lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 21 Jan 2013 13:59:01 +0400
From: Vladimir Vorontsov <vladimir.vorontsov@...ec.ru>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Wordpress Pingback Port Scanner

Hi all!

BTW,


      WordPress XMLRPC pingback additional issues


http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

20.01.13, 0:03, Grandma Eubanks ?????:
> >From a quick couple minute cursory check, I do not see how login checks
> differ from regular login and xmlrpc in regards to when a login limit
> plugin is used.
> Example is wordpress 3.5 and limit-login-attempts plugin.
>
> wordpress 3.5 (class-wp-xmlrpc-server.php):
> function login( $username, $password ) {
>         ...
>
>         $user = wp_authenticate($username, $password);
>
>         if (is_wp_error($user)) {
>             $this->error = new IXR_Error( 403, __( 'Incorrect username or
> password.' ) );
>             $this->error = apply_filters( 'xmlrpc_login_error',
> $this->error, $user );
>             return false;
>         }
>
>         wp_set_current_user( $user->ID );
>         return $user;
>     }
>
>
> Wordpress 3.5 (wp-includes/pluggable.php):
> function wp_authenticate($username, $password) {
>         $username = sanitize_user($username);
>         $password = trim($password);
>
>         $user = apply_filters('authenticate', null, $username, $password);
>
>        ...
>
>         return $user;
> }
>
>
> limit-login-attempts (limit-login-attempts.php):
>     add_action('wp_authenticate', 'limit_login_track_credentials', 10, 2);
>
> And the xmprpc functions seem to check authentication before proceeding,
> hitting this function anyway. Of course, it seems XFF might be fun in the
> limit plugin, but that's another story.
>
> On Sat, Jan 19, 2013 at 1:10 PM, Henri Salo <henri@...v.fi> wrote:
>
>> On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
>>> And when WordPress developers turned in on in WordPress 3.5 they returned
>>> the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web
>> sites
>>> were vulnerable, which had turned it on, then since WP 3.5 all web sites
>>> would be vulnerable again.
>> First of all I am impressed that you MustLive have studied this issue so
>> much and given valuable information to this mailing list. Thank you. I'll
>> bet you can give lot to the community if you start to find vulnerabilities
>> from important software and don't waste time to non-issues (not saying that
>> you haven't done this already in some level).
>>
>> Could you give me references where WordPress developers enabled XML-RPC
>> again? In my opinion this is not wise decision. The interface should have
>> at least some kind of ACL enabled. I have no idea what is now allowed or is
>> there possibility to configure the interface. Last time I tested this
>> interface it did need authentication to do some of the tasks. I did not
>> check all of them.
>>
>> - Henri Salo
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (244 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists