#33056 closed defect (bug) (invalid)
Identification user login with scan tools
| Reported by: | aszone | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.3 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
A vulnerability exists in the core of WordPress that allows scanner tools to identify the user login through the function "body_class".
Attachments (1)
Change History (3)
#1 @chriscct7, 9 years ago (follow-up: ↓ 2)
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
In order to post this ticket, you first had to check a box saying you weren't reporting a security vulnerability. You then had to re-affirm this before you were able to submit this form. Next time, please follow the instructions to email potential security issues to security@{the WordPress url}.
This doesn't appear to be a valid security concern. Usernames are not considered sensitive information. WordPress core even uses them to generate author page URLs.
For more information see the following Tavern article or one of the dozens of related Trac tickets on this subject (a sample of which is below).
http://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
#3708
#4290
#5301
#5388
#14644
Even if there were a security issue with this, which to re-iterate there is not, the patch provided couldn't be used: as pointed out indirectly in #29873, the username and user_nicename are guaranteed to be unique. The display name is not guaranteed to be unique (there can be multiple John Smiths on a single site, for example). Therefore, the patch would cause issues on sites where there are multiple authors with the same display name, thus causing them to share the same author URL.
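As an added illustration of the trade-off described in this comment (this is not code from the ticket, from the attached patch, or from WordPress core): a theme or plugin snippet that drops only the `author-{user_nicename}` body class on author archives while keeping the numeric `author-{ID}` class, which is unique and needs no display-name fallback. It assumes that `get_body_class()` emits both classes on author archives via `sanitize_html_class( $author->user_nicename, $author->ID )`. Note that, exactly as the comment says, the author archive URL itself still contains the nicename, so a change like this trims one place the value is echoed without hiding it.

```php
<?php
/**
 * Added example, not WordPress core code and not the ticket's patch.
 *
 * Removes the "author-{user_nicename}" class that core adds to <body>
 * on author archives, keeping the numeric "author-{ID}" class so that
 * themes still get a unique, collision-free hook for styling.
 *
 * Assumption: core adds both classes on author archives, building the
 * nicename one with sanitize_html_class( nicename, ID ). The author
 * archive URL still carries the nicename, so this is cosmetic only.
 */
add_filter( 'body_class', function ( array $classes ) {
	// Only author archives carry author-* body classes.
	if ( ! is_author() ) {
		return $classes;
	}

	$author = get_queried_object();
	if ( ! ( $author instanceof WP_User ) ) {
		return $classes;
	}

	$id_class       = 'author-' . $author->ID;
	$nicename_class = 'author-' . sanitize_html_class( $author->user_nicename, $author->ID );

	// Edge case: a purely numeric nicename is rejected by sanitize_html_class(),
	// which then falls back to the ID. Both classes would be identical, and
	// removing "the nicename one" would strip the ID class too. Keep it.
	if ( $nicename_class === $id_class ) {
		return $classes;
	}

	// Filter out the nicename-derived class, leaving everything else intact.
	return array_values( array_filter(
		$classes,
		function ( $class ) use ( $nicename_class ) {
			return $class !== $nicename_class;
		}
	) );
} );
```

Drop the snippet into a small must-use plugin or the theme's `functions.php`; it touches nothing but the class list passed through the `body_class` filter, so author permalinks, feeds, and the REST API are unaffected, which is precisely why it does not change the risk picture this comment describes.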
#2 in reply to: ↑ 1, 9 years ago
Pretty good!
Thank you for the answer.
But, to complete the analysis, an easily available user login provides a supplement for a future brute-force attempt against the administrative environment.
About the patch: there is no duplication, because the function "sanitize_user" checks and creates a variation, adding -1 or -2 if there is a repeated user.
Replying to chriscct7:
> In order to post this ticket, you first had to check a box saying you weren't reporting a security vulnerability. You then had to re-affirm this before you were able to submit this form. Next time, please follow the instructions to email potential security issues to security@{the WordPress url} instead of posting here (this ensures security issues don't become public before we can fix them).
> This doesn't appear to be a valid security concern.
> Usernames are not considered sensitive information. WordPress core even uses them to generate author page URLs.
> For more information see the following Tavern article or one of the dozens of related Trac tickets on this subject (I've included a couple below; you'll find many more by searching Trac).
> http://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
> #3708
> #4290
> #5301
> #5388
> #14644
> Even if there were a security issue with this, which to re-iterate there is not, the patch provided couldn't be used: as pointed out indirectly in #29873, the username and user_nicename are guaranteed to be unique. The display name is not guaranteed to be unique (there can be multiple John Smiths on a single site, for example). Therefore, the patch would cause issues on sites where there are multiple authors with the same display name, thus causing them to share the same author URL.
Correction to hide the user login, allowing you to show the field "display_name" chosen by the user