#5301 closed defect (bug) (wontfix)
WordPress can "leak" if a username is valid
| Reported by: | Viper007Bond | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.3.1 |
| Component: | Administration | Keywords: | has-patch, security |
| Focuses: | | Cc: | |
Description
When you enter a valid username but an invalid password, WordPress lets you know the username is valid by complaining that only the password is invalid.
Attached patch combines the two error messages so that if either the username or the password is wrong, it says the same error message which gives less away.
Makes it harder for a hacker to gain access to a blog.
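The two behaviours the ticket contrasts, written out as an added PHP example (not WordPress code and not the attached patch): `leaky_login()` returns a different message depending on which half of the credential failed, so it doubles as a username oracle; `hardened_login()` returns one message for both failures, as the patch proposes. The user table, password hashes and function names are constructed for illustration. The hardened version also verifies against a dummy hash when the username is unknown; that is an assumption added here, beyond the ticket's message-text change, so that a response-time difference between "user not found" and "wrong password" does not give the same information away through timing.

```php
<?php
// Added example, not WordPress code. Models the two login-error behaviours
// the ticket discusses using an in-memory user table (constructed sample data).

// Constructed sample users: username => bcrypt hash from password_hash().
$users = [
    'admin'  => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'editor' => password_hash('hunter2', PASSWORD_DEFAULT),
];

// Behaviour the ticket reports: the error text says which half failed.
function leaky_login(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'ERROR: Invalid username.';    // reveals the username does not exist
    }
    if (!password_verify($password, $users[$username])) {
        return 'ERROR: Incorrect password.';  // reveals the username does exist
    }
    return 'OK';
}

// Behaviour the patch proposes: one message for both failures.
// Additionally (an assumption beyond the ticket) password_verify() is run
// against a dummy hash when the user is unknown, so both failure paths do
// the same amount of work and cannot be told apart by response time.
function hardened_login(array $users, string $username, string $password): string
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummyHash;
    // The isset() guard ensures a guess matching the dummy password never logs in.
    $valid = password_verify($password, $hash) && $known;
    return $valid ? 'OK' : 'ERROR: Invalid username or incorrect password.';
}

// Demonstration: the leaky version distinguishes a real account from a
// nonexistent one on a wrong password; the hardened version does not.
foreach (['admin', 'nosuchuser'] as $name) {
    printf("%-12s leaky: %-28s hardened: %s\n",
        $name,
        leaky_login($users, $name, 'wrong-password'),
        hardened_login($users, $name, 'wrong-password'));
}
printf("admin + correct password, hardened: %s\n",
    hardened_login($users, 'admin', 'correct horse battery staple'));
```

Run with `php example.php`. The two `wrong-password` lines differ under `leaky_login()` ("Invalid username" versus "Incorrect password") and are identical under `hardened_login()`, which is the whole point of the patch; whether that is worth the usability cost when usernames can be discovered elsewhere is the question the later comments argue over.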
Attachments (2)
Change History (10)
#3 (17 years ago)
Son of a... I knew I shoulda searched. That's what I get for being lazy.
As mentioned in #3708, a username can still be found via alternate methods in some cases.
But yeah, it doesn't stop things in the end, but why provide a username validator when we don't have to? This patch obviously won't stop a determined hacker, but just may make their life slightly harder in some cases.
#4 (17 years ago)
- Keywords security added
Thanks for putting this ticket in. I was going to do it myself, but just hadn't found the time yet.
Disclosing whether the username or password was incorrect like this is a definite security no-no. This is oooold security-fu. Security-by-obscurity? In a sense. But when you give somebody a definite part of the key, it just makes the rest that much easier. Any security knowledge base out there will tell you not to give this type of info away. Look back over the old changelogs for SSH sometime.
#5 (17 years ago)
The loss of usability has no benefit if this information can be attained trivially other ways.
Invalid -> Incorrect