Ticket #3708 (closed defect: wontfix)

Opened 2 years ago

Last modified 2 years ago

wp_login is too "friendly" -- Information disclosure

Reported by: charleshooper
Assigned to: anonymous
Priority: low
Milestone:
Component: Security
Version: 2.2
Severity: trivial
Keywords: security login has-patch
Cc:

Description

While it's not exactly the end of the world, if you attempt to log in with an invalid username the error message returned is actually "Invalid username." Obviously it works as intended; however, I consider this information disclosure and feel that invalid usernames and passwords should both return the same error message.
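The change the reporter proposes, shown as an added example rather than the attached wp_login.diff or WordPress's own code: a login check whose unknown-username and wrong-password paths return one identical message, with a dummy hash verification on the unknown-username path so the two failures also cost about the same time. The user table, passwords and function names are constructed for this example; the "before" function reproduces only the behaviour the ticket describes (a distinct "Invalid username." message).

```php
<?php
// Added example (not WordPress code and not the attached patch).
// Shows the username-revealing check described in the ticket next to a
// variant that returns the same error for both failure cases.

declare(strict_types=1);

// Constructed sample user table; a real application reads this from its
// database. Hashes are computed at startup so the example is self-contained.
function sample_users(): array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            'bob'   => password_hash('hunter2', PASSWORD_DEFAULT),
        ];
    }
    return $users;
}

// "Before": the behaviour the ticket reports. An unknown username gets its
// own message, so a failed attempt tells the caller whether the name exists.
function authenticate_verbose(string $username, string $password): ?string {
    $stored = sample_users()[$username] ?? null;
    if ($stored === null) {
        return 'Invalid username.';
    }
    if (!password_verify($password, $stored)) {
        return 'Incorrect password.';
    }
    return null;
}

// Hash of a random throwaway password. It is verified whenever the username
// is unknown so that path does roughly the same work as a real password check.
function dummy_hash(): string {
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

const LOGIN_ERROR = 'Invalid username or password.';

// "After": both failure branches return the single generic message.
// Returns null on success, otherwise LOGIN_ERROR.
function authenticate_uniform(string $username, string $password): ?string {
    $stored = sample_users()[$username] ?? null;

    if ($stored === null) {
        // Unknown user: still run a hash verification so the response time
        // does not reveal which branch was taken, then fail generically.
        password_verify($password, dummy_hash());
        return LOGIN_ERROR;
    }

    if (!password_verify($password, $stored)) {
        return LOGIN_ERROR;
    }
    return null;
}

// Demonstration over a valid login, a wrong password and an unknown user.
$attempts = [
    ['alice',  'correct horse battery staple'],
    ['alice',  'wrong'],
    ['nobody', 'wrong'],
];

foreach ($attempts as [$u, $p]) {
    $before = authenticate_verbose($u, $p) ?? 'login ok';
    $after  = authenticate_uniform($u, $p) ?? 'login ok';
    printf("%-7s before: %-20s after: %s\n", $u, $before, $after);
}
```

Run it with the PHP CLI; the "before" column differs between the two failure rows while the "after" column does not. As the later comment on this ticket points out, a uniform message closes only this one channel: where usernames are exposed elsewhere (author archive URLs, a well-known default account), the change improves the login form without making the names secret.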

Attachments

wp_login.diff (0.9 kB) - added by charleshooper on 01/29/07 09:08:46.
"Fix" for ticket #3708

Change History

01/29/07 09:08:46 changed by charleshooper

  • attachment wp_login.diff added.

"Fix" for ticket #3708

01/29/07 09:12:04 changed by charleshooper

  • keywords changed from security login error to security login has-patch.

01/29/07 10:20:21 changed by charleshooper

  • version set to 2.2.
  • milestone changed from 2.3 to 2.2.

01/29/07 16:31:02 changed by markjaquith

There are other ways to verify user names. You can reverse engineer them from the author archive URLs (e.g. http://example.com/author/mark/). I believe the consensus last time this came up was that it was trivial to figure out the user names anyway, and that it is much more user-friendly to tell them when they messed up their username, and not the password. Also, "admin" is created on install, and can't be changed using WordPress itself, so there's no hiding that.

01/29/07 23:31:57 changed by charleshooper

  • status changed from new to closed.
  • resolution set to wontfix.

Good point about the author archives, I hadn't really thought about that. Guess I was just excited about submitting my first patch for WordPress, even IF it was only to change some error messages.

But now that I've been reminded that there are many other ways to get valid WordPress usernames (that are all quite a bit easier than brute forcing the login) it just doesn't make sense to leave this ticket hanging.

01/30/07 21:46:41 changed by foolswisdom

  • milestone deleted.