Ticket #5301 (closed defect: wontfix)

Opened 8 months ago

Last modified 5 months ago

WordPress can "leak" if a username is valid

Reported by: Viper007Bond
Assigned to: anonymous
Priority: normal
Milestone:
Component: Administration
Version: 2.3.1
Severity: normal
Keywords: has-patch, security
Cc:

Description

When you enter a valid username but an invalid password, WordPress lets you know the username is valid by complaining that only the password is invalid.

Attached patch combines the two error messages so that if either the username or the password is wrong, it says the same error message which gives less away.

Makes it harder for a hacker to gain access to a blog.

Attachments

5301.patch (1.0 kB) - added by Viper007Bond on 11/01/07 05:17:12.
5301.2.patch (1.0 kB) - added by Viper007Bond on 11/01/07 05:18:51.
Invalid -> Incorrect
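
The behaviour the ticket describes and the change its patch proposes, side by side, with a check that the two failure responses are identical. This is an added example, not the attached patch or WordPress code; the function names, message strings and user store are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample user store (hypothetical; not WordPress's user table or API).
$users = ['admin' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

// Before: separate messages tell the caller whether the username exists.
function login_leaky(array $users, string $user, string $pass): string
{
    if (!isset($users[$user])) {
        return 'ERROR: Invalid username.';
    }
    if (!password_verify($pass, $users[$user])) {
        return 'ERROR: Incorrect password.';
    }
    return 'OK';
}

// After: one combined message for either failure, as the ticket proposes.
function login_uniform(array $users, string $user, string $pass): string
{
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return 'ERROR: Incorrect username or password.';
    }
    return 'OK';
}

// Regression check for a login handler: the response to an unknown username
// must be identical to the response to a known username with a wrong password.
function failures_match(callable $login, array $users): bool
{
    $known   = array_key_first($users);
    $unknown = 'no-such-user-' . bin2hex(random_bytes(4));
    return $login($users, $unknown, 'wrong-password')
        === $login($users, $known, 'wrong-password');
}

foreach (['login_leaky', 'login_uniform'] as $fn) {
    printf("%-14s failure responses identical: %s\n",
        $fn, failures_match($fn, $users) ? 'yes' : 'no');
}
```

A combined message closes only this one channel; as the comments in the change history note, a username may still be discoverable by other means.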

Change History

11/01/07 05:17:12 changed by Viper007Bond

  • attachment 5301.patch added.

11/01/07 05:18:51 changed by Viper007Bond

  • attachment 5301.2.patch added.

Invalid -> Incorrect

11/01/07 05:21:56 changed by Viper007Bond

11/01/07 05:43:24 changed by foolswisdom

  • version changed from 2.3 to 2.3.1.
  • milestone changed from 2.3.2 to 2.5.

False security? #3708, #4290.

11/01/07 05:55:09 changed by Viper007Bond

Son of a... I knew I shoulda searched. That's what I get for being lazy.

As mentioned in #3708, a username can still be found via alternate methods in some cases.

But yeah, it doesn't stop things in the end, but why provide a username validator when we don't have to? This patch obviously won't stop a determined hacker, but just may make their life slightly harder in some cases.

11/01/07 14:04:04 changed by dougal

  • keywords changed from has-patch to has-patch, security.

Thanks for putting this ticket in. I was going to do it myself, but just hadn't found the time yet.

Disclosing whether the username or password was incorrect like this is a definite security no-no. This is oooold security-fu. Security-by-obscurity? In a sense. But when you give somebody a definite part of the key, it just makes the rest that much easier. Any security knowledge base out there will tell you not to give this type of info away. Look back over the old changelogs for SSH sometime.

11/01/07 16:26:22 changed by foolswisdom

The loss of usability has no benefit if this information can be attained trivially other ways.

02/19/08 13:49:34 changed by hempsworth

  • status changed from new to closed.
  • resolution set to wontfix.

I'm going to close this following the discussion on wp-hackers, and the reasons given in the previous tickets which followed the same theme.

#3708
#4290

02/19/08 17:12:30 changed by lloydbudd

  • milestone deleted.