lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CABgXHn-nhLXNK93VgDmKyhOhYugLESxUq5navtdbmqoi4T_HvQ@mail.gmail.com>
Date: Mon, 8 Jul 2013 10:15:54 +0100
From: Dan Ballance <tzewang.dorje@...il.com>
To: Alex <fd@...oo.de>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: WordPress User Account Information Leak /
 Secunia Advisory SA23621

Hi Alex,

I think you may have misread my post. I said I am pretty sure the username
changing is a feature of the core installation. I don't run any Wordpress
plugins unless thoroughly security audited and most of the time I am just
looking for a quick blog so I can publish something I want to say, so I
just tend to run the core site and live with its limitations.


On 8 July 2013 10:08, Alex <fd@...oo.de> wrote:

> **
>
> I am no HTML/JS expert, but WP is open source, so why not just post a
> patch instead of building plugins and/or scripts to abuse it..
>
>
>
> https://wordpress.org/download/source/
>
>
>
>
>
> Am 2013-07-05 15:30, schrieb Dan Ballance:
>
> I don't *now* know if they see it as a security feature, but when you do
> the install you are asked to give the admin account a username. I always
> thought this was a nice additional security feature to make brute-forcing
> the site more challenging. It seems I was wrong!
>
> This is definitely in core BTW. I am slightly embarrassed to be admitting
> on full disclosure that I run wordpress for a couple of quick personal
> blogs (lol) - but I don't run any extensions and always keep up-to-date
> with the latest release. The real trouble lies in the 3rd party extensions
> (as with most applications).
>
>
> On 5 July 2013 13:34, adam <adam@...sy.net> wrote:
>
>> That's a very valid point, Dan. I don't use WP personally, but the
>> feature you're talking about, is that a core feature? Or is it offered by
>> some [potentially 3rd party] addon? If it's core, and this is really how
>> they're responding, that's mind boggling.
>>
>> Why wouldn't they simply offer it as a feature in future versions, even
>> if they left it disabled? It's clearly doing harm by not being an option,
>> and would do what exactly for it to be an option? Waste 3 minutes of a
>> developer's time?
>>
>>
>> On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <tzewang.dorje@...il.com>wrote:
>>
>>> It seems crazy to me that WordPress is sensible enough to allow you to
>>> change the default admin username to something other than "admin" - but
>>> then so simply exposes that information to anyone that fancies scanning. I
>>> ran wpscan last night across a couple of my installs and sure enough - my
>>> renamed admin accounts show straight up. What a waste of time! :-/
>>>
>>>
>>>  On 5 July 2013 10:16, Maksymilian <max@...t.cx> wrote:
>>>
>>>>
>>>>> The corresponding trac entry for wordpress is closed as
>>>>> "wontfix":
>>>>> https://core.trac.wordpress.org/ticket/1129
>>>>>
>>>>> Why?
>>>>>
>>>>>
>>>>  some people consider this as a security vulnerability but not
>>>> everybody. eg drupal
>>>>
>>>> https://drupal.org/node/1004778
>>>>
>>>> In Drupal, is the same problem. Using ctools, you can get username
>>>> finding
>>>>
>>>> (by [Username])
>>>>
>>>> https://drupal.org/?q=ctools/autocomplete/node/1
>>>>
>>>> (by Amazon)
>>>>
>>>> PoC:
>>>> ?q=ctools/autocomplete/node/[ID]
>>>>
>>>> In my opinion, this should be fixed. This idea, may be very helpful to
>>>> create botnet based on brutal force CMS.
>>>>
>>>>
>>>> Maksymilian Arciemowicz
>>>> http://cxsecurity.com/
>>>>
>>>>   _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ