HonestRepairAdmin
Forum Replies Created
Forum: Requests and Feedback
In reply to: Stop Allowing User Enumeration
I can respect not breaking existing apps. That seems like the only logical reason to me.
But if security is merely a “perception” then why is user enumeration disabled on www.remarpro.com? I just tried to enumerate its users but it failed. Probably because they’ve added similar code to what I added to my WordPress.
Strange. Why can’t I enumerate your users? I thought it was a simple, innocent, innocuous task that serves good purpose!
It doesn’t matter what the users or developers think this “feature” is good for. Hackers know this is a weakness and that’s how it’s used in the wild. It doesn’t matter if WordPress devs don’t think it’s important if hackers in the wild are using it. They don’t care if there’s a CVE or not. If they can dump a userlist with curl and bash that’s what they’re gonna do.
I will gracefully close this request and keep modifying my functions.php as I always have, but please know that I disagree with this being documented “functionality.”
There might be 5 times in a blog’s life when a user will use this feature the way it’s intended. By contrast it is guaranteed that a blog will be hit by some curl+bash script or Kali+WPScan thousands upon thousands of times by hundreds of bad actors. To me it’s not worth the risk.
- This reply was modified 6 years, 2 months ago by HonestRepairAdmin.
Forum: Requests and Feedback
In reply to: Stop Allowing User Enumeration
Thanks for engaging with me on this topic. I understand that usernames are made to be shared and email addresses are not generally secret (on an individual basis). However, I still think it’s wrong that anyone on the internet can get a clean .csv of users and user IDs for any WordPress website.
I’m also still looking for the WP team’s rationale on this. I see the fact that you don’t consider this a vuln but I don’t see why. Considering it takes under 10 lines of code to fix I feel that “we don’t think it’s necessary” is a bit of a cop-out.
Also, I would argue that just by displaying the username on a webpage we are violating the GDPR. Let’s assume I operate an adult entertainment website. Anyone who enumerates my userlist is going to get very personal information about my users (i.e. the fact that they’re using my website in the first place).
Obviously contributors are a bit different, as they would be aware that this information gets shared.
But what if Google gave you a .csv of all account holders’ usernames just because you poked around a bit. Don’t you think they would consider that a vulnerability?
Also, you’re literally giving away the tools a hacker needs to pull off a brute force attack. Strong passwords are great, but if you have a list of usernames in hand brute forcing becomes a joke anyway. There are hundreds of word lists out there. If we disable enumeration an attacker now has to not only guess a password, but a username too.
The work of writing 10 LOC to harden millions of websites seems trivial. I am just having a hard time understanding why WP wants to invite so much risk for literally no reward and zero development costs. Perhaps you could elaborate?
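Both posts above refer to "under 10 lines" in functions.php that close the enumeration paths. The snippet below is an added example by the editor, not the poster's own code and not anything from WordPress core or www.remarpro.com; it assumes it lives in a theme's functions.php or a must-use plugin, and that nothing on the site legitimately needs anonymous access to author archives, the users REST route, or author names in oEmbed and sitemap output. Every hook used is a documented WordPress core hook.

```php
<?php
/**
 * Added example (not the forum poster's functions.php): close the usual
 * WordPress user-enumeration paths for anonymous visitors.
 */

// 1. /?author=N redirects to /author/<login>/ and so leaks the login name for
//    every user ID. Hook at priority 1 so this runs before redirect_canonical()
//    (priority 10), which would otherwise emit the leaking Location header.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    // is_author() is true for both ?author=1 and the resolved /author/<name>/.
    if ( is_author() || get_query_var( 'author' ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// 2. /wp-json/wp/v2/users lists id, name and slug of every user to anyone.
//    Drop the routes unless the caller may already list users in wp-admin.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. wp-login.php tells an attacker whether a login name exists ("Unknown
//    username" versus "The password you entered for the username X is
//    incorrect"). Return one generic message for every failure.
add_filter( 'login_errors', function () {
    return 'Invalid login credentials.';
} );

// 4. oEmbed responses (/wp-json/oembed/1.0/embed?url=...) carry the author's
//    display name and author archive URL; strip both.
add_filter( 'oembed_response_data', function ( array $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// 5. Core sitemaps (WordPress 5.5+) publish /author/<name>/ URLs for every
//    user with published posts; remove the users provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, string $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

Items 4 and 5 go beyond the two paths the posts mention (the author query and the REST route); they are included because the same login names leak through them. After installing, check your own site the way the posts describe: `curl -sI 'https://example.com/?author=1'` should no longer return a Location header containing `/author/`, and `curl -s 'https://example.com/wp-json/wp/v2/users'` should return a `rest_no_route` error rather than a JSON array.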
Forum: Plugins
In reply to: [Newsletter - Send awesome emails from WordPress] Change Privacy Policy Text
Thank you!
Forum: Fixing WordPress
In reply to: Registration emails don’t send, all others do.
Thanks for the reply. I’ve got an update to my problem!
I believe that it was a plugin conflict. Perhaps an old SMTP plugin messed something up, or perhaps iThemes Security is blocking emails to throwaway email addresses. Whatever it is, I fixed it by swinging a broken bottle around.
I have also recently installed the “SB Welcome Email” plugin and all seems well. Tested and confirmed.
If anyone else has problems I’d suggest disabling plugins one-by-one and trying to register a test user. Also try legitimate email accounts as well as throwaway accounts (like spambog or discardmail).
Forum: Plugins
In reply to: [WP Gmail SMTP] Registration emails don’t send, all others do.
Update to my problem!
I believe that it was a plugin conflict. Perhaps an old SMTP plugin messed something up, or perhaps iThemes Security is blocking emails to throwaway email addresses. Whatever it is, I fixed it by swinging a broken bottle around.
I have also recently installed the “SB Welcome Email” plugin and all seems well. Tested and confirmed.
If anyone else has problems I’d suggest disabling plugins one-by-one and trying to register a test user. Also try legitimate email accounts as well as throwaway accounts (like spambog or discardmail).
Forum: Hacks
In reply to: I’d like to include a large amount of WP into my project…
Thanks for the input!
I’ll give an update on how I went about this.
First, I downloaded the latest WP repo and renamed wp_config_sample to wp_config. I also got rid of the upper-most level of the stock directory structure. I then zipped this semi-configured WP directory and uploaded it to my repo.
When a user installs HRCloud2, it checks for wp_load.php. If no wp_load exists the zip is extracted to the server’s root and the user is instructed how to configure WordPress.
- This reply was modified 8 years, 2 months ago by HonestRepairAdmin.
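The install step described above (look for wp-load.php, otherwise unpack a bundled WordPress zip into the web root) is where an archive entry such as `../../etc/cron.d/x` or an entry that overwrites one of the host project's own files would do damage. The function below is an added example by the editor, not HRCloud2's installer; the function name, the `[bool, message]` return shape and the web root path are assumptions. It uses PHP's bundled ZipArchive class only.

```php
<?php
/**
 * Added example (not HRCloud2's code): unpack a bundled WordPress zip into the
 * web root only when WordPress is absent, refusing entries that would escape
 * the destination or clobber files the host application already has.
 */
function install_wordpress_bundle( string $zip_path, string $web_root ): array {
    $root = realpath( $web_root );
    if ( $root === false || ! is_dir( $root ) || ! is_writable( $root ) ) {
        return [ false, "web root $web_root is not a writable directory" ];
    }
    // Same check the post describes: an existing wp-load.php means WordPress
    // is already installed, so do nothing.
    if ( file_exists( $root . '/wp-load.php' ) ) {
        return [ true, 'wp-load.php present, nothing to do' ];
    }

    $zip = new ZipArchive();
    if ( $zip->open( $zip_path ) !== true ) {
        return [ false, "cannot open $zip_path" ];
    }

    $entries = [];
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name  = $zip->getNameIndex( $i );
        $parts = explode( '/', str_replace( '\\', '/', $name ) );
        // Reject absolute paths, ".." components, NUL bytes and empty names;
        // any of these lets the archive write outside $root.
        if ( $name === '' || $name[0] === '/' || in_array( '..', $parts, true )
            || strpos( $name, "\0" ) !== false ) {
            $zip->close();
            return [ false, "refusing unsafe archive entry: $name" ];
        }
        // Never silently overwrite a file the host project shipped itself
        // (directory entries end in "/" and are fine to merge).
        if ( substr( $name, -1 ) !== '/' && file_exists( $root . '/' . $name ) ) {
            $zip->close();
            return [ false, "would overwrite existing file: $name" ];
        }
        $entries[] = $name;
    }

    // Extract only the vetted entry list, then the caller shows the user the
    // wp-config instructions the post mentions.
    $ok = $zip->extractTo( $root, $entries );
    $zip->close();
    return [ $ok, $ok ? count( $entries ) . ' entries extracted' : 'extraction failed' ];
}

// Example call (paths are placeholders):
// [ $ok, $msg ] = install_wordpress_bundle( __DIR__ . '/bundle/wordpress.zip', '/var/www/html' );
```

Validating the entry list before calling `extractTo` means the result does not depend on whether a given PHP build's zip extension sanitises traversal paths itself, and the overwrite check keeps a bundled WordPress from replacing a file of the same name that the host project already installed.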
Forum: Plugins
In reply to: [WP Cloud] Registered user can't access
Are you using the [cloud] shortcode to display the users’ files?
From the WordPress admin page go to Cloud > System and make sure there are no errors displayed at the top of the page. Specifically, we want to make sure that the WordPress usergroup has read/write access to the /cloud/ directory. I believe the default permission levels for that folder should be automatically set to 775 by the plugin upon creation, but assuming you’re using Linux and you have access to the server’s back-end, open up a terminal and type:
sudo chmod 775 /var/www/html/cloud
If you want to give users the ability to use the back-end of the Cloud (from the WordPress admin panel) you COULD use a plugin like User Role Editor to give subscribers the ability to manage_options…. HOWEVER, that is a very bad idea.
I think what you want to do is a button to break the cloud out into its own window…
<script type="text/javascript">
// Cloud Window Launch Code: opens the Cloud in a fixed-size popup window
function newPopup(url) {
    var popupWindow = window.open(
        url,
        'popUpWindow',
        'height=700,width=600,left=25,top=25,resizable=yes,scrollbars=yes,toolbar=no,menubar=no,location=no,directories=no,status=yes'
    );
    return popupWindow;
}
</script>
<a href="javascript:newPopup('https://www.yoursite.com/cloud/');">
    <div style="text-align: center">
        <img src="https://www.yoursite.com/wp-content/uploads/2015/03/your_chosen_logo.png" border="0" alt="Open the Cloud"/>
    </div>
</a>
Something like this will work, but not all browsers will comply with the ‘ toolbar=no ‘ portion, and it’s much less than convenient for mobile users (as it will open a new window). To solve this I would add a landing page between your login page and your Cloud that automatically redirects users based on screen size to different pages that you’ve pre-formatted for mobile and desktop environments.
Cheers! Hopefully I didn’t screw anything up or waste your time.
Forum: Plugins
In reply to: [WP Cloud] Enabling File types
Hello!
I also wanted to accomplish this. I have found several ways. I am away from my current server ATM, so I cannot reference my current deployment, but in the past a secure way to add extensions was to navigate to /plugins/cloud and modify setup_utilities.php. At the very bottom of the file there is an array containing supported extensions. As long as the file extension you add to the array is formatted the same as all the existing types, and as long as the extension you’re adding is a valid MIME file-type, WP_Cloud should transfer the file no problem. I have another method (which I will upload later, when I can access my deployment) that will automatically allow all extensions except PHP files, which will cause problems when the server tries to transfer the file to the user’s Cloud folder.
Please note, the default Apache deployment will limit the max file transfer size for a client using the cloud to 2MB. If you’re hosting yourself you need to modify your PHP configuration ( /apache2/php.ini ) to allow file transfers over 2MB. It would also be a good idea to increase all the connection timeouts to a value that won’t interfere with users uploading from slow connections.
In addition to these changes, it would be a good idea to deploy some type of virus scanning. Users will be able to upload whatever they want. You don’t want to be a haven for nefarious deeds online. A strong privacy policy, some backup system using Unison, and some ClamAV anti-virus would be a good companion for your Cloud server deployment.
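The post above covers two separate settings for a user-upload directory: which file types to accept, and how large a transfer PHP will actually allow. The code below is an added example by the editor; it is not WP Cloud's setup_utilities.php and the array and function names are assumptions. It shows the allowlist form of the extension check (listing what is accepted, rather than blocking PHP and accepting the rest), a content sniff so the bytes have to match the extension, and a helper that reports the upload cap PHP enforces after the php.ini changes the post describes.

```php
<?php
/**
 * Added example (not WP Cloud's code): accept uploads by extension allowlist
 * plus sniffed MIME type, and report the upload limit PHP really enforces.
 */

// Allowlist: extension => MIME types a content sniff may report for it.
// Anything absent is refused, so .php, .phtml, .phar and .htaccess never
// need to be enumerated in a denylist.
const CLOUD_ALLOWED_TYPES = [
    'jpg'  => [ 'image/jpeg' ],
    'jpeg' => [ 'image/jpeg' ],
    'png'  => [ 'image/png' ],
    'gif'  => [ 'image/gif' ],
    'pdf'  => [ 'application/pdf' ],
    'txt'  => [ 'text/plain' ],
    'zip'  => [ 'application/zip' ],
];

function cloud_upload_allowed( string $original_name, string $tmp_path ): array {
    // Only the last extension is consulted: "shell.php.jpg" is judged as
    // "jpg" and then has to pass the content sniff as a real JPEG.
    $ext = strtolower( pathinfo( $original_name, PATHINFO_EXTENSION ) );
    if ( $ext === '' || ! isset( CLOUD_ALLOWED_TYPES[ $ext ] ) ) {
        return [ false, "extension '$ext' is not on the allowlist" ];
    }
    // Sniff the bytes on disk; $_FILES[...]['type'] is set by the client.
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime  = $finfo->file( $tmp_path );
    if ( $mime === false || ! in_array( $mime, CLOUD_ALLOWED_TYPES[ $ext ], true ) ) {
        return [ false, "content looks like '$mime', not a .$ext file" ];
    }
    // Apache configured with AddHandler for .php executes "shell.php.jpg"
    // too, because every extension in the name is considered. Storing under
    // a generated name removes the uploader's control over the filename.
    $stored = bin2hex( random_bytes( 16 ) ) . '.' . $ext;
    return [ true, $stored ];
}

// The post's 2MB ceiling is PHP's default upload_max_filesize. Raising it
// alone is not enough: the whole POST body must also fit post_max_size, so
// the effective cap is the smaller of the two.
function ini_bytes( string $value ): int {
    $value = trim( $value );
    $num   = (int) $value;
    switch ( strtolower( substr( $value, -1 ) ) ) {
        case 'g': $num *= 1024; // fall through
        case 'm': $num *= 1024; // fall through
        case 'k': $num *= 1024;
    }
    return $num;
}

function effective_upload_limit(): array {
    $upload = ini_bytes( (string) ini_get( 'upload_max_filesize' ) );
    $post   = ini_bytes( (string) ini_get( 'post_max_size' ) );
    if ( $post === 0 ) {          // post_max_size = 0 means no limit
        $post = PHP_INT_MAX;
    }
    return [
        'upload_max_filesize' => $upload,
        'post_max_size'       => $post,
        'effective_bytes'     => min( $upload, $post ),
        'max_execution_time'  => (int) ini_get( 'max_execution_time' ),
        'max_input_time'      => (int) ini_get( 'max_input_time' ),
    ];
}

// Example calls (the temp path is whatever $_FILES['file']['tmp_name'] holds):
// [ $ok, $result ] = cloud_upload_allowed( $_FILES['file']['name'], $_FILES['file']['tmp_name'] );
// print_r( effective_upload_limit() );
```

When editing php.ini for larger transfers, raise `upload_max_filesize` and `post_max_size` together (the second at least as large as the first) and then `max_execution_time` and `max_input_time` for the slow-connection case the post mentions; `effective_upload_limit()` shows which of the two size settings is the binding one after a restart.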