[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle
WordPress Trac
noreply at wordpress.org
Fri Nov 9 12:00:45 UTC 2018
#45318: Security problem: Login Oracle
--------------------------+----------------------------------------
Reporter: d0rkpress | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9.8
Severity: major | Keywords: Authentication needs-patch
Focuses: |
--------------------------+----------------------------------------
Hello,
when logging in to WordPress one can tell from the error message whether
the user account exists or not. It's either "ERROR: The password you
entered for the username <USERNAME> is incorrect" or "ERROR: Invalid
username".
This is basically missing the 101 security requirement of a login, see
https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Incorrect_Response_Examples.
Yes, I read that: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue . But in 2018 it is time to change this.
You just need to look into the logfile of any webserver and you will find lots
of probes for the WordPress login.
The threat is that it reduces the attacker's effort considerably, by a
2 x square root factor. Let's say that among 1000 user accounts I have one
hit on a web site, and for a password guess I have another 1 in 1000 hit.
Without a login oracle I would need 1000^2 tries to get hold of a login.
With this oracle I need 1000 + 10000 tries. One million requests vs. 2000
makes a huge difference.
Please
Thanks, Dirk (OWASP guy, Pentester, Consultant, IT Security >20yrs
professional experience)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45318>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
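The two login behaviours the ticket contrasts, side by side, as an added example that is not part of the ticket or of WordPress itself (WordPress is PHP; this is a stand-alone Python model). The user store, the PBKDF2 parameters, the dummy record and the `GENERIC_ERROR` text are all constructed here for illustration. The hardened form does two things the oracle form does not: it returns the same message for an unknown username and a wrong password, and it runs the password hash against a fixed dummy record when the username does not exist, so the unknown-username path does not return noticeably faster than the wrong-password path.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed parameters for the example; real deployments tune these.
PBKDF2_ITERATIONS = 50_000
GENERIC_ERROR = "ERROR: Invalid username or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (stand-in for a real password hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_store(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a constructed in-memory user store: username -> (salt, password hash)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


# A dummy record created once at startup. Unknown usernames are verified against it
# so the hashing work (and therefore the response time) is the same on both paths.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_oracle(store: Dict[str, Tuple[bytes, bytes]],
                 username: str, password: str) -> Tuple[bool, Optional[str]]:
    """The behaviour the ticket reports: the error text reveals whether the account exists."""
    if username not in store:
        return False, "ERROR: Invalid username"
    salt, stored = store[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return True, None
    return False, f"ERROR: The password you entered for the username {username} is incorrect"


def login_uniform(store: Dict[str, Tuple[bytes, bytes]],
                  username: str, password: str) -> Tuple[bool, Optional[str]]:
    """Hardened form: one failure message for both causes, and the same amount of
    hashing work whether or not the username exists."""
    exists = username in store
    salt, stored = store[username] if exists else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # Never accept a match against the dummy record, whatever the password was.
    if exists and matched:
        return True, None
    return False, GENERIC_ERROR


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    for fn in (login_oracle, login_uniform):
        print(fn.__name__)
        print("  unknown user :", fn(users, "bob", "anything")[1])
        print("  wrong passwd :", fn(users, "alice", "anything")[1])
        print("  correct      :", fn(users, "alice", "correct horse battery staple"))
```

Running the block prints two distinguishable messages for `login_oracle` and the single `GENERIC_ERROR` for both failure cases of `login_uniform`. In WordPress itself the message text shown on wp-login.php passes through the `login_errors` filter, which is where site owners customarily unify it; the dummy-hash step has to be done in the authentication code, not in the message filter.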