Make WordPress Core

Opened 2 years ago

Closed 20 months ago

Last modified 5 weeks ago

#20235 closed enhancement (wontfix)

the_author_posts_link() generates links with username instead of display name - this is insecure

Reported by: asdfasd567
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.1
Component: Security
Keywords:
Focuses:
Cc:

Description

Any instance of using username instead of display name is susceptible to the same vulnerabilities that leaving your username as "admin" is.

Suggest changing this, starting with the most common functions like the_author_posts_link() so the links generated aren't http://foo.com/author/MySecretUsername

http://wordpress.org/extend/plugins/display-name-author-permalink aims to fix this, but it throws an error on activation.

Possible to make this part of core?

Change History (13)

comment:1 wycks, 2 years ago

  • Type changed from defect (bug) to enhancement

I would like to second this or have some discussion. Exploit scanners now crawl usernames to facilitate brute force attacks and the_author_posts_link() does not provide a way to use "display name".

comment:2 zodiac1978, 20 months ago

  • Cc zodiac1978 added

+1 on this.

For example: My username is "foo" and I have set "Display name publicly as": "bar"

Then I expect that my username "foo" is not displayed anymore. Not in comment classes and not in author urls. It has to be "bar" in these cases.

This plugin provides a way to rename the author slug:
http://wordpress.org/extend/plugins/edit-author-slug/

But the core problem remains.

comment:4 asdfasd567, 20 months ago

  • Cc csimmonswork@… added

How to unsub from email updates?

comment:5 nacin, 20 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

comment:6 zodiac1978, 20 months ago

All bug reports which report things like this are closed and set to "wontfix".

Could anyone please tell a newbie why you won't fix this? Much appreciated! Thanks in advance.

Many security posts, plugins, etc. are suggesting to change the "admin" username to something else. If I rename it, I should protect the new name and just use the nickname in public.

If the reason is just: There are other possibilities to get the username (e.g. example.com/?author=1), why don't we close all of it?

Last edited 20 months ago by zodiac1978 (previous) (diff)

comment:7 dd32, 20 months ago

The Display Name field is used to display on the front end of the site, i.e. beside "This post was written by: Some Awesome Person". That can be changed at any time. The username is used within the URL as it doesn't change: http://example.com/author/dd32 is always me, regardless of whether my Display name is 'Dion', 'dd32', or 'Awesome Blogger'.

It has been stated in previous tickets that "leaking" of the username is not deemed a security issue by WordPress.org, as it's a conscious decision to use the username as the slug in the URL. If you don't like this default behaviour, there are plugins in the repository which allow you to change the URL format to your preferred layout.

Instead of attempting to provide security by forcing people to guess your username (which, btw, is incredibly easy in most cases, as people are not that inventive), you should be focusing on improving passwords, and/or considering two-factor authentication (i.e. Google Authenticator) if your passwords are known to be insecure/weak.
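
For readers who do want the URL layout changed rather than left at the default dd32 describes, the following must-use plugin is an added example for this ticket's discussion; it is not code from WordPress core, from the plugins linked above, or from any participant. It covers the three disclosure points raised in the thread: author permalinks built from the login name (the description and comment:1), the `comment-author-<nicename>` and `author-<nicename>` classes (comment:2), and the `?author=N` redirect (comment:6). Hook names and signatures are core's; the plugin name, the choice of the numeric user ID as the URL slug, and the redirect-to-home behaviour are this example's own assumptions. It assumes pretty permalinks are enabled.

```php
<?php
/**
 * Plugin Name: Author URLs without login names (added example)
 *
 * Drop-in for wp-content/mu-plugins/. Added example for ticket #20235, not
 * code from WordPress core or from the ticket's participants. Hook names
 * and signatures are core's; the /author/<ID>/ layout is this example's
 * assumption. Requires pretty permalinks (Settings > Permalinks).
 */

// 1. Build author archive URLs from the numeric user ID. Like the login name
//    it never changes (dd32's stability requirement), but it is not half of a
//    credential. user_nicename, which core uses here, defaults to the login.
add_filter( 'author_link', function ( $link, $author_id ) {
	if ( ! get_option( 'permalink_structure' ) ) {
		return $link; // plain ?author=N permalinks: leave core's URL alone
	}
	return home_url( user_trailingslashit( 'author/' . (int) $author_id ) );
}, 10, 2 );

// 2. Resolve /author/<ID>/ and its paged form to the author archive. Flush
//    the rewrite rules once after installing (Settings > Permalinks > Save).
add_action( 'init', function () {
	add_rewrite_rule(
		'author/([0-9]+)/page/?([0-9]{1,})/?$',
		'index.php?author=$matches[1]&paged=$matches[2]',
		'top'
	);
	add_rewrite_rule( 'author/([0-9]+)/?$', 'index.php?author=$matches[1]', 'top' );
} );

// 3. Close both enumeration paths before redirect_canonical() (hooked on
//    template_redirect at priority 10) can answer them: ?author=N, which
//    normally 301s to /author/<user_nicename>/, and the legacy
//    /author/<nicename>/ form, whose 200-vs-404 confirms a login name.
//    Internally rewritten /author/<ID>/ requests set the `author` query var,
//    not $_GET['author'], so they pass through untouched.
add_action( 'template_redirect', function () {
	if ( ! is_author() ) {
		return;
	}
	$raw_id  = isset( $_GET['author'] )
		&& is_string( $_GET['author'] )
		&& preg_match( '/^\d+$/', $_GET['author'] );
	$by_slug = '' !== get_query_var( 'author_name' );
	if ( $raw_id || $by_slug ) {
		wp_safe_redirect( home_url( '/' ), 302 );
		exit;
	}
}, 0 );

// 4. body_class() emits author-<nicename> on author archives and
//    comment_class() emits comment-author-<nicename> for registered
//    commenters. Drop those, but keep the numeric author-<ID> class.
$hide_nicename_classes = function ( $classes ) {
	return array_values( array_filter( $classes, function ( $class ) {
		return ! preg_match( '/^(comment-)?author-(?!\d+$)/', $class );
	} ) );
};
add_filter( 'body_class', $hide_nicename_classes );
add_filter( 'comment_class', $hide_nicename_classes );
```

Two caveats before installing this on a live site. Any `/author/<login>/` link already hardcoded in old posts or external pages now bounces to the front page, so check incoming referrers first. And, as dd32 says, hiding the login name only removes a convenience for the attacker; the feed and REST endpoints a given WordPress version exposes, and above all password strength and two-factor authentication, still decide whether a brute-force attempt succeeds.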

comment:8 follow-ups: zodiac1978, 20 months ago

Thanks dd32!

Do you have a link to this previous tickets where this issue has been discussed? Would be great!

comment:9 in reply to: ↑ 8; follow-up: asdfasd567, 20 months ago

  • Cc csimmonswork@… removed

Replying to zodiac1978:

Thanks dd32!

Do you have a link to this previous tickets where this issue has been discussed? Would be great!

He literally just discussed it.

comment:10 in reply to: ↑ 9: zodiac1978, 20 months ago

Replying to asdfasd567:

Replying to zodiac1978:

Thanks dd32!

Do you have a link to this previous tickets where this issue has been discussed? Would be great!

He literally just discussed it.

Indeed. Just thought it couldn't be a bad idea to read the whole story/arguments. Just want to learn ...

comment:11 SergeyBiryukov, 16 months ago

#23043 was marked as a duplicate.

comment:12 in reply to: ↑ 8: SergeyBiryukov, 7 months ago

Replying to zodiac1978:

Do you have a link to this previous tickets where this issue has been discussed? Would be great!

See comment:3.

comment:13 ircbot, 5 weeks ago

This ticket was mentioned in IRC in #wordpress-dev by johnbillion. View the logs.