Make WordPress Core

Opened 17 years ago

Closed 17 years ago

Last modified 4 years ago

#5301 closed defect (bug) (wontfix)

WordPress can "leak" if a username is valid

Reported by: Viper007Bond
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.3.1
Component: Administration
Keywords: has-patch, security
Focuses:
Cc:

Description

When you enter a valid username but an invalid password, WordPress lets you know the username is valid by complaining that only the password is invalid.

Attached patch combines the two error messages so that if either the username or the password is wrong, it says the same error message which gives less away.

Makes it harder for a hacker to gain access to a blog.
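As an added illustration, not WordPress's own code or the attached patch, the following minimal PHP login check shows both behaviours side by side: the distinct-message form the ticket describes, where the response reveals whether the username exists, and a single-message form that also runs the password check for unknown usernames so that an early return does not reintroduce the leak through timing. The user table, the password, and the message strings are constructed for this example.

```php
<?php
// Added example (not WordPress code): a login check that reveals which
// credential failed, beside one that returns a single message for both.

// Constructed user table: username => bcrypt hash of a constructed password.
// The hash is generated at runtime so the script is self-contained.
function build_users(): array {
    return [
        'alice' => password_hash('correct horse', PASSWORD_BCRYPT),
    ];
}

// Behaviour described in the ticket: two different messages let a caller
// confirm that a username exists before ever guessing a password.
function login_distinct(array $users, string $user, string $pass): string {
    if (!isset($users[$user])) {
        return 'ERROR: Invalid username.';
    }
    if (!password_verify($pass, $users[$user])) {
        return 'ERROR: Incorrect password.';
    }
    return 'OK';
}

// Hardened form: one message for either failure. The hash check always runs,
// against a placeholder hash when the user is unknown, so an unknown username
// does not answer noticeably faster than a wrong password.
function login_uniform(array $users, string $user, string $pass): string {
    // Placeholder hash for unknown users (constructed; computed once).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused-placeholder', PASSWORD_BCRYPT);
    }
    $hash = $users[$user] ?? $dummy;
    // Verify first, then confirm the user exists, so both paths do equal work.
    $ok = password_verify($pass, $hash) && isset($users[$user]);
    return $ok ? 'OK' : 'ERROR: Invalid username or incorrect password.';
}

$users = build_users();
$attempts = [
    ['alice', 'wrong'],         // valid user, wrong password
    ['bob',   'wrong'],         // unknown user
    ['alice', 'correct horse'], // valid credentials
];
foreach ($attempts as [$u, $p]) {
    printf("%-6s distinct: %-28s uniform: %s\n",
        $u, login_distinct($users, $u, $p), login_uniform($users, $u, $p));
}
```

Run with `php example.php`. The first two attempts produce different messages from `login_distinct` and the same message from `login_uniform`. As the later comments on this ticket point out, this only closes one channel: where the username can be learned elsewhere (the situation discussed in #3708), a uniform login message alone gains little.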

Attachments (2)

5301.patch (1007 bytes) - added by Viper007Bond 17 years ago.
5301.2.patch (1011 bytes) - added by Viper007Bond 17 years ago. Invalid -> Incorrect


Change History (10)

@Viper007Bond
17 years ago

@Viper007Bond
17 years ago

Invalid -> Incorrect

#2 @foolswisdom
17 years ago

  • Milestone changed from 2.3.2 to 2.5
  • Version changed from 2.3 to 2.3.1

False security? #3708, #4290.

#3 @Viper007Bond
17 years ago

Son of a... I knew I shoulda searched. That's what I get for being lazy.

As mentioned in #3708, a username can still be found via alternate methods in some cases.

But yeah, it doesn't stop things in the end, but why provide a username validator when we don't have to? This patch obviously won't stop a determined hacker, but just may make their life slightly harder in some cases.

#4 @dougal
17 years ago

  • Keywords security added

Thanks for putting this ticket in. I was going to do it myself, but just hadn't found the time yet.

Disclosing whether the username or password was incorrect like this is a definite security no-no. This is oooold security-fu. Security-by-obscurity? In a sense. But when you give somebody a definite part of the key, it just makes the rest that much easier. Any security knowledge base out there will tell you not to give this type of info away. Look back over the old changelogs for SSH sometime.

#5 @foolswisdom
17 years ago

The loss of usability has no benefit if this information can be attained trivially other ways.

#6 @hempsworth
17 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

I'm going to close this following the discussion on wp-hackers, and the reasons given in the previous tickets which followed the same theme.

#3708
#4290

#7 @lloydbudd
17 years ago

  • Milestone 2.6 deleted

4 years ago

This ticket was mentioned in Slack in #forums by kestutisit.
