{"id":1352,"date":"2011-05-26T00:57:53","date_gmt":"2011-05-26T03:57:53","guid":{"rendered":"http:\/\/www.talsoft.com.ar\/?page_id=1352"},"modified":"2012-03-17T12:36:28","modified_gmt":"2012-03-17T15:36:28","slug":"wordpress-user-id-and-user-name-disclosure","status":"publish","type":"page","link":"https:\/\/www.talsoft-security.com\/site\/research\/security-advisories\/wordpress-user-id-and-user-name-disclosure\/","title":{"rendered":"WordPress User ID and User Name Disclosure"},"content":{"rendered":"

I. Advisory information<\/h3>\n

Title: WordPress User IDs and User Names Disclosure
\nAdvisory Id: TALSOFT-2011-0526
\nAdvisory URL: http:\/\/www.talsoft.com.ar\/index.php\/research\/security-advisories\/wordpress-user-id-and-user-name-disclosure<\/a>
\nDate published: 2011-05-26
\nVendors contacted: WordPress
\nAuthor: Ver\u00f3nica Valeros<\/p>\n

II. Vulnerability information<\/h3>\n

Class: Insecure Direct Object References (CWE-715)
\nImpact: Low
\nRemotely Exploitable: Yes
\nLocally Exploitable: Yes<\/p>\n

III. Overview<\/h3>\n

WordPress platforms use a parameter called ‘author’. This parameter accepts integer values and represents the \u2018User ID\u2019 of users in the web site. For example: http:\/\/www.example.com\/?author=1
\nThe problems found are:<\/p>\n

    \n
  1. User ID values are generated consecutively.<\/li>\n
  2. When a valid User ID is found, WordPress redirects to a web page with the name of the author.<\/li>\n<\/ol>\n

    These problems trigger the following attack vectors:<\/p>\n

      \n
    1. The query response discloses whether the User ID is enabled.<\/li>\n
    2. The query response leaks (by redirection) the User Name corresponding with that User ID. (See update for version 3.1.3)<\/li>\n<\/ol>\n

      User IDs can be disabled, leaving holes within the consecutive numbers. Therefore, when an invalid User ID is sent, no redirection is done and no information is disclosed.<\/p>\n

      Also, the attack can be automated, sending multiple queries to extract valid User Names and User IDs from the vulnerable web sites.<\/p>\n

      Update:<\/em><\/p>\n

      In version 3.1.3 the redirection explained in the second attack vector is not done, but is still possible to find the User Name in the source code. Therefore, this version is still vulnerable.<\/p>\n

      IV. Affected versions<\/h3>\n

      This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other versions were not tested and may be vulnerable.<\/p>\n

      V. Non affected versions<\/h3>\n

      Unknown.<\/p>\n

      VI. Proof of concept<\/h3>\n

      A Proof of Concept (PoC) is available at: wp-userdata-disclosure-PoC.py.tar.gz<\/a><\/p>\n

      VII. Solution<\/h3>\n

      WordPress version 3.1.3 fixes the redirection problem, but user names are still been disclosed in the HTML code. No solution was provided for this last problem.<\/p>\n

      VIII. Disclosure timeline<\/h3>\n