[wp-trac] [WordPress Trac] #13866: No dupe-checking on wp_users.display_name field causes serious vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Sat Jun 12 14:43:12 UTC 2010
#13866: No dupe-checking on wp_users.display_name field causes serious vulnerability
-----------------------------+----------------------------------------------
 Reporter:  foxly            |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  highest omg bbq  |   Milestone:  Unassigned
Component:  Users            |     Version:  2.9.2
 Severity:  critical         |    Keywords:  security exploit, spoofing, display_name
-----------------------------+----------------------------------------------
This is a serious problem with how the WordPress core handles user data.

WordPress has many different names for the same user. There's user_login,
which they can't change, user_nicename, which is essentially the same
thing, and display_name.

If display_name is unset, the user_login will be displayed. But if
display_name is set, the value in display_name will be displayed.

That means if a user sets their display_name to, say, "admin" on either the
back-end menu, or on the profile config in BuddyPress, their name will be
displayed as "admin" *everywhere* on the site.

This would be great for a phishing attack. And there are probably some
plugins that this could open security holes in as well.

Also: It's possible for more than one user to have the same
"display_name".
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13866>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
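
An audit for the collisions the ticket describes, as an added example that is not part of the original ticket or of WordPress core: it flags any account whose display_name matches another account's user_login, user_nicename or display_name. Assumptions: a simplified wp_users table held in SQLite, constructed sample rows, and matching by trimming and ASCII case-folding only; the function name is hypothetical.

```python
import sqlite3

# Simplified stand-in for wp_users (assumption): only the columns the ticket discusses.
SCHEMA = """
CREATE TABLE wp_users (
    ID            INTEGER PRIMARY KEY,
    user_login    TEXT NOT NULL,
    user_nicename TEXT NOT NULL,
    display_name  TEXT NOT NULL
);
"""

# Constructed sample rows, not taken from a real site.
SAMPLE_USERS = [
    (1, "admin", "admin", "Site Owner"),
    (2, "foxly", "foxly", "foxly"),
    (3, "mallory", "mallory", " Admin "),  # imitates user 1's login
    (4, "alice", "alice", "Alice"),
    (5, "alice2", "alice2", "alice"),      # same displayed name as user 4
]

# A display_name collides when, trimmed and lower-cased, it equals ANOTHER
# account's user_login, user_nicename or display_name (self-matches excluded).
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.display_name, o.ID,
       CASE
         WHEN lower(trim(u.display_name)) = lower(o.user_login)    THEN 'user_login'
         WHEN lower(trim(u.display_name)) = lower(o.user_nicename) THEN 'user_nicename'
         ELSE 'display_name'
       END AS matched_field
FROM wp_users AS u
JOIN wp_users AS o ON o.ID <> u.ID
WHERE lower(trim(u.display_name)) IN (
        lower(o.user_login), lower(o.user_nicename), lower(trim(o.display_name)))
ORDER BY u.ID, o.ID;
"""

def find_display_name_collisions(rows):
    """Load rows into an in-memory table and return the colliding accounts."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", rows)
        return conn.execute(AUDIT_SQL).fetchall()
    finally:
        conn.close()

if __name__ == "__main__":
    for uid, login, shown, other, field in find_display_name_collisions(SAMPLE_USERS):
        print(f"user {uid} ({login}) shows as {shown!r}: matches {field} of user {other}")
```

SQLite's lower() folds ASCII letters only, so look-alike Unicode names are outside what this check catches.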