WordPress.org

Forums

Stop User Enumeration
[resolved] Bypass protection with POST requests (10 posts)

  1. urbanadventurer
    Member
    Posted 1 year ago #

    An attacker can bypass the username enumeration protection by using POST requests. The protection currently only stops GET requests to enumerate users.

    By sending POST requests with the body of "author=1" and incrementing the number for successive requests, the entire set of WordPress users can be enumerated.

    The WordPress user information is disclosed in the HTML response body, unlike being disclosed in the redirect header, as with GET requests.

    POST / HTTP/1.1
    Host: www.wordpress.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 8
    
    author=1

    http://wordpress.org/plugins/stop-user-enumeration/

  2. Badlywired
    Member
    Plugin Author

    Posted 1 year ago #

    Any ideas on trapping this then?

  3. Badlywired
    Member
    Plugin Author

    Posted 1 year ago #

    Just thinking about this, what about restricting all POSTs not from the local server? Is there ever a genuine reason that a WordPress site would expect a POST from a third-party server?

  4. Ov3rfly
    Member
    Posted 1 year ago #

    Would not intercept all POSTs in general, only 'author' POSTs, something like isset( $_POST['author'] ) or similar.

    Edit: Unnecessary code-example removed...

    PS. Are post vars case-sensitive? Would 'autHor=x' work with WordPress if it gets through?

  5. Badlywired
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks, some good ideas, I will get testing.

  6. Malivuk
    Member
    Posted 1 year ago #

    Confirmed, just change this :

    if (preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING'])===1) ll_kill_enumeration();

    By this :

    // isset() avoids an undefined-index notice when no 'author' field was posted
    if (preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING'])===1 || isset($_POST['author'])) ll_kill_enumeration();

  7. Badlywired
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks. This is now in latest release.

  8. Badlywired
    Member
    Plugin Author

    Posted 1 year ago #

    Released

  9. Malivuk
    Member
    Posted 12 months ago #

    Hello, just a small feedback on that issue.

    Here is my code :

    if(!is_admin()) {
      // GET form: an author id in the query string
      if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
        ll_kill_enumeration();
    
      // POST form: block an 'author' POST field, except for comment submissions
      // (wp-comments-post.php), which legitimately post the commenter's name as 'author'
      if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 && isset($_POST['author']))
        ll_kill_enumeration();
    
      add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
    }

    As you can see, I do the $_POST check on first match. Plus, I had to check the requested URI to avoid blocking the post comment process since it uses the same POST variable.

    The problem will be the same for each plugin / process that uses the author post variable.

    I don't know what you think about that, maybe not the best solution... but at least it bypasses https://github.com/wpscanteam/wpscan/blob/master/stop_user_enumeration_bypass.rb#L51

    Thanks :)

  10. Badlywired
    Member
    Plugin Author

    Posted 11 months ago #

    I wish I had read your post before making release 1.2.7!

    1.2.8 coming out in a minute
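A worked version of the combined check the thread arrives at (posts 1, 6 and 9), added here as an example rather than taken from the plugin: a pure function over $_SERVER/$_POST-like arrays, run against constructed requests. It goes slightly beyond the posted code by anchoring the query-string match to the parameter name and by comparing only the request path against wp-comments-post.php; sue_should_block and the sample requests are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. $server/$post stand in for $_SERVER/$_POST.
function sue_should_block(array $server, array $post): bool
{
    // GET variant: 'author=N' in the query string. The match is anchored to the
    // parameter name so that e.g. 'coauthor=5' is not a false positive.
    $query = $server['QUERY_STRING'] ?? '';
    if (preg_match('/(^|&)author=[0-9]+/', $query) === 1) {
        return true;
    }
    // POST variant (the bypass reported in post 1). PHP array keys are
    // case-sensitive, so a field named 'autHor' never lands in $post['author'].
    // The comment form also posts a field named 'author' (the commenter's name),
    // so submissions whose path is wp-comments-post.php are left alone; only the
    // path is compared, not the full REQUEST_URI with its query string.
    $path = (string) parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (isset($post['author']) && basename($path) !== 'wp-comments-post.php') {
        return true;
    }
    return false;
}

// Constructed requests mirroring the thread; the last element is the expected verdict.
$cases = [
    'GET /?author=1'     => [['QUERY_STRING' => 'author=1',   'REQUEST_URI' => '/?author=1'], [], true],
    'GET /?coauthor=5'   => [['QUERY_STRING' => 'coauthor=5', 'REQUEST_URI' => '/?coauthor=5'], [], false],
    'POST / author=2'    => [['QUERY_STRING' => '', 'REQUEST_URI' => '/'], ['author' => '2'], true],
    'POST / autHor=2'    => [['QUERY_STRING' => '', 'REQUEST_URI' => '/'], ['autHor' => '2'], false],
    'POST comment form'  => [['QUERY_STRING' => '', 'REQUEST_URI' => '/wp-comments-post.php'],
                             ['author' => 'Jane', 'comment' => 'Nice post'], false],
];
foreach ($cases as $label => [$server, $post, $expected]) {
    $verdict = sue_should_block($server, $post);
    assert($verdict === $expected, "unexpected verdict for $label");
    printf("%-20s %s\n", $label, $verdict ? 'blocked' : 'allowed');
}
```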

Topic Closed

This topic has been closed to new replies.
