user;
> }
>
> limit-login-attempts (limit-login-attempts.php):
> add_action('wp_authenticate', 'limit_login_track_credentials', 10, 2);
>
> And the xmlrpc functions seem to check authentication before proceeding,
> hitting this function anyway. Of course, it seems XFF might be fun in the
> limit plugin, but that's another story.
>
> On Sat, Jan 19, 2013 at 1:10 PM, Henri Salo <henri@xxxxxxx> wrote:
>
>> On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
>>> And when WordPress developers turned it on in WordPress 3.5 they returned
>>> the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web sites
>>> were vulnerable, which had turned it on, then since WP 3.5 all web sites
>>> would be vulnerable again.
>>
>> First of all I am impressed that you MustLive have studied this issue so
>> much and given valuable information to this mailing list. Thank you. I'll
>> bet you can give a lot to the community if you start to find vulnerabilities
>> in important software and don't waste time on non-issues (not saying that
>> you haven't done this already at some level).
>>
>> Could you give me references where WordPress developers enabled XML-RPC
>> again? In my opinion this is not a wise decision. The interface should have
>> at least some kind of ACL enabled. I have no idea what is now allowed or
>> whether there is any possibility to configure the interface. Last time I
>> tested this interface it did need authentication to do some of the tasks.
>> I did not check all of them.
>>
>> - Henri Salo
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
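As an added example, not code from the thread, from WordPress core, or from the limit-login-attempts plugin: the thread's point is that the XML-RPC login() method and wp-login.php both go through wp_authenticate(), which runs the 'authenticate' filter and fires 'wp_login_failed' on error, so a throttle hooked at that level covers both entry points with one check. The xlt_ prefix, the thresholds and the transient keys are my assumptions.

```php
<?php
/*
Plugin Name: XML-RPC-aware login throttle (added example)
*/

const XLT_MAX_FAILURES   = 5;    // assumed threshold before lockout
const XLT_WINDOW_SECONDS = 900;  // assumed lockout window (15 minutes)

// Lockout key per (client address, username). REMOTE_ADDR is used rather than
// X-Forwarded-For, because the latter is set by the client unless a trusted
// proxy overwrites it (the "XFF might be fun" remark in the thread).
function xlt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'xlt_' . md5( $ip . '|' . strtolower( $username ) );
}

// wp_authenticate() fires 'wp_login_failed' for every failed attempt, whether
// the caller was wp-login.php or the XML-RPC login() method, so counting here
// sees both paths. Each failure restarts the window (set_transient resets TTL).
function xlt_record_failure( $username ) {
    $key   = xlt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, XLT_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'xlt_record_failure' );

// Returning a WP_Error from the 'authenticate' filter makes wp_authenticate()
// fail, so the XML-RPC login() method answers with its IXR_Error 403 exactly
// as it does for a wrong password; no separate XML-RPC hook is needed.
function xlt_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $count = (int) get_transient( xlt_key( $username ) );
    if ( $count >= XLT_MAX_FAILURES ) {
        return new WP_Error( 'xlt_locked',
            __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}
// Priority 30: must run after core's wp_authenticate_username_password (20),
// which would otherwise replace an earlier WP_Error with a WP_User on success.
add_filter( 'authenticate', 'xlt_check_lockout', 30, 3 );
```

A lockout keyed on address plus username limits the blast radius of a lockout compared with keying on username alone, at the cost of not stopping a single account being tried from many addresses.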