He also considers it a vulnerability to tell a new user that the username they've picked out has been taken by another user.
On Sun, Mar 25, 2012 at 3:09 PM, InterN0T Advisories <[email protected]> wrote:

> The same type of vulnerabilities exist in 99,999...% of all web applications,
> including your website. Even if you can't bruteforce all the time, you can
> adjust it with timing, and e.g. proxies, different user-agents, etc., and
> then you have "Timed Bruteforce Attacks", which work on pretty much all
> websites. Did you also mention this 5-10 years ago on your web site about
> website security named websitesecurity.com.ua?
>
> Also, when will you stop posting about bruteforce / full path
> disclosure / locking actual users out / and other low-priority
> "vulnerabilities" that exist in most web apps, and completely move on to
> vulnerabilities that matter? Seriously, anyone can find these
> "vulnerabilities", and the reason why nobody has reported / disclosed /
> complained about them is because they exist in most apps and don't
> compromise the security of the end user nor the website.
>
> Will the next thing you disclose be about bruteforcing SSH because it by
> default doesn't lock users out? It's been like this for +10 or +20 years.
>
> What I find funny is that you either:
> A) Say a web app has a vulnerability because it doesn't lock the
> "offending" user out because of too many password tries, OR
> B) Say a web app has a vulnerability because it does lock out the
> offending user because of too many password tries.
>
> It's almost a contradiction and an endless evil circle. You can't have
> both, ever.
>
> No offense intended, of course.
>
> Best regards,
> MaXe
>
> On Sun, 25 Mar 2012 23:45:33 +0300, "MustLive" <[email protected]> wrote:
> > Hello list!
> >
> > There are many vulnerabilities in WordPress which have existed since version 2.0,
> > or even since 1.x versions, and are still not fixed. So I want to warn you about
> > one of such holes. It's a Brute Force vulnerability via the XML-RPC functionality
> > in WordPress.
> >
> > -------------------------
> > Affected products:
> > -------------------------
> >
> > Vulnerable are WordPress 3.3.1 and previous versions.
> >
> > ----------
> > Details:
> > ----------
> >
> > Brute Force (WASC-11):
> >
> > http://site/xmlrpc.php
> >
> > In this functionality there is no protection against Brute Force attack. By
> > sending the corresponding POST requests it's possible to pick up the password.
> >
> > Note that since WordPress 2.6 the XML-RPC functionality is turned off by
> > default. WP developers did it due to vulnerabilities (such as SQL Injection
> > and others) which were found in this functionality, i.e. not motivating it
> > as a counteraction to Brute Force, but it worked also as protection against
> > Brute Force attack.
> >
> > So this issue doesn't concern those who use WordPress since version 2.6
> > with default settings. But those who need to use XML-RPC will have the
> > Brute Force vulnerability, because the developers didn't make reliable
> > protection against it.
> >
> > Earlier, in 2008 and 2010, I've already written about Brute Force
> > vulnerabilities in WordPress (http://websecurity.com.ua/2007/ and
> > http://websecurity.com.ua/4016/, SecurityVulns ID: 10677) and it's another
> > such vulnerability. Besides them there is also a known BF attack not via the
> > login form, but using the authorization cookie (when by setting different
> > cookies it's possible to pick up the password).
> >
> > ------------
> > Timeline:
> > ------------
> >
> > 2012.03.20 - disclosed at my site.
> >
> > I mentioned this vulnerability at my site
> > (http://websecurity.com.ua/5723/).
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
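The thread circles around MaXe's point that a login endpoint is called vulnerable both when it never locks out and when it does, and MustLive's point that xmlrpc.php accepts unlimited POSTed login attempts. The usual middle ground is a throttle rather than a lockout: failed attempts per (client address, username) earn an exponentially growing, capped delay that decays after a quiet period, so guessing becomes slow while a legitimate user with a mistyped password is never permanently locked out. The code below is an added illustration of that design, not WordPress code and not from anyone in the thread; the endpoint, the addresses, the username and the guess list are constructed for the example, and the clock is injectable so the behaviour can be checked without real sleeping.

```python
"""Failed-login throttle (added example; the endpoint and sample data are constructed)."""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    failures: int = 0
    blocked_until: float = 0.0
    last_failure: float = 0.0


class LoginThrottle:
    """Slow down repeated failures for one (client, username) pair without a hard lockout."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=300.0,
                 reset_after=900.0, clock=time.monotonic):
        self.free_attempts = free_attempts   # failures tolerated before any delay
        self.base_delay = base_delay         # seconds of delay at the first throttled failure
        self.max_delay = max_delay           # cap, so a flood can never lock a user out for long
        self.reset_after = reset_after       # quiet period after which old failures are forgotten
        self.clock = clock
        self._buckets = {}

    def _bucket(self, key):
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket()
        elif b.failures and now - b.last_failure > self.reset_after:
            b.failures, b.blocked_until = 0, 0.0   # quiet long enough: start fresh
        return b

    def retry_after(self, client, username):
        """Seconds the caller must still wait before an attempt is processed; 0.0 means go."""
        b = self._bucket((client, username))
        return max(0.0, b.blocked_until - self.clock())

    def record_failure(self, client, username):
        """Count a failed attempt and return the delay it earned (0.0 while still 'free')."""
        b = self._bucket((client, username))
        now = self.clock()
        b.failures += 1
        b.last_failure = now
        over = b.failures - self.free_attempts
        if over < 0:
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2 ** over)   # 2s, 4s, 8s, ... capped
        b.blocked_until = now + delay
        return delay

    def record_success(self, client, username):
        """A correct password clears the pair's history."""
        self._buckets.pop((client, username), None)


class FakeClock:
    """Deterministic clock so the throttle can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(guesses, password, client="203.0.113.7", username="admin"):
    """Replay a guess list against the throttle.

    Returns (wait before each attempt, whether the password was eventually found).
    The client is modelled as honouring each wait, which is the cost the throttle imposes.
    """
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    waits = []
    for guess in guesses:
        wait = throttle.retry_after(client, username)
        clock.advance(wait)
        waits.append(wait)
        if guess == password:
            throttle.record_success(client, username)
            return waits, True
        throttle.record_failure(client, username)
    return waits, False


if __name__ == "__main__":
    # Constructed guess list: six wrong guesses, then the right one.
    waits, found = simulate(["123456", "password", "qwerty", "letmein",
                             "welcome", "admin123", "secret"], "secret")
    print(f"found={found} waits={waits} total_wait={sum(waits):.0f}s")
```

Keying on the (client, username) pair means a single source is slowed sharply, while a legitimate user who mistypes twice and then gets it right never waits at all. A distributed attacker rotating proxies, as MaXe describes, spreads failures across many buckets; a second throttle keyed on the username alone (with a larger free budget and the same cap) closes that gap at the price of letting an attacker impose the capped delay on that account, which is exactly the trade-off the thread is arguing about, bounded to a few minutes instead of a lockout.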
