WordPress Stop User Enumeration 1.2.4 Bypass

2014-02-03T00:00:00
ID PACKETSTORM:125035
Type packetstorm
Reporter Andrew Horton (urbanadventurer)
Modified 2014-02-03T00:00:00

Description

Stop User Enumeration is a WordPress plugin that provides protection  
against an unauthenticated attacker gaining a list of all WordPress users.  
This information can aid an attacker in further attacks against the website,  
including brute-force password guessing attacks. User enumeration can be  
performed using wp-scan.  
Homepage: http://wordpress.org/plugins/stop-user-enumeration/  
Version: 1.2.4 (latest)  
  
According to the full disclosure methodology I have publicly disclosed  
this at the same time as notifying the vendor.  
  
Advisory  
-------------  
An attacker can bypass the username enumeration protection by using POST  
requests. The protection currently only stops GET requests to enumerate  
users.  
  
By sending POST requests with the body of "author=1" and incrementing the  
number over successive requests, the entire set of WordPress users can be  
enumerated.  
  
With POST requests the WordPress user information is disclosed in the HTML  
response body, rather than in the redirect header as it is with GET requests.  
  
1.  
  
POST / HTTP/1.1  
Host: www.wordpress.com  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 8  
  
author=1  
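The weakness described above is that the check looks only at the query string, so the same parameter in a POST body is never inspected. The following mu-plugin style snippet is an added example of a method-agnostic check; it is not the Stop User Enumeration plugin's code, and the plugin header, the function name `apg_author_probe_present` and the drop-in location are assumptions for illustration. It uses only standard WordPress APIs (`add_action`, `is_user_logged_in`, `wp_die`).

```php
<?php
/*
 * Plugin Name: Author Parameter Guard (added example, hypothetical)
 *
 * Illustrative drop-in for wp-content/mu-plugins/ that refuses the
 * author=N probe whether it arrives in the query string or the POST body.
 * This is not the Stop User Enumeration plugin's own code.
 */

// True if the client supplied an "author" parameter in either the query
// string or the POST body. Both sources are inspected explicitly instead of
// relying on $_REQUEST, which may also merge in cookie values.
function apg_author_probe_present() {
    foreach ([$_GET, $_POST] as $source) {
        if (!isset($source['author'])) {
            continue;
        }
        $value = $source['author'];
        // A numeric id (author=1) or an array form (author[]=1) both count as
        // a probe; a non-numeric value is left for WordPress to reject itself.
        if (is_array($value) || preg_match('/^\d+$/', (string) $value)) {
            return true;
        }
    }
    return false;
}

add_action('init', function () {
    // Authenticated users legitimately filter by author in the admin screens.
    if (is_user_logged_in()) {
        return;
    }
    if (apg_author_probe_present()) {
        // Stop here, before WordPress builds the author archive page or issues
        // the canonical redirect, so neither the body nor the redirect header
        // can reveal a login name.
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});
```

The point of checking `$_GET` and `$_POST` separately is that the bypass in this advisory depends only on which container the parameter lands in; a guard keyed to the request method, or to one container, leaves the other path open.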
  
Andrew Horton (urbanadventurer)  
www.morningstarsecurity.com  
  
Visit my meta-aggregator of security news at  
http://www.morningstarsecurity.com/news/  