[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621

Subject: Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
From: Harry Metcalfe <harry@xxxxxxx>
Date: Thu, 04 Jul 2013 14:34:50 +0100

There have been many heated debates within the community about thisissue. Unfortunately, I think a different outcome is unlikely.

WordPress's position is (I think) that usernames aren't secret, and thattherefore, username enumeration is a non-problem. I think this isextremely wrong, but it is what it is.

We solve this problem with a plugin that changes the login messages andensures that invalid usernames will prepopulate the form, as well asvalid ones.

We also look for [?|&]a=\d in the URL and remove any matches before therequest hits apache, so that attackers can't run through ?a=1, ?a=2 etclooking for redirects to author pages (which include usernames in the URL_.

I've attached the relevant code, but it would need a little work inorder to run outside our infrastructure. It is a bit fragile, and wouldneed to be changed if WordPress's login errors changed - currently,there is not a more robust way to do it, as far as we know. Feedbackwelcome if anyone knows of a better way!


Harry
http://security.dxw.com


On 04/07/13 14:22, Ivan Carlos wrote:


Can't you open a new bt about this issue?

Regards,

Em 04/07/2013 10:16, "Sven Kieske" <svenkieske@xxxxxxxxx<mailto:svenkieske@xxxxxxxxx>> escreveu:


    Hi,

    the mentioned User account Enumeration Weakness
    stated in Advisory https://secunia.com/advisories/23621/
    still exists in the actual version 3.5.2 .

    The corresponding trac entry for wordpress is closed as
    "wontfix":
    https://core.trac.wordpress.org/ticket/1129

    Why?

    Maybe, because the trac bug mentions just version 1.5 as affected?

    I can easily reproduce this in version 3.5.2 .

    Please fix this, this bug is 8 years old!

    Kind Regards

    Sven Kieske

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: login_errors.class.php
Description: application/php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
  - From: Sven Kieske
- Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
  - From: Ivan Carlos

Prev by Date: [Full-disclosure] LSE Leading Security Experts GmbH - LSE-2013-07-03 - rsyslog ElasticSearch Plugin
Next by Date: [Full-disclosure] eResourcePlanner Authentication Bypass/SQL Injection
Previous by thread: Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
Next by thread: Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
Index(es):
- Date
- Thread