[wp-trac] Re: [WordPress Trac] #5301: WordPress can "leak" if a username is valid
WordPress Trac
wp-trac at lists.automattic.com
Thu Nov 1 14:04:04 GMT 2007
#5301: WordPress can "leak" if a username is valid
---------------------------------+------------------------------------------
Reporter: Viper007Bond | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.5
Component: Administration | Version: 2.3.1
Severity: normal | Resolution:
Keywords: has-patch, security |
---------------------------------+------------------------------------------
Changes (by dougal):
* keywords: has-patch => has-patch, security
Comment:
Thanks for putting this ticket in. I was going to do it myself, but just
hadn't found the time yet.
Disclosing whether the username or password was incorrect like this is a
definite security no-no. This is oooold security-fu. Security-by-
obscurity? In a sense. But when you give somebody a definite part of the
key, it just makes the rest that much easier. Any security knowledge base
out there will tell you not to give this type of info away. Look back over
the old changelogs for SSH sometime.
--
Ticket URL: <http://trac.wordpress.org/ticket/5301#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
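
The point made in the comment above, as an added example that is not part of the original message and is not WordPress code: a login check that reports which field failed, beside one that returns a single message for every failure. The user store, function names and message strings are assumptions made for the example; the dummy-hash step goes slightly beyond the comment, so that an unknown username does not answer faster than a known one.

```php
<?php
// Constructed user store for this example; not WordPress's schema or API.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Leaky form: the message tells the caller which half of the credential failed,
// so a wrong guess still confirms whether the account exists.
function login_leaky(array $users, string $name, string $pass): string {
    if (!isset($users[$name])) {
        return 'ERROR: Invalid username.';       // hypothetical message text
    }
    if (!password_verify($pass, $users[$name])) {
        return 'ERROR: Incorrect password.';     // hypothetical message text
    }
    return 'OK';
}

// Hardened form: one message for every failure, and a hash comparison is
// always performed, even when the username is unknown.
function login_uniform(array $users, string $name, string $pass): string {
    static $dummy = null;
    if ($dummy === null) {
        // Hash of a random value, built once, used only to spend the same work.
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $known = isset($users[$name]);
    $hash  = $known ? $users[$name] : $dummy;
    $match = password_verify($pass, $hash);      // runs on both paths
    return ($known && $match) ? 'OK' : 'ERROR: Invalid username or password.';
}

// Constructed attempts: known user with a bad password, unknown user, valid login.
$attempts = [['admin', 'wrong'], ['nobody', 'wrong'], ['admin', 'correct horse']];
foreach ($attempts as [$name, $pass]) {
    printf(
        "%-7s leaky: %-27s uniform: %s\n",
        $name,
        login_leaky($users, $name, $pass),
        login_uniform($users, $name, $pass)
    );
}
```

The first two attempts get different answers from `login_leaky` and the same answer from `login_uniform`.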