WordPress.org

Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#4290 closed defect (bug) (wontfix)

Username information leak on wp-login.php

Reported by: jimp79
Owned by:
Milestone:
Priority: normal
Severity: major
Version:
Component: Administration
Keywords: security
Focuses:
Cc:
PR Number:

Description

The wp-login.php leaks valid usernames due to the fact that it gives different error messages if the entered user exists or not.

If the username exists the error message is: ERROR: Incorrect password.
If the username does not exist then the error message is: ERROR: Invalid username.

This vulnerability could be leveraged by an attacker to assist in performing a brute force or dictionary attack against the login form.

Attachments (1)

leak.JPG (22.1 KB) - added by jimp79 12 years ago.
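
A site owner who wants the login form to return one message for both cases described above can do so from a small plugin. This is an added example, not code from the ticket or from WordPress core; it assumes a WordPress release that provides the `authenticate` filter and the `invalid_username`, `invalid_email` and `incorrect_password` error codes, and the plugin name and `ule_` identifiers are hypothetical.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (hypothetical name, added example)
 */

// Error codes that reveal whether the account exists. Assumption: these are
// the codes core attaches to the two messages quoted in the ticket, plus the
// e-mail login variant. Adjust the list if your release uses different codes.
const ULE_REVEALING_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

/**
 * Runs late on the 'authenticate' filter, after core's own credential
 * checks, and replaces any revealing WP_Error with one generic failure.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier callbacks.
 * @param string                $username Submitted login name (unused).
 * @param string                $password Submitted password (unused).
 * @return WP_User|WP_Error|null
 */
function ule_uniform_login_error( $user, $username, $password ) {
	if ( ! is_wp_error( $user ) ) {
		// A WP_User (successful login) or null: leave untouched.
		return $user;
	}

	if ( ! array_intersect( ULE_REVEALING_CODES, $user->get_error_codes() ) ) {
		// Errors such as an empty field say nothing about account existence.
		return $user;
	}

	// Same code and same text whether or not the username exists.
	return new WP_Error(
		'authentication_failed',
		__( '<strong>ERROR</strong>: Invalid username or password.' )
	);
}
// Priority 100 so this runs after the callbacks that produce the errors.
add_filter( 'authenticate', 'ule_uniform_login_error', 100, 3 );
```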


Change History (2)

@jimp79
12 years ago

#1 @filosofo
12 years ago

  • Milestone 2.3 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

jimp79, see the explanation here about why this isn't a bug: #3708

If you still think it's a problem, you might consider bringing it up on the wp-hackers mail list.
