Hi Alex, I think you may have misread my post. I said I am pretty sure the username changing is a feature of the core installation. I don't run any WordPress plugins unless thoroughly security audited, and most of the time I am just looking for a quick blog so I can publish something I want to say, so I just tend to run the core site and live with its limitations.
On 8 July 2013 10:08, Alex <[email protected]> wrote:

> I am no HTML/JS expert, but WP is open source, so why not just post a
> patch instead of building plugins and/or scripts to abuse it..
>
> https://wordpress.org/download/source/
>
> On 2013-07-05 15:30, Dan Ballance wrote:
>
> I don't *now* know if they see it as a security feature, but when you do
> the install you are asked to give the admin account a username. I always
> thought this was a nice additional security feature to make brute-forcing
> the site more challenging. It seems I was wrong!
>
> This is definitely in core BTW. I am slightly embarrassed to be admitting
> on full disclosure that I run WordPress for a couple of quick personal
> blogs (lol) - but I don't run any extensions and always keep up-to-date
> with the latest release. The real trouble lies in the 3rd party extensions
> (as with most applications).
>
> On 5 July 2013 13:34, adam <[email protected]> wrote:
>
>> That's a very valid point, Dan. I don't use WP personally, but the
>> feature you're talking about, is that a core feature? Or is it offered by
>> some [potentially 3rd party] addon? If it's core, and this is really how
>> they're responding, that's mind boggling.
>>
>> Why wouldn't they simply offer it as a feature in future versions, even
>> if they left it disabled? It's clearly doing harm by not being an option,
>> and would do what exactly for it to be an option? Waste 3 minutes of a
>> developer's time?
>>
>> On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <[email protected]> wrote:
>>
>>> It seems crazy to me that WordPress is sensible enough to allow you to
>>> change the default admin username to something other than "admin" - but
>>> then so simply exposes that information to anyone that fancies scanning. I
>>> ran wpscan last night across a couple of my installs and sure enough - my
>>> renamed admin accounts show straight up. What a waste of time! :-/
>>>
>>> On 5 July 2013 10:16, Maksymilian <[email protected]> wrote:
>>>
>>>>> The corresponding trac entry for wordpress is closed as
>>>>> "wontfix":
>>>>> https://core.trac.wordpress.org/ticket/1129
>>>>>
>>>>> Why?
>>>>
>>>> Some people consider this as a security vulnerability but not
>>>> everybody, e.g. Drupal:
>>>>
>>>> https://drupal.org/node/1004778
>>>>
>>>> In Drupal, it is the same problem. Using ctools, you can get username
>>>> finding
>>>>
>>>> (by [Username])
>>>>
>>>> https://drupal.org/?q=ctools/autocomplete/node/1
>>>>
>>>> (by Amazon)
>>>>
>>>> PoC:
>>>> ?q=ctools/autocomplete/node/[ID]
>>>>
>>>> In my opinion, this should be fixed. This idea may be very helpful to
>>>> create a botnet based on brute-forcing CMSs.
>>>>
>>>> Maksymilian Arciemowicz
>>>> http://cxsecurity.com/
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
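The thread's practical takeaway for a site owner is that renaming the admin account does not hide it, so the useful defensive step is to notice enumeration when it happens. The following is an added example, not code from the thread or from WordPress, Drupal or wpscan: a small access-log detector that flags clients probing many distinct user/node ids via the WordPress author-archive query (`/?author=N`, which a stock install redirects to `/author/<nicename>/`) or the Drupal ctools autocomplete path quoted by Maksymilian. The log lines are constructed, and the threshold of three distinct ids is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format); the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2013:10:16:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [05/Jul/2013:10:16:01 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [05/Jul/2013:10:16:02 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.7 - - [05/Jul/2013:10:16:02 +0000] "GET /?author=4 HTTP/1.1" 404 0
203.0.113.7 - - [05/Jul/2013:10:16:03 +0000] "GET /?author=5 HTTP/1.1" 404 0
198.51.100.9 - - [05/Jul/2013:10:20:11 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.9 - - [05/Jul/2013:10:21:40 +0000] "GET /2013/07/hello-world/ HTTP/1.1" 200 5120
192.0.2.44 - - [05/Jul/2013:11:02:05 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 64
192.0.2.44 - - [05/Jul/2013:11:02:05 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 58
192.0.2.44 - - [05/Jul/2013:11:02:06 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 61
192.0.2.44 - - [05/Jul/2013:11:02:06 +0000] "GET /?q=ctools/autocomplete/node/4 HTTP/1.1" 200 59
"""

# Common log format: client ip, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Requests that map a numeric id to a username: WordPress author archives and the
# Drupal ctools autocomplete path mentioned in the thread.
PROBE_RE = re.compile(
    r'(?:[?&]author=(?P<wp_id>\d+)|ctools/autocomplete/node/(?P<drupal_id>\d+))'
)


def find_enumeration(log_text, threshold=3):
    """Return {(ip, platform): sorted ids} for clients probing >= threshold distinct ids.

    A single /?author=1 hit is normal (themes link to author archives), so only
    clients walking through several ids are reported.
    """
    probes = defaultdict(set)  # (ip, platform) -> distinct ids requested
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        p = PROBE_RE.search(m.group("path"))
        if not p:
            continue
        platform = "wordpress" if p.group("wp_id") else "drupal"
        probes[(m.group("ip"), platform)].add(int(p.group("wp_id") or p.group("drupal_id")))
    return {key: sorted(ids) for key, ids in probes.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for (ip, platform), ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip} enumerated {len(ids)} {platform} ids: {ids}")
```

On a real server the same check would be fed from the access log and paired with rate limiting or a rewrite rule that refuses `author=` queries, which is a cheaper fix than waiting on the wontfix ticket.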
