| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANtF8NAaTJr1TwtwudWowv3JOqCwFM8fs4658Zh3S=z=jXoQFQ@mail.gmail.com>
Date: Sat, 19 Jan 2013 14:03:36 -0600
From: Grandma Eubanks <tborland1@...il.com>
To: Henri Salo <henri@...v.fi>
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: Wordpress Pingback Port Scanner
>>From a quick couple minute cursory check, I do not see how login checks
differ from regular login and xmlrpc in regards to when a login limit
plugin is used.
Example is wordpress 3.5 and limit-login-attempts plugin.
wordpress 3.5 (class-wp-xmlrpc-server.php):
function login( $username, $password ) {
...
$user = wp_authenticate($username, $password);
if (is_wp_error($user)) {
$this->error = new IXR_Error( 403, __( 'Incorrect username or
password.' ) );
$this->error = apply_filters( 'xmlrpc_login_error',
$this->error, $user );
return false;
}
wp_set_current_user( $user->ID );
return $user;
}
Wordpress 3.5 (wp-includes/pluggable.php):
function wp_authenticate($username, $password) {
$username = sanitize_user($username);
$password = trim($password);
$user = apply_filters('authenticate', null, $username, $password);
...
return $user;
}
limit-login-attempts (limit-login-attempts.php):
add_action('wp_authenticate', 'limit_login_track_credentials', 10, 2);
And the xmprpc functions seem to check authentication before proceeding,
hitting this function anyway. Of course, it seems XFF might be fun in the
limit plugin, but that's another story.
On Sat, Jan 19, 2013 at 1:10 PM, Henri Salo <henri@...v.fi> wrote:
> On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
> > And when WordPress developers turned in on in WordPress 3.5 they returned
> > the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web
> sites
> > were vulnerable, which had turned it on, then since WP 3.5 all web sites
> > would be vulnerable again.
>
> First of all I am impressed that you MustLive have studied this issue so
> much and given valuable information to this mailing list. Thank you. I'll
> bet you can give lot to the community if you start to find vulnerabilities
> from important software and don't waste time to non-issues (not saying that
> you haven't done this already in some level).
>
> Could you give me references where WordPress developers enabled XML-RPC
> again? In my opinion this is not wise decision. The interface should have
> at least some kind of ACL enabled. I have no idea what is now allowed or is
> there possibility to configure the interface. Last time I tested this
> interface it did need authentication to do some of the tasks. I did not
> check all of them.
>
> - Henri Salo
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists