Hi Alex,
I think you may have misread my post. I said I am pretty sure the username
changing is a feature of the core installation. I don't run any WordPress
plugins unless thoroughly security audited and most of the time I am just
looking for a quick blog so I can publish something I want to say.
You can send patches, the core devs decide whether or not to accept them.
Sven's original email linked to a bug which had a patch that wasn't
accepted - https://core.trac.wordpress.org/ticket/1129
On Mon, Jul 8, 2013 at 11:08 AM, Alex wrote:
I am no HTML/JS expert, but WP is open source, so why not just post a
patch instead of building plugins and/or scripts to abuse it?
https://wordpress.org/download/source/
On 2013-07-05 15:30, Dan Ballance wrote:
> I don't *now* know if they see it as a security feature, but when you
"xxx" wrote:
> (self promotion not intended, highlighting other issues in WordPress)
>
> Check out WPScan for other such issues with WordPress that have existed
> for a long time but never patched. WordPress are aware of these issues but
> for whatever reason decided not to patch them.
>
> http
2013/7/5 adam
>
> Why wouldn't they simply offer it as a feature in future versions, even if
> they left it disabled? It's clearly doing harm by not being an option, and
> would do what exactly for it to be an option? Waste 3 minutes of a
> developer's time?
>
CWE-204 for WordPress and Drupal?
I don't *now* know if they see it as a security feature, but when you do
the install you are asked to give the admin account a username. I always
thought this was a nice additional security feature to make brute-forcing
the site more challenging. It seems I was wrong!
This is definitely in core BT
There have been many heated debates within the community about this
issue. Unfortunately, I think a different outcome is unlikely.
WordPress's position is (I think) that usernames aren't secret, and that
therefore, username enumeration is a non-problem. I think this is
extremely wrong, but it
That's a very valid point, Dan. I don't use WP personally, but the feature
you're talking about, is that a core feature? Or is it offered by some
[potentially 3rd party] addon? If it's core, and this is really how they're
responding, that's mind boggling.
Why wouldn't they simply offer it as a fea
It seems crazy to me that WordPress is sensible enough to allow you to
change the default admin username to something other than "admin" - but
then so simply exposes that information to anyone that fancies scanning. I
ran wpscan last night across a couple of my installs and sure enough - my
renamed
>
>
> The corresponding trac entry for wordpress is closed as
> "wontfix":
> https://core.trac.wordpress.org/ticket/1129
>
> Why?
>
>
Some people consider this a security vulnerability, but not everybody, e.g.
Drupal:
https://drupal.org/node/1004778
In Drupal, it is the same problem. Using ctools, yo
Can't you open a new bt about this issue?
Regards,
On 04/07/2013 10:16, "Sven Kieske" wrote:
> Hi,
>
> the mentioned User account Enumeration Weakness
> stated in Advisory https://secunia.com/advisories/23621/
> still exists in the actual version 3.5.2.
>
> The corresponding trac entry for w
(self promotion not intended, highlighting other issues in WordPress)
Check out WPScan for other such issues with WordPress that have existed for
a long time but never patched. WordPress are aware of these issues but for
whatever reason decided not to patch them.
http://wpscan.org/
On Thu, Jul
Hi,
the mentioned User account Enumeration Weakness
stated in Advisory https://secunia.com/advisories/23621/
still exists in the actual version 3.5.2.
The corresponding trac entry for wordpress is closed as
"wontfix":
https://core.trac.wordpress.org/ticket/1129
Why?
Maybe, because the trac bug