[wp-trac] [WordPress Trac] #33056: Identification user login with scan tools
WordPress Trac
noreply at wordpress.org
Tue Jul 21 03:29:00 UTC 2015
#33056: Identification user login with scan tools
--------------------------+----------------------
Reporter: aszone | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: trunk
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by chriscct7):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
In order to post this ticket, you first had to check a box saying you
weren't reporting a security vulnerability. You then had to re-affirm this
before you were able to submit this form. Next time, please follow the
instructions to email potential security issues to security at wordpress.org.
This doesn't appear to be a valid security concern. Usernames are not
considered sensitive information. WordPress core even uses them to
generate author page URLs.
For more information see the following Tavern article or one of the dozens
of related Trac tickets on this subject (a sample of which is below).
http://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
#3708
#4290
#5301
#5388
#14644
Even if there were a security issue with this, which, to reiterate, there is
not, the patch provided couldn't be used. As pointed out indirectly in
#29873, the username and user_nicename are guaranteed to be unique. The
display name is not guaranteed to be unique (there can be multiple John
Smiths on a single site, for example). Therefore, the patch would cause
issues on sites where there are multiple authors with the same display
name, causing them to share the same author URL.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33056#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
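The uniqueness argument in the comment above, as an added example that is not code from the ticket or from WordPress core: a constructed user table in which two accounts share a display name, a simplified stand-in for WordPress's sanitize_title() (an assumption, not the real function), and a check that author URLs keyed on user_nicename stay distinct while URLs keyed on display_name collide, which is the failure the patch would have introduced.

```python
import re
from collections import defaultdict

# Constructed sample user table (not data from the ticket). As in WordPress,
# user_login and user_nicename are unique per site; display_name is not.
USERS = [
    {"ID": 1, "user_login": "jsmith",     "user_nicename": "jsmith",     "display_name": "John Smith"},
    {"ID": 2, "user_login": "john.smith", "user_nicename": "john-smith", "display_name": "John Smith"},
    {"ID": 3, "user_login": "editor1",    "user_nicename": "editor1",    "display_name": "Site Editor"},
]


def slugify(value):
    """Simplified stand-in for sanitize_title(): lowercase, keep [a-z0-9],
    collapse everything else into single hyphens. Assumption, not WP's code."""
    value = value.lower()
    return re.sub(r"[^a-z0-9]+", "-", value).strip("-")


def author_urls(users, field, base="https://example.test"):
    """Map each user ID to the author URL that slugifying `field` would produce."""
    return {u["ID"]: f"{base}/author/{slugify(u[field])}/" for u in users}


def url_collisions(urls):
    """Return {url: [user IDs]} for every URL that more than one user would share.
    An empty dict means the field is safe to route author pages on."""
    by_url = defaultdict(list)
    for uid, url in urls.items():
        by_url[url].append(uid)
    return {url: ids for url, ids in by_url.items() if len(ids) > 1}


def resolve_author(users, field, slug):
    """Route an incoming /author/<slug>/ request back to users by `field`.
    Returns every matching ID; more than one means the URL is ambiguous."""
    return [u["ID"] for u in users if slugify(u[field]) == slug]


if __name__ == "__main__":
    for field in ("user_nicename", "display_name"):
        print(field, "collisions:", url_collisions(author_urls(USERS, field)))
    print("/author/john-smith/ by display_name ->", resolve_author(USERS, "display_name", "john-smith"))
```

Running it shows no collisions for user_nicename and one shared URL for display_name, where /author/john-smith/ resolves to both John Smiths; that ambiguity is why core keys author archives on the unique field.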