Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure
- From: Veronica <vero.valeros@xxxxxxxxx>
- Date: Thu, 26 May 2011 11:16:07 -0300
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
I. Advisory information
Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26
Vendors contacted: WordPress
Author: Verónica Valeros
II. Vulnerability information
Class: Insecure Direct Object References (CWE-715)
Remotely Exploitable: Yes
Locally Exploitable: Yes
WordPress platforms use a parameter called "author". This parameter
accepts integer values and represents the "User ID" of users in the
web site. For example: http://www.example.com/?author=1
The problems found are:
1. User ID values are generated consecutively.
2. When a valid User ID is found, WordPress redirects to a web page
with the name of the author.
These problems trigger the following attack vectors:
1. The query response discloses whether the User ID is enabled.
2. The query response leaks (by redirection) the User Name
corresponding to that User ID. (See update for version 3.1.3)
User IDs can be disabled, leaving holes within the consecutive
numbers. Therefore, when an invalid User ID is sent, no redirection is
done and no information is disclosed.
Also, the attack can be automated, sending multiple queries to extract
valid User Names and User IDs from the vulnerable web sites.
In version 3.1.3 the redirection explained in the second attack vector
is no longer done, but it is still possible to find the User Name in the
page source. Therefore, this version is still vulnerable.
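Because the enumeration described above is a sequence of requests for consecutive "author" values, it leaves a recognisable pattern in the web server's access log. The following detection script is an added example for this advisory; it is not part of the original post or of the referenced PoC. It parses constructed Apache combined-format log lines (the IPs, timestamps and user agents are made up for illustration) and reports any client that requested several distinct "author" IDs, noting whether the IDs were consecutive and which requests received the 301/302 redirect that leaks the user name on versions before 3.1.3.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (Apache combined format). Not real traffic:
# one client sweeps author=1..5, another makes a single legitimate request.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2011:10:00:01 -0300] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-urllib/2.6"
203.0.113.5 - - [26/May/2011:10:00:02 -0300] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-urllib/2.6"
203.0.113.5 - - [26/May/2011:10:00:02 -0300] "GET /?author=3 HTTP/1.1" 404 1523 "-" "python-urllib/2.6"
203.0.113.5 - - [26/May/2011:10:00:03 -0300] "GET /?author=4 HTTP/1.1" 301 0 "-" "python-urllib/2.6"
203.0.113.5 - - [26/May/2011:10:00:03 -0300] "GET /?author=5 HTTP/1.1" 301 0 "-" "python-urllib/2.6"
198.51.100.7 - - [26/May/2011:10:05:11 -0300] "GET /?p=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2011:10:05:20 -0300] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request line, and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {ip, author, status} for a request carrying an integer ?author=, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m.group("path")).query)
    author = query.get("author", [None])[0]
    if author is None or not author.isdigit():
        return None
    return {"ip": m.group("ip"), "author": int(author), "status": int(m.group("status"))}


def find_author_enumeration(log_text, min_distinct=3):
    """Map each client IP that requested >= min_distinct distinct author IDs to a finding."""
    per_ip = defaultdict(lambda: {"ids": set(), "redirected": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["ids"].add(rec["author"])
        # A 301/302 answer is the canonical redirect that reveals the user name
        # (versions before 3.1.3); it also confirms that the ID is enabled.
        if rec["status"] in (301, 302):
            entry["redirected"].add(rec["author"])

    findings = {}
    for ip, entry in per_ip.items():
        ids = sorted(entry["ids"])
        if len(ids) < min_distinct:
            continue
        # Strictly consecutive IDs are the signature of a sequential sweep.
        consecutive = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        findings[ip] = {
            "ids": ids,
            "consecutive": consecutive,
            "disclosed_ids": sorted(entry["redirected"]),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in find_author_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

The threshold `min_distinct` is a tunable chosen for the sample; on a busy site with many authors, raise it or add a time window so that ordinary visitors browsing author archives are not flagged. Note that the 404 for author=3 is exactly the "hole" the advisory describes: the sweeping client learns that ID 3 is disabled while 1, 2, 4 and 5 are enabled.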
IV. Affected versions
This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other
versions were not tested and may be vulnerable.
V. Non affected versions
VI. Proof of concept
A Proof of Concept (PoC) is available at: wp-userdata-disclosure-PoC.py.tar.gz
WordPress version 3.1.3 fixes the redirection problem, but user names
are still being disclosed in the HTML code. No solution was provided
for this last problem.
VIII. Disclosure timeline
    - Vulnerability was identified.
    - WordPress security team was contacted.
    - WordPress confirmed the vulnerability.
    - WordPress released version 3.1.3, which included a fix for the
canonical redirection problem but did not include a fix for the
source code problem.
    - WordPress security team was informed that after the release of
version 3.1.3 the vulnerability was still exploitable.
    - WordPress team agreed to release the security advisory.
    - The advisory was released.
This vulnerability was discovered and reported by Verónica Valeros
(veronicavaleros at talsoft.com.ar)
The information provided in this document is for information purposes
only. Talsoft S.R.L. accepts no responsibility for any damage caused
by the use or misuse of this information. The content of this advisory
may be distributed freely, provided that no fee is charged for this
distribution and proper credit is given.
XI. About Talsoft S.R.L.
Talsoft S.R.L is a growing company with the mission to provide
solutions in the following areas:
+ Information Security
+ Technology administration
+ Open source solutions
+ Trainings and courses
Talsoft S.R.L. is also involved in many information security research projects.
Penetration Tester at TalSoft S.R.L.