Version Description
- Added protection against bypass using null bytes (thanks to vulnerability identification and solution by cvcrcky)
- Added protection against POST bypass (thanks to vulnerability identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk)
Release Info
- Developer: llocally
- Plugin: Stop User Enumeration
- Version: 1.2.5
Code changes from version 1.2.4 to 1.2.5
- readme.txt +12 -4
- stop-user-enumeration.php +2 -2
readme.txt
CHANGED
@@ -3,16 +3,18 @@ Contributors: llocally
|
|
3 |
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ZEWW5LKK5995J
|
4 |
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
5 |
Requires at least: 3.4
|
6 |
-
Tested up to: 3.9
|
7 |
-
Stable tag: 1.2.
|
8 |
License: GPLv2 or later
|
9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
10 |
|
11 |
User Enumeration is a method hackers and scanners use to get your username. This plugin stops it.
|
12 |
== Description ==
|
13 |
Even if you are careful and set your blogging nickname differently from your login id, if you are using permalinks it only takes a few seconds
|
14 |
-
to discover your real user name. This plugin stops user enumeration
|
15 |
-
|
|
|
|
|
16 |
== Installation ==
|
17 |
|
18 |
1. Upload `plugin-name.php` to the `/wp-content/plugins/` directory
|
@@ -41,6 +43,12 @@ Adjusted to your own requirements.
|
|
41 |
|
42 |
== Changelog ==
|
43 |
=
|
|
|
|
|
|
|
|
|
|
|
|
|
44 |
= 1.2.4 =
|
45 |
|
46 |
* Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title
|
3 |
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ZEWW5LKK5995J
|
4 |
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
5 |
Requires at least: 3.4
|
6 |
+
Tested up to: 3.9.1
|
7 |
+
Stable tag: 1.2.5
|
8 |
License: GPLv2 or later
|
9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
10 |
|
11 |
User Enumeration is a method hackers and scanners use to get your username. This plugin stops it.
|
12 |
== Description ==
|
13 |
Even if you are careful and set your blogging nickname differently from your login id, if you are using permalinks it only takes a few seconds
|
14 |
+
to discover your real user name. This plugin stops user enumeration by and produces a 'forbidden' page.
|
15 |
+
|
16 |
+
This pulgin goes a step further than can be achieved with .htaccess alone, as it writes the enumeration attempt
|
17 |
+
in your system log so you can use (optionally) fail2ban (or other log monitoring tools) to block the probing IP.
|
18 |
== Installation ==
|
19 |
|
20 |
1. Upload `plugin-name.php` to the `/wp-content/plugins/` directory
|
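Review bot: The new Description sentence on readme line 14, "This plugin stops user enumeration by and produces a 'forbidden' page.", has lost whatever followed "by"; either finish the clause (what the plugin matches on) or shorten it to "This plugin stops user enumeration and produces a 'forbidden' page." Line 16 also has "pulgin" for "plugin". Since this hunk already rewrites the description, the unchanged installation step "Upload `plugin-name.php`" could be corrected to the plugin's real file name, stop-user-enumeration.php, in the same pass.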
43 |
|
44 |
== Changelog ==
|
45 |
=
|
46 |
+
= 1.2.5 =
|
47 |
+
|
48 |
+
* Added protection against bypass using null bytes (thanks to vunerbality identification and solution by cvcrcky )
|
49 |
+
* Added protection angainst POST bypass (thanks to vunerbaility identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk )
|
50 |
+
|
51 |
+
|
52 |
= 1.2.4 =
|
53 |
|
54 |
* Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title
|
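Review bot: The two new 1.2.5 changelog entries on readme lines 48 and 49 carry spelling errors that end up in the public plugin listing: "vunerbality" and "vunerbaility" should both read "vulnerability", and "angainst" should read "against". The stray space before each closing parenthesis can go as well. It would also help users to say in the second entry that the POST check looks at a posted `author` field, since that is the behaviour the code change introduces.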
stop-user-enumeration.php
CHANGED
@@ -3,7 +3,7 @@
|
|
3 |
Plugin Name: Stop User Enumeration
|
4 |
Plugin URI: http://llocally.com/wordpress-plugins/stop-user-enumeration
|
5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
6 |
-
Version: 1.2.
|
7 |
Author: llocally
|
8 |
Author URI: http://llocally.com/wordpress-plugins/
|
9 |
License: GPLv2 or later
|
@@ -32,7 +32,7 @@ if ( ! is_admin()){
|
|
32 |
|
33 |
add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
|
34 |
function ll_detect_enumeration ($redirect_url, $requested_url) {
|
35 |
-
if (preg_match('/\?author
|
36 |
ll_kill_enumeration();
|
37 |
} else {
|
38 |
return $redirect_url;
|
3 |
Plugin Name: Stop User Enumeration
|
4 |
Plugin URI: http://llocally.com/wordpress-plugins/stop-user-enumeration
|
5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
6 |
+
Version: 1.2.5
|
7 |
Author: llocally
|
8 |
Author URI: http://llocally.com/wordpress-plugins/
|
9 |
License: GPLv2 or later
|
32 |
|
33 |
add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
|
34 |
function ll_detect_enumeration ($redirect_url, $requested_url) {
|
35 |
+
if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url)===1 | ($_POST['author'])) {
|
36 |
ll_kill_enumeration();
|
37 |
} else {
|
38 |
return $redirect_url;
|
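Review bot: The new condition on line 35 joins its two checks with a single `|`, which is PHP's bitwise OR, not the logical `||`; it only appears to work because `true` and a numeric string both convert to integers. With a non-numeric `author` value PHP 7 emits a "non-numeric value" warning and PHP 8 throws a TypeError, and an array value (`author[]=1`) is a fatal "Unsupported operand types" error on every version, so a malformed request takes down the filter instead of being blocked. Separately, `$_POST['author']` is read without `isset`, so every ordinary front-end request that reaches `redirect_canonical` raises an undefined-index notice. Both are fixed by `if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url) === 1 || ! empty($_POST['author'])) {`, which short-circuits, tolerates arrays and treats a missing field as "not an enumeration attempt". Two smaller points on the pattern: `[0-9]*` accepts an empty number, so a bare `?author=` is blocked too (fine if that is intended, but worth a comment), and the `(\/*)` capturing group is never used and can be dropped. The `%00` alternative matches the percent-encoded sequence as it appears in the raw `$requested_url`, which is the right place to look, since that is the form the null-byte bypass arrives in.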