Ticket #4290 (closed defect: wontfix)

Opened 1 year ago

Last modified 1 year ago

Username information leak on wp-login.php

Reported by: jimp79
Assigned to: anonymous
Priority: normal
Milestone:
Component: Administration
Version:
Severity: major
Keywords: security
Cc:

Description

The wp-login.php leaks valid usernames due to the fact that it gives different error messages if the entered user exists or not.

If the username exists the error message is: ERROR: Incorrect password. If the username does not exist then the error message is: ERROR: Invalid username.

This vulnerability could be leveraged by an attacker to assist in performing a brute force or dictionary attack against the login form.

Attachments

leak.JPG (22.1 kB) - added by jimp79 on 05/18/07 21:36:34.

Change History

05/18/07 21:36:34 changed by jimp79

  • attachment leak.JPG added.

05/18/07 22:44:08 changed by filosofo

  • status changed from new to closed.
  • resolution set to wontfix.
  • milestone deleted.

jimp79, see the explanation here about why this isn't a bug: #3708

If you still think it's a problem, you might consider bringing it up on the wp-hackers mail list.
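
The behaviour reported in this ticket next to a uniform-response variant, as an added example that is not part of the ticket and is not WordPress code. The user store, the function names `login_leaky` and `login_uniform`, the sample credentials and the combined error text are all assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress code. The user store and credentials are constructed.
$users = [
    'admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Behaviour described in the ticket: the message reveals whether the username exists.
function login_leaky(array $users, string $name, string $pass): string
{
    if (!isset($users[$name])) {
        return 'ERROR: Invalid username.';
    }
    if (!password_verify($pass, $users[$name])) {
        return 'ERROR: Incorrect password.';
    }
    return 'OK';
}

// Uniform variant: one message for both failure cases, and a hash is always
// verified so an unknown username does not return noticeably faster.
function login_uniform(array $users, string $name, string $pass): string
{
    static $dummy = null;
    if ($dummy === null) {
        // Placeholder hash, checked only when the username is unknown.
        $dummy = password_hash('placeholder-never-a-real-password', PASSWORD_DEFAULT);
    }
    $known = isset($users[$name]);
    $ok = password_verify($pass, $known ? $users[$name] : $dummy);
    if ($known && $ok) {
        return 'OK';
    }
    // Constructed message text; identical for both failure cases.
    return 'ERROR: Invalid username or incorrect password.';
}

// Constructed attempts: existing user with wrong password, unknown user, valid login.
$attempts = [
    ['admin', 'wrong'],
    ['nosuchuser', 'wrong'],
    ['admin', 'correct horse battery staple'],
];
foreach ($attempts as [$name, $pass]) {
    printf("%-11s leaky: %-27s uniform: %s\n", $name,
        login_leaky($users, $name, $pass), login_uniform($users, $name, $pass));
}
```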