lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4DDE4F52.9010503@zerial.org>
Date: Thu, 26 May 2011 09:02:10 -0400
From: "Zerial." <fernando@...ial.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Talsoft S.R.L. Security Advisory - WordPress
 User IDs and User Names Disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Veronica,

Also you can "enumerate" wordpress users using the wp-login.php. When
you enter a non-existent user wordpress returns "Invalid username" and
when you enter a valid user with any random/dummie password, wordpress
returns "Invalid Password". Now you can use brute-force to enumerate all
valid users using, for example, a name&username dictionary.

Try using https://wordpress.com/wp-login.php

Is a bug? Is a vulnerability? Is a feature?



Cheers,

Zerial
http://blog.zerial.org





On 05/26/11 00:46, Veronica wrote:
> -----------------------------------------------------------------------
> Talsoft S.R.L. Security Advisory
> WordPress User IDs and User Names Disclosure
> -----------------------------------------------------------------------
> 
> I. Advisory information
> Title: WordPress User IDs and User Names Disclosure
> Advisory Id: TALSOFT-2011-0526
> Advisory URL:
> http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
> Date published: 2011-05-26
> Vendors contacted: WordPress
> Author: Verónica Valeros
> 
> II. Vulnerability information
> Class: Insecure Direct Object References (CWE-715)
> Impact: Low
> Remotely Exploitable: Yes
> Locally Exploitable: Yes
> 
> III. Overview
> WordPress platforms use a parameter called ‘author’. This parameter
> accepts integer values and represents the ‘User ID’ of users in the
> web site. For example: http://www.example.com/?author=1
> The problems found are:
> 1. User ID values are generated consecutively.
> 2. When a valid User ID is found, WordPress redirects to a web page
> with the name of the author.
> 
> These problems trigger the following attack vectors:
> 1. The query response discloses whether the User ID is enabled.
> 2. The query response leaks (by redirection) the User Name
> corresponding with that User ID. (See update for version 3.1.3)
> 
> User IDs can be disabled, leaving holes within the consecutive
> numbers. Therefore, when an invalid User ID is sent, no redirection is
> done and no information is disclosed.
> 
> Also, the attack can be automated, sending multiple queries to extract
> valid User Names and User IDs from the vulnerable web sites.
> 
> 
> Update:
> In version 3.1.3 the redirection explained in the second attack vector
> is not done, but is still possible to find the User Name in the source
> code. Therefore, this version is still vulnerable.
> 
> IV. Affected versions
> This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2.
> Other
> versions were not tested and may be vulnerable.
> 
> V. Non affected versions
> Unknown.
> 
> VI. Proof of concept
> A Proof of Concept (PoC) is available at:
> wp-userdata-disclosure-PoC.py.tar.gz
> <http://www.talsoft.com.ar/weblog/wp-content/uploads/2011/05/wp-userdata-disclosure-PoC.py_.tar.gz>
> 
> VII. Solution
> WordPress version 3.1.3 fixes the redirection problem, but user names
> are still been disclosed in the HTML code. No solution was provided
> for this last problem.
> 
> VIII. Disclosure timeline
> + 2011-03-14:
>       - Vulnerability was identified.
> + 2011-05-11:
>       - WordPress security team was contacted.
> + 2011-05-12:
>       - WordPress confirmed the vulnerability.
> + 2011-05-25:
>       - WordPress released version 3.1.3, which included a fix for
> canonical redirection problem but did not included a fix for the
> source code problem.
>       - WordPress security team was informed that after the release of
> version 3.1.3 the vulnerability was still exploitable.
>       - WordPress team agreed to release the security advisory.
> + 2011-05-26:
>       - The advisory was released.
> 
> IX. Credits
> This vulnerability was discovered and reported by Verónica Valeros
> (veronicavaleros at talsoft.com.ar <http://talsoft.com.ar>)
> 
> X. Disclaimer
> The information provided in this document is for information purposes
> only. Talsoft S.R.L. accepts no responsibility for any damage caused
> by the use or misuse of this information. The content of this advisory
> may be distributed freely, provided that no fee is charged for this
> distribution and proper credit is given.
> 
> XI. About Talsoft S.R.L.
> Talsoft S.R.L is a growing company with the mission to provide
> solutions in the following areas:
> + Information Security
> + Technology administration
> + Open source solutions
> + Trainings and courses
> Talsoft S.R.L. is also involved in many information security research
> projects.
> 
> --
> Penetration Tester at TalSoft S.R.L.
> Email: veronicavaleros@...soft.com.ar
> <mailto:veronicavaleros@...soft.com.ar>
> www.talsoft.com.ar <http://www.talsoft.com.ar>
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3eT1IACgkQIP17Kywx9JSZ2ACfZlqLBPPG3C+feeSqe64n0ePw
6ecAn09kMCsQnJ4Vp5sMnamyeSOkyauD
=DCLD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ