| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Jul 2013 07:34:48 -0500
From: adam <adam@...sy.net>
To: Dan Ballance <tzewang.dorje@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
Maksymilian <max@...t.cx>
Subject: Re: WordPress User Account Information Leak /
Secunia Advisory SA23621
That's a very valid point, Dan. I don't use WP personally, but the feature
you're talking about, is that a core feature? Or is it offered by some
[potentially 3rd party] addon? If it's core, and this is really how they're
responding, that's mind boggling.
Why wouldn't they simply offer it as a feature in future versions, even if
they left it disabled? It's clearly doing harm by not being an option, and
would do what exactly for it to be an option? Waste 3 minutes of a
developer's time?
On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje@...il.com>wrote:
> It seems crazy to me that WordPress is sensible enough to allow you to
> change the default admin username to something other than "admin" - but
> then so simply exposes that information to anyone that fancies scanning. I
> ran wpscan last night across a couple of my installs and sure enough - my
> renamed admin accounts show straight up. What a waste of time! :-/
>
>
> On 5 July 2013 10:16, Maksymilian <max@...t.cx> wrote:
>
>>
>>> The corresponding trac entry for wordpress is closed as
>>> "wontfix":
>>> https://core.trac.wordpress.org/ticket/1129
>>>
>>> Why?
>>>
>>>
>> some people consider this as a security vulnerability but not everybody.
>> eg drupal
>>
>> https://drupal.org/node/1004778
>>
>> In Drupal, is the same problem. Using ctools, you can get username
>> finding
>>
>> (by [Username])
>>
>> https://drupal.org/?q=ctools/autocomplete/node/1
>>
>> (by Amazon)
>>
>> PoC:
>> ?q=ctools/autocomplete/node/[ID]
>>
>> In my opinion, this should be fixed. This idea, may be very helpful to
>> create botnet based on brutal force CMS.
>>
>>
>> Maksymilian Arciemowicz
>> http://cxsecurity.com/
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists