Date: Fri, 5 Jul 2013 14:30:25 +0100
From: Dan Ballance <tzewang.dorje@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: WordPress User Account Information Leak / Secunia Advisory SA23621

I don't *now* know if they see it as a security feature, but when you do
the install you are asked to give the admin account a username. I always
thought this was a nice additional security feature to make brute-forcing
the site more challenging. It seems I was wrong!

This is definitely in core BTW. I am slightly embarrassed to be admitting
on full disclosure that I run WordPress for a couple of quick personal
blogs (lol) - but I don't run any extensions and always keep up-to-date
with the latest release. The real trouble lies in the 3rd party extensions
(as with most applications).


On 5 July 2013 13:34, adam <adam@...sy.net> wrote:

> That's a very valid point, Dan. I don't use WP personally, but the feature
> you're talking about, is that a core feature? Or is it offered by some
> [potentially 3rd party] addon? If it's core, and this is really how they're
> responding, that's mind boggling.
>
> Why wouldn't they simply offer it as a feature in future versions, even if
> they left it disabled? It's clearly doing harm by not being an option, and
> would do what exactly for it to be an option? Waste 3 minutes of a
> developer's time?
>
>
> On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje@...il.com> wrote:
>
>> It seems crazy to me that WordPress is sensible enough to allow you to
>> change the default admin username to something other than "admin" - but
>> then so simply exposes that information to anyone that fancies scanning. I
>> ran wpscan last night across a couple of my installs and sure enough - my
>> renamed admin accounts show straight up. What a waste of time! :-/
>>
>>
>> On 5 July 2013 10:16, Maksymilian <max@...t.cx> wrote:
>>
>>>
>>>> The corresponding trac entry for wordpress is closed as
>>>> "wontfix":
>>>> https://core.trac.wordpress.org/ticket/1129
>>>>
>>>> Why?
>>>>
>>>>
>>> Some people consider this a security vulnerability, but not everybody,
>>> e.g. Drupal:
>>>
>>> https://drupal.org/node/1004778
>>>
>>> In Drupal, it is the same problem. Using ctools, you can find usernames
>>>
>>> (by [Username])
>>>
>>> https://drupal.org/?q=ctools/autocomplete/node/1
>>>
>>> (by Amazon)
>>>
>>> PoC:
>>> ?q=ctools/autocomplete/node/[ID]
>>>
>>> In my opinion, this should be fixed. This idea may be very helpful to
>>> create a botnet based on brute-forcing CMSs.
>>>
>>>
>>> Maksymilian Arciemowicz
>>> http://cxsecurity.com/
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>
>

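A defender-side check for the enumeration pattern Maksymilian describes in the quoted post (the ctools autocomplete PoC path): this is an added example, not code from the thread, that parses constructed access-log lines and flags any client that queries several distinct node IDs through `?q=ctools/autocomplete/node/<ID>` within a short window. The log lines, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2013:10:16:01 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 143 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 151 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 149 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:16:03 +0000] "GET /?q=ctools/autocomplete/node/4 HTTP/1.1" 200 150 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2013:10:20:11 +0000] "GET /?q=ctools/autocomplete/node/42 HTTP/1.1" 200 150 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2013:10:20:15 +0000] "GET /node/42 HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
AUTOCOMPLETE_RE = re.compile(r'(?:\?|&)q=ctools/autocomplete/node/(\d+)')

def parse_line(line):
    """Return (ip, timestamp, node_id) for an autocomplete request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    a = AUTOCOMPLETE_RE.search(path)
    if not a:
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, int(a.group(1))

def find_enumerators(log_text, min_ids=4, window=timedelta(seconds=60)):
    """Return {ip: sorted node ids} for clients that queried at least min_ids
    distinct node IDs through ctools autocomplete inside one `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, when, node_id = rec
            hits[ip].append((when, node_id))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Sliding window over this client's requests, counting distinct IDs.
        for i, (start, _) in enumerate(events):
            ids = {nid for when, nid in events[i:] if when - start <= window}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged
```

Tune `min_ids` and `window` to the site's normal autocomplete usage; a single lookup, as from 198.51.100.9 above, is not flagged.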