lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAExQ7u+pAWxH_rgKrN2mwLjd_sBbZRPrn+-bFbj5Dx3x+R3VUA@mail.gmail.com>
Date: Fri, 5 Jul 2013 07:34:48 -0500
From: adam <adam@...sy.net>
To: Dan Ballance <tzewang.dorje@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
 Maksymilian <max@...t.cx>
Subject: Re: WordPress User Account Information Leak /
 Secunia Advisory SA23621

That's a very valid point, Dan. I don't use WP personally, but the feature
you're talking about, is that a core feature? Or is it offered by some
[potentially 3rd party] addon? If it's core, and this is really how they're
responding, that's mind boggling.

Why wouldn't they simply offer it as a feature in future versions, even if
they left it disabled? It's clearly doing harm by not being an option, and
would do what exactly for it to be an option? Waste 3 minutes of a
developer's time?

On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje@...il.com>wrote:

> It seems crazy to me that WordPress is sensible enough to allow you to
> change the default admin username to something other than "admin" - but
> then so simply exposes that information to anyone that fancies scanning. I
> ran wpscan last night across a couple of my installs and sure enough - my
> renamed admin accounts show straight up. What a waste of time! :-/
>
>
> On 5 July 2013 10:16, Maksymilian <max@...t.cx> wrote:
>
>>
>>> The corresponding trac entry for wordpress is closed as
>>> "wontfix":
>>> https://core.trac.wordpress.org/ticket/1129
>>>
>>> Why?
>>>
>>>
>> some people consider this as a security vulnerability but not everybody.
>> eg drupal
>>
>> https://drupal.org/node/1004778
>>
>> In Drupal, is the same problem. Using ctools, you can get username
>> finding
>>
>> (by [Username])
>>
>> https://drupal.org/?q=ctools/autocomplete/node/1
>>
>> (by Amazon)
>>
>> PoC:
>> ?q=ctools/autocomplete/node/[ID]
>>
>> In my opinion, this should be fixed. This idea, may be very helpful to
>> create botnet based on brutal force CMS.
>>
>>
>> Maksymilian Arciemowicz
>> http://cxsecurity.com/
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ