[wp-hackers] Maybe a secure-hole

Viper007Bond viper at viper007bond.com
Thu Oct 9 12:22:20 GMT 2008


This has been addressed many, many times before. Security through obscurity
isn't real security, plus there are plenty of other ways to get usernames.

Plus every single blog has "admin" so there's no real need to bother with
other usernames.

On Thu, Oct 9, 2008 at 3:57 AM, Frank Bueltge <frank at bueltge.de> wrote:

> Yes, this is easy.
> My users like this link; in many blogs and themes it is essential.
>
> I think this is a problem in the function the_author_posts_link()
> Maybe use md5 or name+surname etc for the url.
>
>
> On Thu, Oct 9, 2008 at 12:40 PM, scribu <scribu at gmail.com> wrote:
> > You can easily remove that link from your theme files (single.php et
> > co). No need to change anything in WordPress itself.
> >
> > On Thu, Oct 9, 2008 at 11:25 AM, Frank Bueltge <frank at bueltge.de> wrote:
> >> When you include a link to the author and activate permalinks, you
> >> get a link to the login name of the author.
> >> This is a security hole. Hackers use this login name and search for
> >> the password.
> >>
> >> example:
> >> <a href="http://localhost/wpbeta/author/admin/" title="Posts by Frank
> >> Bueltge">Frank Bueltge</a>
> >>
> >> Link to:
> >> http://localhost/wpbeta/author/admin/
> >>
> >> admin is the login name, and the author had set the name in the blog to
> >> their name and surname.
> >>
> >> Maybe it is possible to change this in 2.7?
> >>
> >> * Sorry for my bad English, I hope you understand me.
> >> Best wishes
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >
> >
> >
> > --
> > http://scribu.net



-- 
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
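
Added example (not part of the original thread and not WordPress code): a Python check a site owner could run over their own rendered pages to see which author links carry a login name as the URL slug, as in the `/author/admin/` link quoted above. The HTML sample and the login list are constructed, and the names `AuthorLinkParser` and `exposed_logins` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample of rendered theme output (not from a real site).
SAMPLE_HTML = '''
<a href="http://localhost/wpbeta/author/admin/" title="Posts by Frank Bueltge">Frank Bueltge</a>
<a href="http://localhost/wpbeta/author/jane-doe/" title="Posts by Jane Doe">Jane Doe</a>
<a href="http://localhost/wpbeta/2008/10/hello-world/">Hello world</a>
'''

# Matches a URL path that ends in /author/<slug>/ (the author permalink form).
AUTHOR_PATH = re.compile(r"/author/([^/]+)/?$")

class AuthorLinkParser(HTMLParser):
    """Collects (slug, link text) for every <a> pointing at an author archive."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._slug = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        match = AUTHOR_PATH.search(urlparse(href).path)
        if match:
            self._slug, self._text = match.group(1), []

    def handle_data(self, data):
        if self._slug is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._slug is not None:
            self.links.append((self._slug, "".join(self._text).strip()))
            self._slug = None

def exposed_logins(html, login_names):
    """Return author links whose URL slug equals one of the site's own login names."""
    parser = AuthorLinkParser()
    parser.feed(html)
    logins = {name.lower() for name in login_names}
    return [(slug, text) for slug, text in parser.links if slug.lower() in logins]

if __name__ == "__main__":
    # The login list would come from the site's own user table; constructed here.
    for slug, shown in exposed_logins(SAMPLE_HTML, ["admin", "jdoe"]):
        print(f"author link slug '{slug}' is a login name (displayed as '{shown}')")
```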

