On May 26th Veronica Valero of Talsoft S.R.L. posted a security advisory on the Full Disclosure mailing list outlining a username disclosure vulnerability via a Direct Object Reference.
This is a problem in itself, however, what was more interesting to me was Zerial’s reply to the advisory;
“Also you can “enumerate” wordpress users using the wp-login.php. When you enter a non-existent user
No comments:
Post a Comment