[wp-testers] Re: Bugs/Fixes, Security Requests

mrmist listswptesters at mist.org.uk
Thu Dec 4 15:07:32 GMT 2008


In message 
<d5d5430f0812021803s7a5d039cn3624668dff97db4e at mail.gmail.com>, g30rg3_x 
<g30rg3x at gmail.com> writes
>Third, you are considering the "script kiddie" / "spammer" scenarios,
>not the real ones which involves real crackers not just people taking
>exploits from milw0rm.com and spamming all over the web.

That's considered because it represents the majority of attacks in this 
day and age.


>There are some scenarios, which involves particular use of sensitive
>information (like the version of the product and username) but they
>are limited to a lot of variables and sometimes they play a minor role
>over the intrusion, so even that your 3 scenarios are right, there are
>scenarios were sensitive information are used are still there, just
>that they play such a little/minor role in the intrusion that are
>often underestimated
>

In other words, these are events which would require a lot of 
developmental effort to change, for little reward.


>Summarizing...
>i didn't say they play a "higher" role on your "harder" security
>infrastructure, they play a little/minor/nano role and also we are not
>only discussing enumeration of version (here) this type of
>vulnerabilities are actually enrolled with full path disclosure and
>username enumeration, there are tactics to avoid disclosing this
>information so really man, if you don't want to see it as security
>then don't see it as security see it as privacy... i don't want people
>to easily get this information just as you don't want spammers to get
>your email address (crappy comparison but reflects my point).
>

People will get your usernames anyway. Only is some unlikely sets of 
circumstances would some average user have a username that was really 
that far removed from publically displayed information.  I would guess 
that many users just use admin.

Those type of user login boxes that don't tell you where the problem is 
are an example of security above common sense.  I actually find it 
annoying some times when I try to log in to some random online thing and 
it says "user name or password error".  That's no help at all to ME, the 
user, the legitimate user of that web site who just happens to have more 
than one username and more than one password.  That sort of response 
does my nut in.  It's trying to be more "secure" , but what it actually 
does is make the thing more ANNOYING to use.  To top off the stupidity 
of it all, most of those same things will let you try user/password 
combos over and over again. No common sense has entered therein.



-- 
mrmist


More information about the wp-testers mailing list