Opened 10 years ago
Closed 10 years ago
#2827 closed defect (bug) (fixed)
User enumeration
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.5.8 | Priority: | normal |
Severity: | minor | Version: | 2.0 |
Component: | Component - Users | Keywords: | |
Cc: | | | |
Description
User enumeration.
It would be nice to include an option to prevent user enumeration.
This is a feature that is required on systems that are doing security hardening.
Currently non-logged-in users can enumerate all users by incrementing the number in the URL /wordpress/?bbp_user=2 and via /wp-admin/admin-ajax.php?action=bbp_suggest_user
Change History (5)
#1 (10 years ago)
- Component changed from General to Component - Users
- Milestone changed from Awaiting Review to 2.6
- Owner set to johnjamesjacoby
- Type changed from enhancement to defect
- Version changed from trunk to 2.0
#5 (10 years ago)
- Resolution set to fixed
- Status changed from new to closed
With changes made in #2828, enumeration is no longer possible on installations with pretty permalinks enabled. For unpretty installations, enumeration is possible similar to querying for author=1, which is currently considered acceptable, though may change in future versions.
Thanks for the ticket. I agree that user enumeration is not ideal, though given how WordPress assigns user IDs numerically this may be difficult to avoid.
I have a few thoughts:
- The bbp_user method is not unlike the ?author=1 method employed by WordPress itself. I'm not saying bbPress needs to make the same decision, only that the upstream decision has always been that this is not by itself a vulnerability.
- The bbp_suggest_user method, as the user must also have the moderate capability for the request to return results. That said, it's silly to hook into the nopriv ajax action, so those hooks are worth removing.
- For developers wishing to remove the ability to enumerate through forum profiles, the bbp_parse_query() function would need to be unhooked and replaced with something that does not check for numeric user IDs.
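The two hardening steps the comment above points at, written up as an added example of a small must-use plugin; this is not bbPress code and was not posted by anyone on the ticket. It removes whatever is hooked to the unauthenticated (nopriv) admin-ajax action for bbp_suggest_user, and it drops a numeric bbp_user query var before the main query is built, so profiles can only be reached by nicename. The function name bbp_harden_strip_numeric_user, the use of the standard WordPress "request" filter and "init" action, and the hook priorities are assumptions made for this example; the ticket does not confirm that bbp_user is visible to the "request" filter on every bbPress version.

```php
<?php
/*
 * Plugin Name: bbPress user-enumeration hardening (added example)
 *
 * Added example for ticket #2827, not bbPress's own code.
 *  1. Removes every callback hooked to "wp_ajax_nopriv_bbp_suggest_user", so an
 *     anonymous request to /wp-admin/admin-ajax.php?action=bbp_suggest_user
 *     runs nothing (WordPress dispatches unauthenticated admin-ajax requests
 *     to the "wp_ajax_nopriv_{action}" hook).
 *  2. Drops a purely numeric bbp_user query var, so /?bbp_user=2 no longer
 *     resolves a profile by user ID, while /?bbp_user=somenicename still works.
 *
 * Assumptions (not confirmed by the ticket): bbp_user arrives in the main
 * query's vars under the key "bbp_user" and is visible to the "request"
 * filter; the priority 999 on "init" is an arbitrary late value chosen so that
 * bbPress has already registered its hooks.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct access to the plugin file is not allowed.
}

/**
 * Return the parsed query vars with a numeric bbp_user removed.
 *
 * Kept as a pure function (hypothetical name) so the decision can be
 * unit-tested without bootstrapping WordPress:
 *   ['bbp_user' => '2']     -> []
 *   ['bbp_user' => 'alice'] -> ['bbp_user' => 'alice']
 */
function bbp_harden_strip_numeric_user( array $query_vars ) {
    if ( isset( $query_vars['bbp_user'] )
        && ctype_digit( (string) $query_vars['bbp_user'] ) ) {
        unset( $query_vars['bbp_user'] );
    }
    return $query_vars;
}

// Step 1: no unauthenticated handler for the user-suggest ajax action.
add_action( 'init', function () {
    remove_all_actions( 'wp_ajax_nopriv_bbp_suggest_user' );
}, 999 );

// Step 2: strip numeric profile lookups before WP_Query (and bbp_parse_query) sees them.
add_filter( 'request', 'bbp_harden_strip_numeric_user' );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins and cannot be deactivated from the admin. Step 1 is a no-op on a bbPress build that has already removed its nopriv hook, and with no callback registered admin-ajax.php simply ends the request; step 2 leaves logged-in moderators' suggest feature untouched, because only the nopriv hook is cleared.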