Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621
- From: Alex <fd@xxxxxxxx>
- Date: Mon, 08 Jul 2013 11:08:25 +0200
I am no HTML/JS expert, but WP is open source, so why not just post a
patch instead of building plugins and/or scripts to abuse it..
https://wordpress.org/download/source/ [7]
On 2013-07-05 15:30, Dan Ballance wrote:
> I don't *now* know if they see it as a security feature, but when you do the
> install you are asked to give the admin account a username. I always thought
> this was a nice additional security feature to make brute-forcing the site
> more challenging. It seems I was wrong!
>
> This is definitely in core BTW. I am slightly embarrassed to be admitting on
> full disclosure that I run wordpress for a couple of quick personal blogs
> (lol) - but I don't run any extensions and always keep up-to-date with the
> latest release. The real trouble lies in the 3rd party extensions (as with
> most applications).
>
> On 5 July 2013 13:34, adam <adam@xxxxxxxxx> wrote:
> That's a very valid point, Dan. I don't use WP personally, but the feature
> you're talking about, is that a core feature? Or is it offered by some
> [potentially 3rd party] addon? If it's core, and this is really how they're
> responding, that's mind boggling.
>
> Why wouldn't they simply offer it as a feature in future versions, even if
> they left it disabled? It's clearly doing harm by not being an option, and
> would do what exactly for it to be an option? Waste 3 minutes of a
> developer's time?
>
> On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje@xxxxxxxxx> wrote:
>
> It seems crazy to me that WordPress is sensible enough to allow you to change
> the default admin username to something other than "admin" - but then so
> simply exposes that information to anyone that fancies scanning. I ran wpscan
> last night across a couple of my installs and sure enough - my renamed admin
> accounts show straight up. What a waste of time! :-/
>
> On 5 July 2013 10:16, Maksymilian <max@xxxxxxx> wrote:
>
> The corresponding trac entry for wordpress is closed as
> "wontfix":
> https://core.trac.wordpress.org/ticket/1129 [1]
>
> Why?
>
> some people consider this as a security vulnerability but not everybody. eg
> drupal
>
> https://drupal.org/node/1004778 [2]
>
> In Drupal, it is the same problem. Using ctools, you can find usernames
>
> (by [Username])
>
> https://drupal.org/?q=ctools/autocomplete/node/1 [3]
>
> (by Amazon)
>
> PoC:
> ?q=ctools/autocomplete/node/[ID]
>
> In my opinion, this should be fixed. This idea may be very helpful for creating a
> botnet based on brute-forcing the CMS.
>
> Maksymilian Arciemowicz
> http://cxsecurity.com/ [4]
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5]
> Hosted and sponsored by Secunia - http://secunia.com/ [6]
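Added here as a defender-side illustration, not part of the thread or of WordPress, Drupal or ctools themselves: a small Python scanner that flags clients walking the ctools autocomplete endpoint quoted above with a run of distinct node IDs from one address. The access-log lines, IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2013:10:16:01 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:16:01 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 298 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 305 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/4 HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Jul/2013:10:17:30 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Jul/2013:10:18:05 +0000] "GET /node/1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Client IP, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The ctools autocomplete path from the thread, either as ?q=... or as a clean URL.
AUTOCOMPLETE_RE = re.compile(r'(?:\?q=|/)ctools/autocomplete/node/(?P<id>\d+)')


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_enumeration(log_text, threshold=3):
    """Return {ip: sorted node IDs} for clients that received a 200 for at least
    `threshold` distinct node IDs via the autocomplete endpoint (assumed threshold)."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        m = AUTOCOMPLETE_RE.search(path)
        if m and status == 200:  # only answered lookups matter for the enumeration count
            ids_by_ip[ip].add(int(m.group("id")))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(ids)} node IDs ({ids[0]}..{ids[-1]})")
```

The same pattern (one client, many sequential IDs against an endpoint that echoes back an account name) is what to look for in WordPress logs as well; only the path regex changes.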
Links:
------
[1] https://core.trac.wordpress.org/ticket/1129
[2] https://drupal.org/node/1004778
[3] https://drupal.org/?q=ctools/autocomplete/node/1
[4] http://cxsecurity.com/
[5] http://lists.grok.org.uk/full-disclosure-charter.html
[6] http://secunia.com/
[7] https://wordpress.org/download/source/