> > > The corresponding trac entry for wordpress is closed as > "wontfix": > https://core.trac.wordpress.org/ticket/1129 > > Why? > > some people consider this as a security vulnerability but not everybody. eg drupal
https://drupal.org/node/1004778 In Drupal, is the same problem. Using ctools, you can get username finding (by [Username]) https://drupal.org/?q=ctools/autocomplete/node/1 (by Amazon) PoC: ?q=ctools/autocomplete/node/[ID] In my opinion, this should be fixed. This idea, may be very helpful to create botnet based on brutal force CMS. Maksymilian Arciemowicz http://cxsecurity.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
