0xroot

May 26th, 2011
-----------------------------------------------------------------------
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
-----------------------------------------------------------------------

I. Advisory information
Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26
Vendors contacted: WordPress
Author: Verónica Valeros

II. Vulnerability information
Class: Insecure Direct Object References (CWE-715)
Impact: Low
Remotely Exploitable: Yes
Locally Exploitable: Yes

III. Overview
WordPress platforms use a parameter called 'author'. This parameter
accepts integer values and represents the 'User ID' of users in the
web site. For example: http://www.example.com/?author=1
The problems found are:
1. User ID values are generated consecutively.
2. When a valid User ID is found, WordPress redirects to a web page
with the name of the author.

These problems trigger the following attack vectors:
1. The query response discloses whether the User ID is enabled.
2. The query response leaks (by redirection) the User Name
corresponding to that User ID. (See update for version 3.1.3)

User IDs can be disabled, leaving holes within the consecutive
numbers. Therefore, when an invalid User ID is sent, no redirection is
done and no information is disclosed.

Also, the attack can be automated, sending multiple queries to extract
valid User Names and User IDs from the vulnerable web sites.


Update:
In version 3.1.3 the redirection explained in the second attack vector
is not done, but it is still possible to find the User Name in the source
code. Therefore, this version is still vulnerable.
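The behaviour described in the overview (consecutive IDs, 301 redirect for an enabled ID, no redirect for a disabled one, and in 3.1.3 a 200 page that still carries the name) leaves a recognisable pattern in the web server's access log. The following detection script is an added example and is not part of the advisory or of the PoC archive it references. It parses Apache combined-format lines (the sample lines, IP addresses and timestamps below are constructed), groups `?author=N` requests per client, and flags a client that touches several distinct IDs within a short window, separating IDs that answered (enabled) from IDs that returned 404 (holes in the sequence). The threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (Apache combined format); not real traffic.
# 203.0.113.10 walks IDs 1..5; 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2011:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.21.0"
203.0.113.10 - - [26/May/2011:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "curl/7.21.0"
203.0.113.10 - - [26/May/2011:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.21.0"
203.0.113.10 - - [26/May/2011:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 3210 "-" "curl/7.21.0"
203.0.113.10 - - [26/May/2011:10:00:03 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/7.21.0"
203.0.113.10 - - [26/May/2011:10:00:03 +0000] "GET /?author=5 HTTP/1.1" 404 3210 "-" "curl/7.21.0"
198.51.100.7 - - [26/May/2011:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [26/May/2011:10:05:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Pretty-permalink author archive the 301 lands on, e.g. /author/admin/
AUTHOR_PAGE_RE = re.compile(r'^/author/([^/?]+)/?')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def author_id(path):
    """Return the integer value of the 'author' query parameter, or None."""
    values = parse_qs(urlparse(path).query).get('author')
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def detect_author_enumeration(log_text, min_ids=3, window_seconds=60):
    """Flag clients that probe >= min_ids distinct author IDs within window_seconds.

    Returns {ip: {'probed_ids', 'enabled_ids', 'absent_ids', 'author_pages'}}.
    A 200/301/302 answer means the ID is enabled (301 before 3.1.3, 200 from
    3.1.3 on); a 404 means a disabled ID, i.e. a hole in the sequence.
    """
    probes = defaultdict(list)       # ip -> [(ts, author_id, status)]
    author_pages = defaultdict(set)  # ip -> {author slugs fetched}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        page = AUTHOR_PAGE_RE.match(rec['path'])
        if page:
            author_pages[rec['ip']].add(page.group(1))
        uid = author_id(rec['path'])
        if uid is not None:
            probes[rec['ip']].append((rec['ts'], uid, rec['status']))

    findings = {}
    for ip, events in probes.items():
        events.sort()
        for start in range(len(events)):
            t0 = events[start][0]
            window = [e for e in events[start:]
                      if (e[0] - t0).total_seconds() <= window_seconds]
            ids = {uid for _, uid, _ in window}
            if len(ids) < min_ids:
                continue
            findings[ip] = {
                'probed_ids': sorted(ids),
                'enabled_ids': sorted({uid for _, uid, st in window if st in (200, 301, 302)}),
                'absent_ids': sorted({uid for _, uid, st in window if st == 404}),
                'author_pages': sorted(author_pages.get(ip, ())),
            }
            break  # one finding per client is enough for an alert
    return findings


if __name__ == '__main__':
    for ip, info in detect_author_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real log with `detect_author_enumeration(open('access.log').read())`. The status-code split is what makes the alert useful to an administrator: the `enabled_ids` list is exactly the set of accounts the probing client has confirmed, and `author_pages` shows which user names it was redirected to, so the response can be scoped to those accounts.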

IV. Affected versions
This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other
versions were not tested and may be vulnerable.

V. Non affected versions
Unknown.

VI. Proof of concept
A Proof of Concept (PoC) is available at: wp-userdata-disclosure-PoC.py.tar.gz

VII. Solution
WordPress version 3.1.3 fixes the redirection problem, but user names
are still being disclosed in the HTML code. No solution was provided
for this last problem.

VIII. Disclosure timeline
+ 2011-03-14:
- Vulnerability was identified.
+ 2011-05-11:
- WordPress security team was contacted.
+ 2011-05-12:
- WordPress confirmed the vulnerability.
+ 2011-05-25:
- WordPress released version 3.1.3, which included a fix for the
canonical redirection problem but did not include a fix for the
source code problem.
- WordPress security team was informed that after the release of
version 3.1.3 the vulnerability was still exploitable.
- WordPress team agreed to release the security advisory.
+ 2011-05-26:
- The advisory was released.

IX. Credits
This vulnerability was discovered and reported by Verónica Valeros
(veronicavaleros at talsoft.com.ar)

X. Disclaimer
The information provided in this document is for information purposes
only. Talsoft S.R.L. accepts no responsibility for any damage caused
by the use or misuse of this information. The content of this advisory
may be distributed freely, provided that no fee is charged for this
distribution and proper credit is given.

XI. About Talsoft S.R.L.
Talsoft S.R.L. is a growing company with the mission to provide
solutions in the following areas:
+ Information Security
+ Technology administration
+ Open source solutions
+ Trainings and courses
Talsoft S.R.L. is also involved in many information security research projects.