sdundee
Forum: Plugins
In reply to: [Two Factor Authentication] Plugin allows username enumeration
Hi David,
From a security perspective I don’t think this is ideal, because it allows username enumeration, which means that you can confirm whether or not a username exists in the database: if you proceed to the 2FA page then the username exists; if it doesn’t, you’re presented with an error message. (The OWASP description is much better and more detailed than mine: https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002))
Unfortunately WordPress already allows this sort of enumeration by default, although there are ways to fix this using a few of the security plugins available.
That said, I do understand why a solution to this problem is difficult, especially after looking at the code and reading your explanation. I can’t think of any easy or obvious way to fix this; that doesn’t necessarily mean that this isn’t a valid bug, though (even if it might be categorised as low priority).
Thanks for your response.
Kind Regards
Sean
Forum: Plugins
In reply to: [Two Factor Authentication] Plugin allows username enumeration
Hi David,
Actually, I’ve investigated this some more – I ended up setting up a WordPress install with only your plugin installed.
With the plugin disabled, WordPress indeed sets the message you describe, but if you enable the plugin for a specific user, then try logging in as that user with an incorrect password, you are still forwarded to the page asking for the two factor token. Only after entering this are you informed that your password is incorrect.
It looks like the plugin is executing this code before the password is checked, rather than after it’s checked.
So it looks like this is indeed a bug.
Kind Regards
Sean
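The ordering problem described in the post above (a token prompt that appears before the password has been checked, so reaching it confirms the username) comes down to where on WordPress’s `authenticate` filter a plugin hooks in. The snippet below is an added illustration, not the Two Factor Authentication plugin’s code. It relies on one fact about core: `wp_authenticate_username_password()` is registered on `authenticate` at priority 20 (wp-includes/default-filters.php). Everything else is assumed for the example: the function names, the `example_2fa_enabled` / `example_2fa_code` user meta keys, the `example_2fa_token` POST field, and the placeholder code comparison standing in for a real TOTP check.

```php
<?php
// Added example (not the plugin's code). WordPress core verifies the password on the
// 'authenticate' filter at priority 20. A callback registered with a LOWER priority
// number runs before that check; one with a HIGHER number runs after it.

// Vulnerable ordering: priority 10. $user is still null here for every request, so the
// callback has to look the account up by name itself. Any existing account with 2FA
// enabled is sent to the token prompt whether or not the password was right, while an
// unknown username falls through to core's error: an enumeration oracle.
function example_2fa_too_early( $user, $username, $password ) {
    $account = get_user_by( 'login', $username );
    if ( $account && get_user_meta( $account->ID, 'example_2fa_enabled', true ) ) {
        return new WP_Error( 'example_2fa_required', 'Enter your two-factor token.' );
    }
    return $user;
}
// add_filter( 'authenticate', 'example_2fa_too_early', 10, 3 ); // do not do this

// Fixed ordering: priority 30, i.e. after core's password check. $user is now a WP_User
// only when username AND password were correct; otherwise it is the WP_Error core
// produced, which is returned untouched so 2FA never reveals anything core did not.
function example_2fa_after_password( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // wrong password or unknown user: pass core's result straight through
    }
    if ( ! get_user_meta( $user->ID, 'example_2fa_enabled', true ) ) {
        return $user; // account has no second factor configured
    }
    $token = isset( $_POST['example_2fa_token'] ) ? trim( wp_unslash( $_POST['example_2fa_token'] ) ) : '';
    if ( $token === '' || ! example_2fa_verify( $user, $token ) ) {
        // Only reachable with valid credentials, so this prompt is no longer an oracle.
        return new WP_Error( 'example_2fa_required', 'Enter your two-factor token.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_2fa_after_password', 30, 3 );

// Placeholder verifier for the example: constant-time comparison against a code stored in
// user meta. A real plugin would compute a TOTP/HOTP value here instead.
function example_2fa_verify( WP_User $user, $token ) {
    $expected = (string) get_user_meta( $user->ID, 'example_2fa_code', true );
    return $expected !== '' && hash_equals( $expected, (string) $token );
}
```

Note that this only closes the 2FA-specific oracle. Core’s own messages for an unknown username and for a wrong password still differ, which is the default enumeration the earlier reply mentions, and that has to be addressed separately.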
Forum: Plugins
In reply to: [Two Factor Authentication] Plugin allows username enumeration
Hi David,
Thanks for the quick response.
I think you’re right yes, I’m getting in a muddle myself with other code we’ve added to prevent enumeration in that respect.
In any case, I don’t think this is actually a relevant issue as it’s specific to code that we’ve written to modify the login functionality.
Thanks for your help!
Forum: Plugins
In reply to: [Relevanssi - A Better Search] Contributing to Relevanssi?
Great! I’ve just submitted a PR for the specific problem I identified:
https://github.com/msaari/relevanssi/pull/1
(please let me know if I’ve done anything wrong, this is my first PR on Github).
Thanks