Opened 17 years ago
Closed 17 years ago
#4290 closed defect (bug) (wontfix)
Username information leak on wp-login.php
Reported by: | jimp79 | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | |
Component: | Administration | Keywords: | security |
Focuses: | Cc: |
Description
The wp-login.php leaks valid usernames due to the fact that it gives different error messages if the entered user exists or not.
If the username exists the error message is: ERROR: Incorrect password.
If the username does not exist then the error message is: ERROR: Invalid username.
This vulnerability could be leveraged by an attacker to assist in performing a brute force or dictionary attack against the login form.
Attachments (1)
Change History (2)
jimp79, see the explanation here about why this isn't a bug: #3708
If you still think it's a problem, you might consider bringing it up on the wp-hackers mail list.
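The difference described in this ticket, modelled in stand-alone PHP as an added example (not WordPress code and not from the ticket or its replies): `login_verbose` reproduces the two messages quoted in the description, `login_uniform` returns one message for every failure. The user store, function names and the uniform message text are assumptions; the dummy-hash step goes beyond the ticket and keeps both failure paths doing the same work.

```php
<?php
// Constructed user store for the example; not WordPress data.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Mirrors the behaviour reported in the ticket: the message depends on
// whether the username exists.
function login_verbose(array $users, string $user, string $pass): string {
    if (!isset($users[$user])) {
        return 'ERROR: Invalid username.';
    }
    if (!password_verify($pass, $users[$user])) {
        return 'ERROR: Incorrect password.';
    }
    return 'OK';
}

// Uniform variant: one message for every failure. For unknown users a
// dummy hash is verified so both failure paths run password_verify().
function login_uniform(array $users, string $user, string $pass): string {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $hash = $users[$user] ?? $dummy;
    // password_verify() is evaluated first, so it always runs; isset()
    // then rejects a match against the dummy hash.
    $ok = password_verify($pass, $hash) && isset($users[$user]);
    return $ok ? 'OK' : 'ERROR: Invalid username or password.';
}

// Self-check for a site owner's own handler: does a failed login for a
// known account read differently from one for a made-up account?
function leaks_usernames(callable $login, array $users): bool {
    $known   = $login($users, 'admin', 'wrong-password');
    $unknown = $login($users, 'no-such-user', 'wrong-password');
    return $known !== $unknown;
}

var_dump(leaks_usernames('login_verbose', $users));
var_dump(leaks_usernames('login_uniform', $users));
var_dump(login_uniform($users, 'admin', 'correct horse'));
```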