[wp-trac] [WordPress Trac] #5388: Author Permalink
(myblog.com/author/username/) does not help security
WordPress Trac
wp-trac at lists.automattic.com
Mon Nov 26 02:09:14 GMT 2007
#5388: Author Permalink (myblog.com/author/username/) does not help security
-------------------------+--------------------------------------------------
Reporter: enposte | Owner: anonymous
Type: enhancement | Status: new
Priority: high | Milestone: 2.3.2
Component: Security | Version: 2.3.1
Severity: critical | Keywords:
-------------------------+--------------------------------------------------
When pretty permalinks are enabled, any hacker can easily find out the
usernames used on the blog.
All they have to do is type:
'''myblog.com/?author=(some_random_id)'''
and if there is an author with that id, the URL will redirect to:
'''myblog.com/author/matching_username/'''
I think it would be more secure if the URL redirected to:
'''myblog.com/author/author_id/'''
--
Ticket URL: <http://trac.wordpress.org/ticket/5388>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software