[wp-trac] [WordPress Trac] #33056: Identification user login with scan tools

WordPress Trac noreply at wordpress.org
Tue Jul 21 13:00:26 UTC 2015


#33056: Identification user login with scan tools
--------------------------+----------------------
 Reporter:  aszone        |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  trunk
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------

Comment (by aszone):

 Pretty good!
 Thank you for the answer.

 But, with the studies completed, an easily available user login provides a
 supplement for future brute-force attempts on the administrative
 environment.

 About the patch: there is no duplication, because "sanitize_user" checks
 the user and creates a variation by adding -1 or -2 if the user is
 repeated.

 Replying to [comment:1 chriscct7]:
 > In order to post this ticket, you first had to check a box saying you
 > weren't reporting a security vulnerability. You then had to re-affirm this
 > before you were able to submit this form. Next time, please follow the
 > instructions to email potential security issues to security@{the WordPress
 > url} instead of posting here (this ensures security issues don't become
 > public before we can fix them).
 >
 > This doesn't appear to be a valid security concern.
 >
 > Usernames are not considered sensitive information. WordPress core even
 > uses them to generate author page URLs.
 >
 > For more information see the following Tavern article or one of the
 > dozens of related Trac tickets on this subject (I've included a couple
 > below; you'll find many more by searching Trac).
 >
 > http://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
 > #3708
 > #4290
 > #5301
 > #5388
 > #14644
 >
 > Even if there was a security issue with this, which to reiterate there
 > is not, the patch provided couldn't be used: as pointed out indirectly in
 > #29873, the username and user_nicename are guaranteed to be unique. The
 > display name is not guaranteed to be unique (there can be multiple John
 > Smiths on a single site, for example). Therefore, the patch would cause
 > issues on sites where there are multiple authors with the same display
 > name, thus causing them to share the same author URL.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33056#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
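The uniqueness point in the thread above (user_nicename is unique per site, display_name is not, so an author URL keyed on display_name can resolve to several users) can be checked on a small model. The following is an added example, not WordPress code and not the patch from the ticket: the user table is constructed, `slugify` is only an approximation of how a title becomes a URL slug, and the suffix scheme in `disambiguate` is a hypothetical fix used to show what a display-name-based URL would additionally need.

```python
"""Model of author-URL ambiguity when the URL is keyed on display_name.

Added illustration for the Trac #33056 discussion; not WordPress code.
"""
import re
from collections import defaultdict

# Constructed sample user table (IDs and names are made up).
# Two users deliberately share a display name, as the ticket describes.
USERS = [
    {"ID": 1, "user_login": "jsmith", "user_nicename": "jsmith", "display_name": "John Smith"},
    {"ID": 2, "user_login": "john.s", "user_nicename": "john-s", "display_name": "John Smith"},
    {"ID": 3, "user_login": "adm1n",  "user_nicename": "adm1n",  "display_name": "Site Admin"},
]


def slugify(text):
    """Approximate slug: lower-case, runs of non-alphanumerics become '-'.

    Assumption: this stands in for WordPress's real slug routine, which it is not.
    """
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")


def author_urls(users, key):
    """Map '/author/<slug>/' -> list of user IDs that slug would resolve to.

    key is the user field the URL is derived from ('user_nicename' or
    'display_name').
    """
    table = defaultdict(list)
    for u in users:
        table["/author/%s/" % slugify(u[key])].append(u["ID"])
    return dict(table)


def collisions(users, key):
    """Return only the URLs shared by more than one user (empty if none)."""
    return {url: ids for url, ids in author_urls(users, key).items() if len(ids) > 1}


def disambiguate(users, key):
    """Hypothetical fix: append -2, -3, ... to a slug that is already taken.

    Returns {user ID: slug}. Note the resulting URL for a user now depends
    on the order in which users were processed, so it is not a stable
    identifier the way user_nicename is. This is not WordPress behaviour.
    """
    taken = set()
    result = {}
    for u in users:
        base = slugify(u[key])
        slug, n = base, 1
        while slug in taken:
            n += 1
            slug = "%s-%d" % (base, n)
        taken.add(slug)
        result[u["ID"]] = slug
    return result


if __name__ == "__main__":
    for key in ("user_nicename", "display_name"):
        print(key, "collisions:", collisions(USERS, key))
    print("disambiguated display_name slugs:", disambiguate(USERS, "display_name"))
```

Running it shows no shared URLs for `user_nicename`, one shared URL (`/author/john-smith/` for users 1 and 2) for `display_name`, and how a suffix scheme would have to pick an order-dependent winner for the bare slug.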