[wp-trac] Re: [WordPress Trac] #3708: wp_login is too "friendly" --
Information disclosure
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 29 16:31:03 GMT 2007
#3708: wp_login is too "friendly" -- Information disclosure
--------------------------------------+-------------------------------------
 Reporter:  charleshooper             |        Owner:  anonymous
     Type:  defect                    |       Status:  new
 Priority:  low                       |    Milestone:  2.2
Component:  Security                  |      Version:  2.2
 Severity:  trivial                   |   Resolution:
 Keywords:  security login has-patch  |
--------------------------------------+-------------------------------------
Comment (by markjaquith):
There are other ways to verify user names. You can reverse engineer them
from the author archive URLs (e.g. http://example.com/author/mark/). I
believe the consensus last time this came up was that it was trivial to
figure out the user names anyway, and that it is much more user-friendly
to tell them when they messed up their username, and not the password.
Also, "admin" is created on install, and can't be changed using WordPress
itself, so there's no hiding that.
--
Ticket URL: <http://trac.wordpress.org/ticket/3708#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software