Bypass protection with POST requests

Any ideas on trapping this then?

Just thinking about this, what about restricting all POSTS not from the local server? Is there ever a genuine reason that a WordPress site woudl expect a POST from a third party server?

Would not intercept all POSTs in general, only ‘author’ POSTs, something like isset( $_POST['author'] ) or similar.

Edit: Unnecessary code-example removed…

PS. Are post vars case-sensitive? Would ‘autHor=x’ work with WordPress if it gets through?

Thanks, some good ideas, I will get testing.

Confirmed, just change this :

if (preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING'])===1) ll_kill_enumeration();

By this :

if (preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING'])===1 || ($_POST['author'])) ll_kill_enumeration();

Thanks. This is now in latest release.

Released

Hello, just a small feedback on that issue.

Here is my code :

if(!is_admin()) {
  if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
    ll_kill_enumeration();

  // If isn't admin, requested URI isn't wp-comments-post and $_POST['author']
  if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 && isset($_POST['author']))
    ll_kill_enumeration();

  add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
}
add_filter('redirect_canonical','ll_detect_enumeration', 10,2);

As you can see, I do the $_POST check on first match. Plus, I had to check the requested URI to avoid blocking post comment process since it uses the same POST variable..

The problem will be the same for each plugin / process that uses the author post variable.

I don’t know what you think about that, maybe not the best solution… but at least it bypasses https://github.com/wpscanteam/wpscan/blob/master/stop_user_enumeration_bypass.rb#L51

Thanks ??

i wish i read your post before making release 1.2.7 !

1.2.8 coming out in a minute