Do not cache login requests - Fixes #1395

wpscanteam · Sep 16, 2019 · ab950d6 · ab950d6
1 parent b77e611
commit ab950d6
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/app/finders/passwords/xml_rpc.rb b/app/finders/passwords/xml_rpc.rb
@@ -8,7 +8,7 @@ class XMLRPC < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
 
         def login_request(username, password)
-          target.method_call('wp.getUsersBlogs', [username, password])
+          target.method_call('wp.getUsersBlogs', [username, password], cache_ttl: 0)
         end
 
         def valid_credentials?(response)

diff --git a/app/finders/passwords/xml_rpc_multicall.rb b/app/finders/passwords/xml_rpc_multicall.rb
@@ -19,7 +19,7 @@ def do_multi_call(users, passwords)
             end
           end
 
-          target.multi_call(methods).run
+          target.multi_call(methods, cache_ttl: 0).run
         end
 
         # @param [ Array<Model::User> ] users

diff --git a/lib/wpscan/target/platform/wordpress.rb b/lib/wpscan/target/platform/wordpress.rb
@@ -109,6 +109,7 @@ def login_request(username, password)
           Browser.instance.forge_request(
             login_url,
             method: :post,
+            cache_ttl: 0,
             body: { log: username, pwd: password }
           )
         end