lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 19 Jan 2013 14:03:36 -0600
From: Grandma Eubanks <>
To: Henri Salo <>
Cc:, MustLive <>
Subject: Re: Wordpress Pingback Port Scanner

>>From a quick couple minute cursory check, I do not see how login checks
differ from regular login and xmlrpc in regards to when a login limit
plugin is used.
Example is wordpress 3.5 and limit-login-attempts plugin.

wordpress 3.5 (class-wp-xmlrpc-server.php):
function login( $username, $password ) {

        $user = wp_authenticate($username, $password);

        if (is_wp_error($user)) {
            $this->error = new IXR_Error( 403, __( 'Incorrect username or
password.' ) );
            $this->error = apply_filters( 'xmlrpc_login_error',
$this->error, $user );
            return false;

        wp_set_current_user( $user->ID );
        return $user;

Wordpress 3.5 (wp-includes/pluggable.php):
function wp_authenticate($username, $password) {
        $username = sanitize_user($username);
        $password = trim($password);

        $user = apply_filters('authenticate', null, $username, $password);


        return $user;

limit-login-attempts (limit-login-attempts.php):
    add_action('wp_authenticate', 'limit_login_track_credentials', 10, 2);

And the xmprpc functions seem to check authentication before proceeding,
hitting this function anyway. Of course, it seems XFF might be fun in the
limit plugin, but that's another story.

On Sat, Jan 19, 2013 at 1:10 PM, Henri Salo <> wrote:

> On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
> > And when WordPress developers turned in on in WordPress 3.5 they returned
> > the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web
> sites
> > were vulnerable, which had turned it on, then since WP 3.5 all web sites
> > would be vulnerable again.
> First of all I am impressed that you MustLive have studied this issue so
> much and given valuable information to this mailing list. Thank you. I'll
> bet you can give lot to the community if you start to find vulnerabilities
> from important software and don't waste time to non-issues (not saying that
> you haven't done this already in some level).
> Could you give me references where WordPress developers enabled XML-RPC
> again? In my opinion this is not wise decision. The interface should have
> at least some kind of ACL enabled. I have no idea what is now allowed or is
> there possibility to configure the interface. Last time I tested this
> interface it did need authentication to do some of the tasks. I did not
> check all of them.
> - Henri Salo
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -

Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists