Stop User Enumeration
[resolved] Adding a slash to url bypasses protection (7 posts)

  1. Ov3rfly
    Member
    Posted 4 months ago #

    This is detected:

    http://www.example.com/?author=2

    This is not detected:

    http://www.example.com/?author=2/

    With the slash, an "Author Archives: ..." not-found page is shown; the author login can still be extracted from the HTML of the page:

    <body class="archive author author-myusername author-2">

    Sidenote: It seems that ?author=1 is not detected at all, even without the slash, and the admin username can be extracted from the HTML like above.

    http://www.example.com/?author=1

    Edit: As a replacement for the whole plugin you could use something like this in your .htaccess file:

    RewriteCond %{REQUEST_URI} ^/$
    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule ^(.*)$ $1?author=99999 [L]

    It will internally redirect all author=XX requests to user 99999, which should not exist, so the blog's 404 page is always returned.

    http://wordpress.org/plugins/stop-user-enumeration/

  2. llocally
    Member
    Plugin Author

    Posted 4 months ago #

    Thank you for pointing out that a trailing slash can bypass the check. This is because the check was only being applied when WordPress was redirecting; the . stops that.

    Nevertheless, I have fixed the plugin (v 1.2.2) so it now detects author when a redirect fails.

    By the way, that is the reason that author=1 fails on your system, as there will be no author=1 on yours (perhaps the original user 1 was admin and has now correctly been deleted), so this fix also deals with the missing author issue.

    The reveal of your 'author' in the html is theme specific as far as I can see, as it doesn't occur in the default TwentyThirteen. I would be interested to know what theme you are using.

    Your .htaccess solution is correct and good, and what I was using before I wrote this plugin. I wrote the plugin specifically to ban attempts from a WPSCAN and hence the logging to the syslog for Fail2Ban to pick up and ban the IP at firewall. The .htaccess will stop the username from being revealed, but won't stop WPSCAN continuing to try and enumerate plugins, version etc. and of course using up CPU/Memory in the process.

    By the way, it isn't safe to assume you only have 99,999 users if you run a big multi-site, but for the vast majority it will be fine.

  3. Ov3rfly
    Member
    Posted 4 months ago #

    To clarify, ?author=1 did not fail, the check for ?author=1 was bypassed with 1.2.1 even without trailing slash.

    The user with id=1 in the test system is renamed from admin to mynewadmin, which is then visible as author-mynewadmin in the HTML source in the above case. Could be a weird bug in WordPress then, which tries to find the default admin somewhere but does not succeed.

    The author name as user_nicename in the HTML should be visible with any theme which uses body_class(), also the default TwentyThirteen, see header.php.

    http://codex.wordpress.org/Function_Reference/body_class
    Author archive index pages: archive author author-user_nicename

    Edit: The Codex page actually has a bug, it should read:
    Author archive index pages: archive author author-user_nicename author-{ID}

    The logging and banning is of course the main reason for your plugin, and I also use it because of that. I had just added the .htaccess as a quick fix, and you are right, it would be better with an even higher user ID like 999999 or similar.

  4. llocally
    Member
    Plugin Author

    Posted 4 months ago #

    Thanks,

    When I retested 1.2.1 on twenty thirteen I get the full archive, and of course the body tag is set.

    Regarding author=1 getting bypassed, I can't replicate that using 1.2.1.

    Does that still happen with 1.2.2?

  5. Ov3rfly
    Member
    Posted 4 months ago #

    1.2.2 works as expected, the bypass is fixed and the author=1 issue is fixed.

    Thanks for the great plugin.

  6. Oscon
    Member
    Posted 4 months ago #

    Hello, I noticed that if you use http://www.domainname.ext//?author=2 (two slashes after the extension) it is still possible to read the username in the <title> tag (although the page says "forbidden"). Is it normal?

    thanks ;)

    [I am using the latest plugin version 1.2.3]

  7. llocally
    Member
    Plugin Author

    Posted 3 months ago #

    1.2.4 also resolves the double slash issue. Let me know if you think it doesn't.

    Thanks
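As an added example (not the Stop User Enumeration plugin's own code, and not posted by anyone in this thread), a small must-use plugin that applies the idea the thread converges on: inspect the raw query string on init, before WordPress decides whether to redirect or build the author archive, so the trailing-slash (?author=2/) and double-slash (//?author=2) variants above are all caught and logged to syslog for Fail2Ban. The function name, syslog tag and the choice to exempt wp-admin requests are assumptions of mine.

```php
<?php
/*
Plugin Name: Block author enumeration (example mu-plugin)
Description: Hypothetical example; drop into wp-content/mu-plugins/ to test.
*/

// Run early on the 'init' hook, before canonical redirects or the main query.
// The original plugin's bypass came from checking only inside the redirect path.
add_action( 'init', 'example_block_author_enumeration', 1 );

function example_block_author_enumeration() {
    // wp-admin legitimately uses ?author=N (e.g. filtering the posts list),
    // so only front-end requests are examined (assumption).
    if ( is_admin() ) {
        return;
    }

    // Use the raw query string rather than a parsed/intval'd 'author' value:
    // "author=2/" and "//?author=2" still start with "author=" here, and the
    // request path (single or double slash) is irrelevant to this check.
    $query = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    if ( ! preg_match( '/(^|&)author=/i', $query ) ) {
        return;
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // One syslog line per attempt, in a fixed shape a Fail2Ban filter can match
    // (tag and message format are this example's own choices).
    openlog( 'wordpress', LOG_PID, LOG_AUTH );
    syslog( LOG_WARNING, "user enumeration attempt from $ip query=$query" );
    closelog();

    // Stop before any template runs, so neither the <body> class nor the
    // <title> can leak the user_nicename.
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
```

A matching Fail2Ban filter would only need a failregex on "user enumeration attempt from <HOST>".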
