Re: [Full-disclosure] Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure

2011-05-26 Thread Zerial.
Hi Veronica,

Also, you can "enumerate" WordPress users using wp-login.php. When you enter a non-existent user, WordPress returns "Invalid username", and when you enter a valid user with any random/dummy password, WordPress returns "Invalid Password"

[Full-disclosure] Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure

2011-05-26 Thread Veronica
---
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
---

I. Advisory information

Title: WordPress User IDs and User Names Disclosure