
Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#5301 closed defect (bug) (wontfix)

WordPress can "leak" if a username is valid

Reported by: Viper007Bond
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.3.1
Component: Administration
Keywords: has-patch, security
Focuses:
Cc:

Description

When you enter a valid username but an invalid password, WordPress lets you know the username is valid by complaining that only the password is invalid.

Attached patch combines the two error messages so that if either the username or the password is wrong, it says the same error message which gives less away.

Makes it harder for a hacker to gain access to a blog.
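The two login behaviours the description contrasts, as an added PHP example that is not the attached patch or WordPress code; the user store, function names and message strings are assumptions, and the dummy-hash step is a further caveat the ticket itself does not raise.

```php
<?php
// Added example, not the attached patch or WordPress code. The user store,
// function names and message strings are assumptions for illustration.

// Constructed sample user store: username => password hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Behaviour reported in the ticket: a different message for each failure,
// so the response text alone says whether the username exists.
function login_leaky(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'Invalid username.';
    }
    if (!password_verify($password, $users[$username])) {
        return 'Incorrect password.';
    }
    return 'OK';
}

// Behaviour proposed by the patch: one message for either failure.
// Additional caveat (not in the ticket): run password_verify() against a
// dummy hash when the user is unknown, so the unknown-user path costs about
// the same as the wrong-password path and response time does not separate
// the two cases the way the message no longer does.
function login_uniform(array $users, string $username, string $password): string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummy;
    $ok    = password_verify($password, $hash);
    return ($known && $ok) ? 'OK' : 'Invalid username or password.';
}

// Unknown user and wrong password: different strings from the leaky check,
// the same string from the uniform one.
foreach ([['alice', 'wrong'], ['bob', 'wrong'], ['alice', 'correct horse battery staple']] as [$u, $p]) {
    printf("%-6s leaky: %-20s uniform: %s\n", $u, login_leaky($users, $u, $p), login_uniform($users, $u, $p));
}
```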

Attachments (2)

5301.patch (1007 bytes) - added by Viper007Bond 6 years ago.
5301.2.patch (1011 bytes) - added by Viper007Bond 6 years ago. Invalid -> Incorrect


Change History (9)

Viper007Bond 6 years ago

Viper007Bond 6 years ago

Invalid -> Incorrect

comment:2 foolswisdom 6 years ago

  • Milestone changed from 2.3.2 to 2.5
  • Version changed from 2.3 to 2.3.1

False security? #3708, #4290.

comment:3 Viper007Bond 6 years ago

Son of a... I knew I shoulda searched. That's what I get for being lazy.

As mentioned in #3708, a username can still be found via alternate methods in some cases.

But yeah, it doesn't stop things in the end, but why provide a username validator when we don't have to? This patch obviously won't stop a determined hacker, but just may make their life slightly harder in some cases.

comment:4 dougal 6 years ago

  • Keywords security added

Thanks for putting this ticket in. I was going to do it myself, but just hadn't found the time yet.

Disclosing whether the username or password was incorrect like this is a definite security no-no. This is oooold security-fu. Security-by-obscurity? In a sense. But when you give somebody a definite part of the key, it just makes the rest that much easier. Any security knowledge base out there will tell you not to give this type of info away. Look back over the old changelogs for SSH sometime.

comment:5 foolswisdom 6 years ago

The loss of usability has no benefit if this information can be attained trivially other ways.

comment:6 hempsworth 6 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

I'm going to close this following the discussion on wp-hackers, and the reasons given in the previous tickets which followed the same theme.

#3708
#4290

comment:7 lloydbudd 6 years ago

  • Milestone 2.6 deleted