It seems crazy to me that WordPress is sensible enough to allow you to change the default admin username to something other than "admin", but then so simply exposes that information to anyone that fancies scanning. I ran wpscan last night across a couple of my installs and sure enough, my renamed admin accounts show straight up. What a waste of time! :-/
On 5 July 2013 10:16, Maksymilian <[email protected]> wrote:
>
>> The corresponding trac entry for wordpress is closed as
>> "wontfix":
>> https://core.trac.wordpress.org/ticket/1129
>>
>> Why?
>>
>
> Some people consider this a security vulnerability, but not everybody,
> e.g. Drupal.
>
> https://drupal.org/node/1004778
>
> In Drupal, it is the same problem. Using ctools, you can get username finding
>
> (by [Username])
>
> https://drupal.org/?q=ctools/autocomplete/node/1
>
> (by Amazon)
>
> PoC:
> ?q=ctools/autocomplete/node/[ID]
>
> In my opinion, this should be fixed. This idea may be very helpful to
> create a botnet based on brute-forcing CMS.
>
>
> Maksymilian Arciemowicz
> http://cxsecurity.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
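The thread above complains that CMS installs hand out valid user names one numeric ID at a time, which is exactly what wpscan-style tools exploit before a password-guessing run. The fix is upstream, but a site operator can at least see the sweep happening. The following detector is an added example written for this page, not code from the thread or from either project: it parses Apache combined-format access log lines and flags a client that probes many distinct user IDs within a short window. It watches two request shapes: the Drupal ctools autocomplete path quoted in the thread, and WordPress author archives (`?author=N`, which redirect to `/author/<login>/`), a long-known WordPress behaviour that the thread refers to only indirectly through wpscan. The log lines, client addresses (RFC 5737 documentation ranges), thresholds and pattern names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx combined-format access log line: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Request shapes that disclose a user name per numeric ID.
# Pattern names are labels chosen for this example, not identifiers from any tool.
PROBE_PATTERNS = [
    ("wordpress-author-id", re.compile(r'[?&]author=(\d+)')),          # WordPress author archive
    ("drupal-ctools-autocomplete", re.compile(r'ctools/autocomplete/node/(\d+)')),  # path quoted in the thread
]

# Constructed sample log (not from the original post): one client sweeps author IDs 1..6,
# one visitor follows a single author link, one client touches three Drupal IDs, one line is junk.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2013:10:20:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:20:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:20:03 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2013:10:20:03 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2013:10:20:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:20:04 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:20:05 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:20:06 +0000] "GET /?author=6 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Jul/2013:10:21:00 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Jul/2013:10:21:01 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Jul/2013:10:21:02 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
this line is not a log record
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def classify_probe(path):
    """Return (pattern_name, numeric_id) if the path is a user-ID probe, else None."""
    for name, rx in PROBE_PATTERNS:
        m = rx.search(path)
        if m:
            return name, int(m.group(1))
    return None


def detect_enumeration(lines, min_distinct_ids=5, window_seconds=300):
    """Alert on clients that request >= min_distinct_ids distinct user IDs within window_seconds.

    A 404 for a non-existent ID still counts: the point is the sweep, not whether each ID resolved.
    """
    events = defaultdict(list)  # (client ip, pattern name) -> [(timestamp, user id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        probe = classify_probe(rec["path"])
        if probe is None:
            continue
        name, uid = probe
        events[(rec["ip"], name)].append((rec["ts"], uid))

    alerts = []
    for (ip, name), hits in events.items():
        hits.sort()
        best = None  # (distinct ids, window start, window end) for the densest window seen
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = {uid for _, uid in hits[start:end + 1]}
            if best is None or len(ids) > best[0]:
                best = (len(ids), hits[start][0], hits[end][0])
        if best[0] >= min_distinct_ids:
            alerts.append({"ip": ip, "probe": name, "distinct_ids": best[0],
                           "first": best[1], "last": best[2]})
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['distinct_ids']} distinct IDs via {a['probe']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run against the constructed sample, only 203.0.113.7 is reported (six distinct author IDs in a few seconds); the single author link followed by 198.51.100.9 and the three Drupal IDs from 192.0.2.5 stay under the threshold. The threshold and window are deliberately per-pattern-agnostic: tune them to the site's normal traffic, and treat an alert as a cue to rate-limit or block the client before the follow-on password guessing the thread warns about.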
