I. Advisory information
Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26
Vendors contacted: WordPress
Author: Veronica Valeros
II. Vulnerability information
Class: Insecure Direct Object References (CWE-715)
Impact: Low
Remotely Exploitable: Yes
Locally Exploitable: Yes
III. Overview
WordPress sites accept a query parameter called ‘author’. This parameter
takes integer values and represents the ‘User ID’ of a user on the
web site. For example: http://www.example.com/?author=1
The problems found are:
These problems trigger the following attack vectors:
User IDs can be disabled, leaving gaps in the otherwise consecutive
numbering. When an invalid User ID is sent, no redirection is
performed and no information is disclosed.
Also, the attack can be automated, sending multiple queries to extract
valid User Names and User IDs from the vulnerable web sites.
Update:
In version 3.1.3 the redirection explained in the second attack vector
is no longer performed, but it is still possible to find the User Name
in the page source. Therefore, this version is still vulnerable.
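As an added defender-side example (not part of the original advisory or its PoC), the following Python script scans Apache-style access logs for clients that walk through many distinct ‘author’ IDs in a short window, which is the automated pattern described above. The log lines, the thresholds and the log field layout are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# The advisory's parameter: an integer author (User ID) in the query string.
AUTHOR_RE = re.compile(r'[?&]author=(\d+)(?:&|$)')

# Constructed sample lines (assumption, not captured traffic): one client walks author=1..5
# (301 = redirect to /author/<name>/, 404 = gap in the IDs); a second client views one author page.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2011:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.21"
203.0.113.7 - - [26/May/2011:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.21"
203.0.113.7 - - [26/May/2011:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.21"
203.0.113.7 - - [26/May/2011:10:00:03 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/7.21"
203.0.113.7 - - [26/May/2011:10:00:03 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "curl/7.21"
198.51.100.9 - - [26/May/2011:10:05:00 +0000] "GET /?author=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # Return (ip, timestamp, author_id, status) for a request carrying ?author=N, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    a = AUTHOR_RE.search(m.group("path"))
    if not a:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(a.group(1)), int(m.group("status"))

def find_enumeration(log_text, min_ids=4, window_seconds=60):
    """Map each client IP that requested at least `min_ids` distinct author IDs
    within `window_seconds` to the sorted list of IDs it probed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, author_id, _status = rec
            hits[ip].append((ts, author_id))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {aid for ts, aid in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged
```

Because the rule keys on the request pattern rather than on the 301 response, it also applies to 3.1.3, where the redirect is gone but the page still answers with a 200.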
IV. Affected versions
This issue was tested on versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other
versions were not tested and may be vulnerable.
V. Non affected versions
Unknown.
VI. Proof of concept
A Proof of Concept (PoC) is available at: wp-userdata-disclosure-PoC.py.targz
VII. Solution
WordPress version 3.1.3 fixes the redirection problem, but user names
are still being disclosed in the HTML code. No solution was provided
for this last problem.
VIII. Disclosure timeline
IX. Credits
This vulnerability was discovered and reported by Veronica Valeros
(veronicavaleros at talsoft.com.ar)
X. Disclaimer
The information provided in this document is for information purposes
only. Talsoft S.R.L. accepts no responsibility for any damage caused
by the use or misuse of this information. The content of this advisory
may be distributed freely, provided that no fee is charged for this
distribution and proper credit is given.
XI. About Talsoft S.R.L.
Talsoft S.R.L. is a growing company with the mission to provide
solutions in the following areas:
Penetration Tester at TalSoft S.R.L.
Email: [email protected]
www.talsoft.com.ar