Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 4 years ago

#20235 closed enhancement (wontfix)

the_author_posts_link() generates links with username instead of display name - this is insecure

Reported by: asdfasd567
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.1
Component: Security
Keywords:
Focuses:
Cc:

Description

Any instance of using username instead of display name is susceptible to the same vulnerabilities that leaving your username as "admin" is.

Suggest changing this, starting with the most common functions like the_author_posts_link() so the links generated aren't http://foo.com/author/MySecretUsername

http://wordpress.org/extend/plugins/display-name-author-permalink aims to fix this, but it throws an error on activation.

Possible to make this part of core?

Change History (14)

#1 @wycks
12 years ago

  • Type changed from defect (bug) to enhancement

I would like to second this or have some discussion. Exploit scanners now crawl usernames to facilitate brute force attacks and the_author_posts_link() does not provide a way to use "display name".

#2 @zodiac1978
12 years ago

  • Cc zodiac1978 added

+1 on this.

For example: My username is "foo" and I have set "Display name publicly as": "bar".

Then I expect that my username "foo" is not displayed anymore. Not in comment classes and not in author URLs. It has to be "bar" in these cases.

This plugin provides a way to rename the author slug:
http://wordpress.org/extend/plugins/edit-author-slug/

But the core problem remains.

#4 @asdfasd567
12 years ago

  • Cc csimmonswork@… added

How to unsub from email updates?

#5 @nacin
12 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

#6 @zodiac1978
12 years ago

All bug reports which are reporting things like this are closed and set to "wontfix".

Could anyone please tell a newbie why you won't fix this? Much appreciated! Thanks in advance.

Many security posts, plugins, etc. are suggesting to change the "admin" username to something else. If I rename it, I should protect the new name and just use the nickname in public.

If the reason is just: There are other possibilities to get the username (e.g. example.com/?author=1), why don't we close all of it?

Last edited 12 years ago by zodiac1978

#7 @dd32
12 years ago

The Display Name field is used to display on the front end of the site, i.e. beside "This post was written by: Some Awesome Person". That can be changed at any time. The username is used within the URL as it doesn't change - http://example.com/author/dd32 is always me, regardless of whether my Display name is 'Dion', 'dd32', or 'Awesome Blogger'.

It has been stated in previous tickets, "leaking" of the username is not deemed a security issue by WordPress.org, as it's a conscious decision to use the username as the slug in the URL. If you don't like this default behaviour, there are plugins in the repository which allow you to change the URL format to your preferred layout.

Instead of attempting to provide security by forcing people to guess your username (which, btw, is incredibly easy in most cases, as people are not that inventive) you should be focusing on improving passwords, and/or considering 2 factor authentication (i.e. Google Authenticator) if your passwords are known to be insecure/weak.
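One way to get the outcome the ticket asks for while keeping dd32's stability argument intact, as an added example that is not part of the ticket, the plugins it mentions, or WordPress core. Author permalinks (/author/<slug>/, and the ?author=N redirect raised in comment #6) are built from user_nicename, which core defaults to the sanitized login name; this mu-plugin assigns a random nicename once, at registration, so the URL stays stable but no longer echoes the login. The dsl_ function names are assumptions; the hooks and API calls are real WordPress ones.

```php
<?php
/**
 * Plugin Name: Decouple author slug from login name (added example)
 *
 * Added example, not code from the ticket or from WordPress core.
 * Runs once per new account: replaces the login-derived user_nicename
 * with a random slug. Existing users are left alone on purpose, since
 * changing an established nicename breaks the author URL dd32 wants stable.
 */

// Build a random author slug that no existing user already owns.
// Hypothetical helper name; get_user_by( 'slug', ... ) looks up by user_nicename.
function dsl_unused_author_slug() {
    do {
        // wp_generate_password( $length, $special_chars = false ) yields [A-Za-z0-9] only.
        $slug = 'a' . strtolower( wp_generate_password( 10, false ) );
    } while ( get_user_by( 'slug', $slug ) );
    return $slug;
}

// Fires right after wp_insert_user() has created the account.
function dsl_assign_author_slug( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    // Only act while the nicename still mirrors the login name, so an
    // explicitly chosen slug (e.g. via the edit-author-slug plugin) is kept.
    if ( $user->user_nicename !== sanitize_title( $user->user_login ) ) {
        return;
    }
    // wp_update_user() fires profile_update, not user_register, so no recursion.
    wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => dsl_unused_author_slug(),
    ) );
}
add_action( 'user_register', 'dsl_assign_author_slug' );
```

Drop the file into wp-content/mu-plugins/ so it is active before any registration flow runs; the display name remains whatever the user sets, and the login name is still needed for authentication, so password strength and 2-factor auth remain the actual controls.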

#8 @zodiac1978
12 years ago

Thanks dd32!

Do you have a link to these previous tickets where this issue has been discussed? Would be great!

#9 in reply to #8 @asdfasd567
12 years ago

  • Cc csimmonswork@… removed

Replying to zodiac1978:

Thanks dd32!

Do you have a link to these previous tickets where this issue has been discussed? Would be great!

He literally just discussed it.

#10 in reply to #9 @zodiac1978
12 years ago

Replying to asdfasd567:

Replying to zodiac1978:

Thanks dd32!

Do you have a link to these previous tickets where this issue has been discussed? Would be great!

He literally just discussed it.

Indeed. Just thought it couldn't be a bad idea to read the whole story/arguments. Just want to learn ...

#11 @SergeyBiryukov
11 years ago

#23043 was marked as a duplicate.

#12 in reply to #8 @SergeyBiryukov
10 years ago

Replying to zodiac1978:

Do you have a link to these previous tickets where this issue has been discussed? Would be great!

See comment:3.

This ticket was mentioned in IRC in #wordpress-dev by johnbillion.
10 years ago

This ticket was mentioned in Slack in #forums by clorith.
4 years ago
