On 26 May, a researcher (Veronica Valero of Talsoft S.R.L.) posted a security advisory about a Direct Object Reference issue affecting WordPress blogs.
A reply posted by “Zerial” on the mailing list described another WordPress vulnerability.
A simple test on the login box reveals whether a username exists on a WordPress blog: the test just compares the error message returned when attempting to log in.
For example, on the following website (http://www.noktec.be/wp-admin/), when trying to log in with the (fake) username “test”:
The message returned when the account was active was:
Error: The password you entered for the username test is incorrect. Lost your password ?
The message returned when the account was not active was:
Error: Invalid username. Lost your password ?
This vulnerability was already reported as OSVDB 55713 in 2009 but is still present.
A patch was released by “EthicalHack3r”:
wp-includes/user.php:91
Change:
return new WP_Error( 'invalid_username', sprintf( __( 'ERROR: Invalid username. <a title="Password Lost and Found" href="%s">Lost your password</a>?' ), site_url( 'wp-login.php?action=lostpassword', 'login' ) ) );
To:
return new WP_Error( 'invalid_username', sprintf( __( 'ERROR: Invalid username and/or password.' ) ) );
and change
wp-includes/user.php:111
Change:
return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: The password you entered for the username %1$s is incorrect. Lost your password?' ), $username ) ); // $username fills %1$s; closing of the truncated line restored
To:
return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: Invalid username and/or password.' ) ) );
(source: EthicalHack3r)
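To make the login-box test and the effect of the patch concrete, here is an added Python model (not code from the post, from WordPress or from EthicalHack3r) of the two login paths before and after the patch, together with the regression check a site owner can run against any login function: if the message for a wrong password on a real account differs from the message for a nonexistent account, the form is an enumeration oracle. The user store and hashing are constructed for illustration and are not WordPress's own.

```python
import hashlib
import hmac

# Constructed sample user store: username -> sha256(password). Illustrative only;
# WordPress uses its own password hashing, which is irrelevant to the oracle.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def _password_ok(username: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS[username], digest)


def login_before_patch(username: str, password: str) -> tuple[str, str]:
    """Mirrors the pre-patch wp-includes/user.php: two distinguishable messages."""
    if username not in USERS:
        return ("invalid_username", "ERROR: Invalid username. Lost your password?")
    if not _password_ok(username, password):
        return ("incorrect_password",
                f"ERROR: The password you entered for the username {username} "
                "is incorrect. Lost your password?")
    return ("ok", "")


def login_after_patch(username: str, password: str) -> tuple[str, str]:
    """Mirrors EthicalHack3r's patch: both failure paths show the same text.
    Note the WP_Error code still differs; only the user-visible message is unified,
    so anything that exposes the code rather than the message would still leak."""
    generic = "ERROR: Invalid username and/or password."
    if username not in USERS:
        return ("invalid_username", generic)
    if not _password_ok(username, password):
        return ("incorrect_password", generic)
    return ("ok", "")


def leaks_username_existence(login_fn, known_user: str = "admin",
                             unknown_user: str = "no_such_user_xyz") -> bool:
    """Regression check: compare the failure message for an existing account with a
    wrong password against the message for an account that does not exist. Any
    difference lets a client infer which usernames are valid."""
    _, msg_known = login_fn(known_user, "definitely-wrong-password")
    _, msg_unknown = login_fn(unknown_user, "definitely-wrong-password")
    return msg_known != msg_unknown


if __name__ == "__main__":
    print("before patch leaks:", leaks_username_existence(login_before_patch))  # True
    print("after patch leaks: ", leaks_username_existence(login_after_patch))   # False
```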
And that’s it.