Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- -----------------------------------------------------------------------
- Talsoft S.R.L. Security Advisory
- WordPress User IDs and User Names Disclosure
- -----------------------------------------------------------------------
- I. Advisory information
- Title: WordPress User IDs and User Names Disclosure
- Advisory Id: TALSOFT-2011-0526
- Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
- Date published: 2011-05-26
- Vendors contacted: WordPress
- Author: Verónica Valeros
- II. Vulnerability information
- Class: Insecure Direct Object References (CWE-715)
- Impact: Low
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- III. Overview
- WordPress platforms use a parameter called ‘author’. This parameter
- accepts integer values and represents the ‘User ID’ of users in the
- web site. For example: http://www.example.com/?author=1
- The problems found are:
- 1. User ID values are generated consecutively.
- 2. When a valid User ID is found, WordPress redirects to a web page
- with the name of the author.
- These problems trigger the following attack vectors:
- 1. The query response discloses whether the User ID is enabled.
- 2. The query response leaks (by redirection) the User Name
- corresponding with that User ID. (See update for version 3.1.3)
- User IDs can be disabled, leaving holes within the consecutive
- numbers. Therefore, when an invalid User ID is sent, no redirection is
- done and no information is disclosed.
- Also, the attack can be automated, sending multiple queries to extract
- valid User Names and User IDs from the vulnerable web sites.
- Update:
- In version 3.1.3 the redirection explained in the second attack vector
- is not done, but is still possible to find the User Name in the source
- code. Therefore, this version is still vulnerable.
- IV. Affected versions
- This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other
- versions were not tested and may be vulnerable.
- V. Non affected versions
- Unknown.
- VI. Proof of concept
- A Proof of Concept (PoC) is available at: wp-userdata-disclosure-PoC.py.tar.gz
- VII. Solution
- WordPress version 3.1.3 fixes the redirection problem, but user names
- are still been disclosed in the HTML code. No solution was provided
- for this last problem.
- VIII. Disclosure timeline
- + 2011-03-14:
- - Vulnerability was identified.
- + 2011-05-11:
- - WordPress security team was contacted.
- + 2011-05-12:
- - WordPress confirmed the vulnerability.
- + 2011-05-25:
- - WordPress released version 3.1.3, which included a fix for
- canonical redirection problem but did not included a fix for the
- source code problem.
- - WordPress security team was informed that after the release of
- version 3.1.3 the vulnerability was still exploitable.
- - WordPress team agreed to release the security advisory.
- + 2011-05-26:
- - The advisory was released.
- IX. Credits
- This vulnerability was discovered and reported by Verónica Valeros
- (veronicavaleros at talsoft.com.ar)
- X. Disclaimer
- The information provided in this document is for information purposes
- only. Talsoft S.R.L. accepts no responsibility for any damage caused
- by the use or misuse of this information. The content of this advisory
- may be distributed freely, provided that no fee is charged for this
- distribution and proper credit is given.
- XI. About Talsoft S.R.L.
- Talsoft S.R.L is a growing company with the mission to provide
- solutions in the following areas:
- + Information Security
- + Technology administration
- + Open source solutions
- + Trainings and courses
- Talsoft S.R.L. is also involved in many information security research projects.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement