[wp-trac] [WordPress Trac] #4290: Username information leak on wp-login.php
WordPress Trac
wp-trac at lists.automattic.com
Fri May 18 21:36:27 GMT 2007
#4290: Username information leak on wp-login.php
----------------------------+-----------------------------------------------
Reporter: jimp79 | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.3
Component: Administration | Version:
Severity: major | Keywords: security
----------------------------+-----------------------------------------------
The wp-login.php leaks valid usernames due to the fact that it gives
different error messages if the entered user exists or not.
If the username exists the error message is: ERROR: Incorrect password.
If the username does not exist then the error message is: ERROR: Invalid
username.
This vulnerability could be leveraged by an attacker to assist in
performing a brute force or dictionary attack against the login form.
--
Ticket URL: <http://trac.wordpress.org/ticket/4290>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
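
The behaviour reported in the ticket next to a hardened variant, as an added example that is not part of the original message and is not WordPress code. The account store, function names and the generic message text are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the application uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store, not real data: username -> (salt, hash).
USERS = {"admin": _make_user("correct horse")}
# Dummy credential verified when the username is unknown, so both failure
# paths perform the same hashing work and take comparable time.
_DUMMY = _make_user(os.urandom(16).hex())

GENERIC = "ERROR: Invalid username or password."  # hypothetical wording

def login_leaky(username: str, password: str):
    """Behaviour described in the ticket: the message reveals whether the user exists."""
    if username not in USERS:
        return False, "ERROR: Invalid username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "ERROR: Incorrect password."
    return True, "OK"

def login_uniform(username: str, password: str):
    """Hardened variant: one message and the same work for both failure cases."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return True, "OK"
    return False, GENERIC

def messages_differ(login) -> bool:
    """Regression check: does the failure message distinguish known from unknown users?"""
    known = login("admin", "wrong-password")[1]
    unknown = login("no-such-user", "wrong-password")[1]
    return known != unknown

if __name__ == "__main__":
    print("leaky form distinguishes users:  ", messages_differ(login_leaky))
    print("uniform form distinguishes users:", messages_differ(login_uniform))
```

A uniform message only closes this one channel; the same check should be repeated for any other form that responds differently for known and unknown accounts, such as password reset.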