Date: Mon, 08 Jul 2013 11:08:25 +0200
From: Alex <fd@...oo.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: WordPress User Account Information Leak / Secunia Advisory SA23621

I am no HTML/JS expert, but WP is open source, so why not just post a
patch instead of building plugins and/or scripts to abuse it?

https://wordpress.org/download/source/ [7] 

On 2013-07-05 15:30, Dan Ballance wrote:

> I don't *now* know if they see it as a security feature, but when you do the install you are asked to give the admin account a username. I always thought this was a nice additional security feature to make brute-forcing the site more challenging. It seems I was wrong! 
> 
> This is definitely in core BTW. I am slightly embarrassed to be admitting on full disclosure that I run wordpress for a couple of quick personal blogs (lol) - but I don't run any extensions and always keep up-to-date with the latest release. The real trouble lies in the 3rd party extensions (as with most applications). 
> 
> On 5 July 2013 13:34, adam <adam@...sy.net> wrote:
> That's a very valid point, Dan. I don't use WP personally, but the feature you're talking about, is that a core feature? Or is it offered by some [potentially 3rd party] addon? If it's core, and this is really how they're responding, that's mind boggling. 
> 
> Why wouldn't they simply offer it as a feature in future versions, even if they left it disabled? It's clearly doing harm by not being an option, and would do what exactly for it to be an option? Waste 3 minutes of a developer's time? 
> 
> On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje@...il.com> wrote:
> 
> It seems crazy to me that WordPress is sensible enough to allow you to change the default admin username to something other than "admin" - but then so simply exposes that information to anyone that fancies scanning. I ran wpscan last night across a couple of my installs and sure enough - my renamed admin accounts show straight up. What a waste of time! :-/ 
> 
> On 5 July 2013 10:16, Maksymilian <max@...t.cx> wrote: 
> 
> The corresponding trac entry for wordpress is closed as
> "wontfix":
> https://core.trac.wordpress.org/ticket/1129 [1]
> 
> Why?
> 
> Some people consider this a security vulnerability, but not everybody. E.g. Drupal:
> 
> https://drupal.org/node/1004778 [2] 
> 
> In Drupal, it is the same problem. Using ctools, you can find usernames
> 
> (by [Username]) 
> 
> https://drupal.org/?q=ctools/autocomplete/node/1 [3] 
> 
> (by Amazon) 
> 
> PoC: 
> ?q=ctools/autocomplete/node/[ID] 
> 
> In my opinion, this should be fixed. This idea may be very helpful to create a botnet based on brute-forcing CMSs.
> 
> Maksymilian Arciemowicz 
> http://cxsecurity.com/ [4] 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5]
> Hosted and sponsored by Secunia - http://secunia.com/ [6]

Links:
------
[1] https://core.trac.wordpress.org/ticket/1129
[2] https://drupal.org/node/1004778
[3] https://drupal.org/?q=ctools/autocomplete/node/1
[4] http://cxsecurity.com/
[5] http://lists.grok.org.uk/full-disclosure-charter.html
[6] http://secunia.com/
[7] https://wordpress.org/download/source/
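A defender-side example, added here and not part of the thread: a Python check that scans web-server access logs for a single source walking node IDs on the ctools autocomplete path Maksymilian quotes, which is what a brute-force botnet building a username list would look like in the logs. The log lines, IP addresses, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not real traffic); one source
# walks node IDs 1..5 in a few seconds, another makes a single lookup.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2013:10:16:01 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 91 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2013:10:16:02 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2013:10:16:03 +0000] "GET /?q=ctools/autocomplete/node/4 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2013:10:16:03 +0000] "GET /?q=ctools/autocomplete/node/5 HTTP/1.1" 200 89 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2013:10:20:11 +0000] "GET /?q=ctools/autocomplete/node/12 HTTP/1.1" 200 92 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2013:10:25:40 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The autocomplete path from the thread, with the numeric node ID captured.
ENUM_RE = re.compile(r'ctools/autocomplete/node/(?P<id>\d+)')

def find_enumerators(log_text, threshold=5, window_seconds=60):
    """Return {ip: sorted node IDs} for every source that queried at least
    `threshold` distinct node IDs via the autocomplete path inside any
    `window_seconds` span. Non-matching lines are ignored."""
    hits = defaultdict(list)  # ip -> [(timestamp, node_id)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = ENUM_RE.search(m['path'])
        if not e:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        hits[m['ip']].append((ts, int(e['id'])))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = {node_id for _, node_id in events[start:end + 1]}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # the 203.0.113.5 walk is flagged
```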
