Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#33056 closed defect (bug) (invalid)

Identification user login with scan tools

Reported by: aszone
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.3
Component: Security
Keywords:
Focuses:
Cc:

Description

A vulnerability exists in the core of WordPress that allows scanner tools to identify the user login through the function "body_class".

Attachments (1)

wp-includes_user_php.diff (1.1 KB) - added by aszone 5 years ago.
Correction to hide the user login, allowing you to show the field "display_name" chosen by the user


Change History (3)

@aszone
5 years ago

Correction to hide the user login, allowing you to show the field "display_name" chosen by the user

#1 follow-up: @chriscct7
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

In order to post this ticket, you first had to check a box saying you weren't reporting a security vulnerability. You then had to re-affirm this before you were able to submit this form. Next time, please follow the instructions to email potential security issues to security@{the WordPress url} instead of posting here (this ensures security issues don't become public before we can fix them).

This doesn't appear to be a valid security concern.

Usernames are not considered sensitive information. WordPress core even uses them to generate author page urls.

For more information see the following Tavern article or one of the dozens of related Trac tickets on this subject (I've included a couple below; you'll find many more by searching Trac).

http://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
#3708
#4290
#5301
#5388
#14644

Even if there was a security issue with this, which to re-iterate there is not, the patch provided couldn't be used. As pointed out indirectly in #29873, the username and user_nicename are guaranteed to be unique. The display name is not guaranteed to be unique (there can be multiple John Smiths on a single site, for example). Therefore, the patch would cause issues on sites where there are multiple authors with the same display name, thus causing them to share the same author url.

Last edited 5 years ago by chriscct7

#2 in reply to: ↑ 1 @aszone
5 years ago

Pretty good!
Thank you for the answer.

But with the completion of studies, an easily available user login provides a supplement for a future attempt to brute force the administrative environment.

About the patch, there is no duplication because the user "sanitize_user" checks and creates a variation, adding -1 or -2, if you have a repeated user.

Replying to chriscct7:

In order to post this ticket, you first had to check a box saying you weren't reporting a security vulnerability. You then had to re-affirm this before you were able to submit this form. Next time, please follow the instructions to email potential security issues to security@{the WordPress url} instead of posting here (this ensures security issues don't become public before we can fix them).

This doesn't appear to be a valid security concern.

Usernames are not considered sensitive information. WordPress core even uses them to generate author page urls.

For more information see the following Tavern article or one of the dozens of related Trac tickets on this subject (I've included a couple below; you'll find many more by searching Trac).

http://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
#3708
#4290
#5301
#5388
#14644

Even if there was a security issue with this, which to re-iterate there is not, the patch provided couldn't be used. As pointed out indirectly in #29873, the username and user_nicename are guaranteed to be unique. The display name is not guaranteed to be unique (there can be multiple John Smiths on a single site, for example). Therefore, the patch would cause issues on sites where there are multiple authors with the same display name, thus causing them to share the same author url.
