Patching WordPress Username Disclosure
On May 26th, Veronica Valero of Talsoft S.R.L. posted a security advisory on the Full Disclosure mailing list describing a username disclosure vulnerability via a Direct Object Reference.
This is a problem in itself; however, what was more interesting to me was Zerial’s reply to the advisory:
“Also you can “enumerate” wordpress users using the wp-login.php. When you enter a non-existent user wordpress returns “Invalid username” and when you enter a valid user with any random/dummy password, wordpress returns “Invalid Password”. Now you can use brute-force to enumerate all valid users using, for example, a name&username dictionary.”
As a simple test against https://wordpress.org/wp-login.php shows, what he was saying is true.
Existing user ‘admin’: (screenshot: WordPress reports that the password entered for the username is incorrect)
Non-existent user ‘nonexistant’: (screenshot: WordPress reports “Invalid username”)
As the two screenshots show, WordPress displays a clearly different error message depending on whether or not the username exists, so an attacker only needs to watch which message comes back to confirm valid accounts. According to OSVDB 55713 this was reported to WordPress by Core Security Technologies in June 2009. At the time of writing, the latest version of WordPress is 3.1.3 and it is still affected.
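To check whether a site of your own behaves this way (before and after patching), here is a small command-line script. It is an added example, not code from the original post or from WordPress; it assumes the PHP curl extension is available, that the login page prints its message inside the `<div id="login_error">` block that wp-login.php uses, and that you already know one existing username (for example the account created at install). The function and variable names prefixed `ehk_` are my own.

```php
<?php
// Added example (not from the original post): does this wp-login.php still
// tell a valid username apart from an invalid one?
// Usage: php wp-login-enum-check.php https://example.com/wp-login.php admin

// Pull the text of the <div id="login_error"> block WordPress prints above the form.
function ehk_extract_login_error( $html ) {
    if ( preg_match( '#<div id="login_error">(.*?)</div>#s', $html, $m ) ) {
        return trim( strip_tags( $m[1] ) );
    }
    return null; // no error shown at all (e.g. the login actually succeeded)
}

// POST one username/password pair to wp-login.php and return the page body.
// 'testcookie' is deliberately not sent, so the test-cookie check is skipped.
function ehk_post_login( $login_url, $user, $pass ) {
    $ch = curl_init( $login_url );
    curl_setopt_array( $ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query( array( 'log' => $user, 'pwd' => $pass ) ),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
    ) );
    $html = curl_exec( $ch );
    curl_close( $ch );
    return $html === false ? '' : $html;
}

// The site is enumerable when the two failure messages differ.
function ehk_is_enumerable( $existing_msg, $missing_msg ) {
    return $existing_msg !== $missing_msg;
}

if ( PHP_SAPI === 'cli' && isset( $argv[2] ) ) {
    $url   = $argv[1];
    $known = $argv[2];                       // a username you know exists
    $dummy = 'ehk-' . uniqid();              // a username that will not exist
    $pass  = md5( uniqid( '', true ) );      // a random, wrong password

    $known_msg = ehk_extract_login_error( ehk_post_login( $url, $known, $pass ) );
    $dummy_msg = ehk_extract_login_error( ehk_post_login( $url, $dummy, $pass ) );

    echo "existing user '$known': $known_msg\n";
    echo "random user   '$dummy': $dummy_msg\n";
    echo ehk_is_enumerable( $known_msg, $dummy_msg )
        ? "VULNERABLE: the messages differ, so usernames can be enumerated\n"
        : "OK: both failed logins return the same message\n";
}
```

Run it against a copy of the site you are allowed to test. Two requests are enough to answer the question; a real enumeration run would simply loop the second request over a username wordlist, which is exactly what Zerial describes.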
Here is how to patch the vulnerability highlighted by ‘Zerial’ yourself. Two caveats: wp-includes/user.php is a core file, so the next WordPress upgrade will overwrite your change and you will have to reapply it; and paste the lines with plain ASCII quotes, because curly quotes copied from a web page will give you a PHP parse error on that line.
wp-includes/user.php:91
Change:
return new WP_Error('invalid_username', sprintf(__('ERROR: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
To:
return new WP_Error( 'invalid_username', sprintf( __( 'ERROR: Invalid username and/or password.' ) ) );
wp-includes/user.php:111
Change:
return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: The password you entered for the username <strong>%1$s</strong> is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?' ), $username, site_url( 'wp-login.php?action=lostpassword', 'login' ) ) );
To:
return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: Invalid username and/or password.' ) ) );
Let’s hope WordPress patches this and the one Veronica disclosed sooner rather than later.
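If you would rather not edit core files, the same result can be had from a plugin. The following is an added example, not code from the original post or from WordPress core: it hooks the ‘authenticate’ filter that WordPress passes every login attempt through (the two lines patched above live in the core callback on that filter) and swaps the two leaky WP_Error codes for one generic message. It assumes WordPress 2.8 or later, and the `ehk_` function name and the ‘invalid_login’ error code are my own choices. Save it as a file in wp-content/mu-plugins/ so it loads automatically and survives upgrades.

```php
<?php
/*
Plugin Name: Generic login errors
Description: Added example (not WordPress core code): replaces the
'invalid_username' and 'incorrect_password' messages with one generic
message without touching wp-includes/user.php.
*/

// WordPress's own username/password check runs on 'authenticate' at
// priority 20 and the cookie check at 30; run after both of them.
add_filter( 'authenticate', 'ehk_generic_login_error', 40, 3 );

function ehk_generic_login_error( $user, $username, $password ) {
    // A WP_User object means the login succeeded; leave it alone.
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    // Only these two codes reveal whether the username exists.
    // 'empty_username' / 'empty_password' leak nothing and are kept.
    $leaky = array( 'invalid_username', 'incorrect_password' );
    if ( ! array_intersect( $leaky, $user->get_error_codes() ) ) {
        return $user;
    }

    // Identical wording for both cases; the lost-password link stays useful.
    return new WP_Error(
        'invalid_login',
        sprintf(
            __( 'ERROR: Invalid username and/or password. <a href="%s" title="Password Lost and Found">Lost your password</a>?' ),
            site_url( 'wp-login.php?action=lostpassword', 'login' )
        )
    );
}
```

Because wp_authenticate() is also what XML-RPC logins go through, the filter covers those as well. Note that this only closes the error-message channel; the author archive URLs mentioned in the Trac ticket below are a separate way of learning usernames and need their own handling.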
UPDATE
After some further searching, it seems a bug report was filed on WordPress’s Trac back in 2007: http://core.trac.wordpress.org/ticket/3708
“There are other ways to verify user names. You can reverse engineer them from the author archive URLs (e.g. http://example.com/author/mark/). I believe the consensus last time this came up was that it was trivial to figure out the user names anyway, and that it is much more user-friendly to tell them when they messed up their username, and not the password. Also, “admin” is created on install, and can’t be changed using WordPress itself, so there’s no hiding that.”
5 Responses to “Patching WordPress Username Disclosure”
Patch WordPress UserName Disclosure
[...] This vulnerability was already reported in OSVDB 55713 in 2009 but was still active (source: EthicalHack3r) [...]
KA
Good work…
Look here, published 09/05/2011
http://tinyurl.com/4236aot
and on Packet Storm in April
http://tinyurl.com/3nkqcly
The bug is 4 years old.
Regards
hailsizedgolfballs
Or you can use Login LockDown http://www.bad-neighborhood.com/login-lockdown.html
cliffsull
Just a note Ryan, I am probably missing something here? – but when I applied the above patch on the site you tested earlier at ‘Old Sarum’ I received an error back –
Parse error: syntax error, unexpected ‘:’ in /home/oldsarum/public_html/wp-includes/user.php on line 91
However, line 91 is exactly as shown above in your post?
return new WP_Error( ‘invalid_username’, sprintf( __( ‘ERROR: Invalid username and/or password.’)));
Is this a typo of some sort ?
You can see it yourself on my affected site
I will leave it as is (for now) so you can check it out, and will put the original user.php back in the morning – can you respond via tweet or leave a comment here and I will check it when I get the notification.
It is, as I said, probably a typo on my part – but I can’t see where?
Cheers
priya
If “ERROR: Invalid username. Lost your password?” appears for a valid username and password, what should I do? I am facing this on one of my WordPress blogs and can’t access the admin panel.