[asterisk-bugs] [JIRA] (ASTERISK-29250) Bug Report #21J60 (Missing access control exposing detailed information on all users admin)
Sound Ground (JIRA)
noreply at issues.asterisk.org
Sat Jan 16 06:51:59 CST 2021
Sound Ground created ASTERISK-29250:
---------------------------------------
Summary: Bug Report #21J60 (Missing access control exposing detailed information on all users admin)
Key: ASTERISK-29250
URL: https://issues.asterisk.org/jira/browse/ASTERISK-29250
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Addons/app_saycountpl
Affects Versions: 17.9.0
Reporter: Sound Ground
Severity: Minor
Hello Team
I have found https://asterisk.org/wp-json/wp/v2/users/ disclosing some information of admin user
Using REST API, we can see all the WordPress users/author with some of their information.I think developer forget to disable the link that can view information of admin user. so
By access to this link, attacker can get all username and other information of user admin:
Description:
By default Wordpress allow public access to Rest API to get information about all users registered on the system but you have restricted it internally. However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.
Steps To Reproduce:
1. You can reproduce it just by visiting the url https://asterisk.org/wp-json/wp/v2/users/
Impact:
1.Malicious counterpart could collect the usernames disclosed (and the admin user) and be focused throughout BF attack (as the usernames are now known), making it less harder to penetrate the ripple systems.2.Attacker can use these valuable information for advance attack as bruteforce login.3.It is possible to get all the users registered on the system and create a brute force directed to these users.
Remediation:
Use this code will hide the users list and give 404 as the result, while rest of the api calls keep running as they were.
add_filter( 'rest_endpoints', function( $endpoints ){ if ( isset( $endpoints['/wp/v2/users'] ) ) { unset( $endpoints['/wp/v2/users'] ); } if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) { unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ); } return $endpoints;});
also
There are 2 ways that it's possible to fix this problem.
FIX 1 - It's possible to remove this access for anyone by change the source code where when someone request the Rest API and the server send a 404 (Not Found) message for the user who made the request.Reference: https://github.com/WP-API/WP-API/issues/2338
FIX 2 - It's also possible to create a rewrite rule on .htaccess (if the webserver it's Apache) to redirect any request that contain rest_route (eg.: "^.*rest_route=/wp/*") to a Not Found (404) or a Default Page.
Similar report:
https://hackerone.com/reports/753725https://hackerone.com/reports/356047
Be Safe
Best Rigards
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list