[asterisk-bugs] [JIRA] (ASTERISK-29250) Bug Report #21J60 (Missing access control exposing detailed information on all users admin)

Sound Ground (JIRA) noreply at issues.asterisk.org
Sat Jan 16 06:51:59 CST 2021 

Sound Ground created ASTERISK-29250:
---------------------------------------

             Summary: Bug Report #21J60 (Missing access control exposing detailed information on all users admin)
                 Key: ASTERISK-29250
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29250
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Addons/app_saycountpl
    Affects Versions: 17.9.0
            Reporter: Sound Ground
            Severity: Minor


Hello Team
I have found https://asterisk.org/wp-json/wp/v2/users/ disclosing some information of admin user
Using REST API, we can see all the WordPress users/author with some of their information.I think developer forget to disable the link that can view information of admin user. so
By access to this link, attacker can get all username and other information of user admin:
Description:
By default Wordpress allow public access to Rest API to get information about all users registered on the system but you have restricted it internally. However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.
Steps To Reproduce:
1. You can reproduce it just by visiting the url https://asterisk.org/wp-json/wp/v2/users/

Impact:
1.Malicious counterpart could collect the usernames disclosed (and the admin user) and be focused throughout BF attack (as the usernames are now known), making it less harder to penetrate the ripple systems.2.Attacker can use these valuable information for advance attack as bruteforce login.3.It is possible to get all the users registered on the system and create a brute force directed to these users.
Remediation:
Use this code will hide the users list and give 404 as the result, while rest of the api calls keep running as they were.
add_filter( 'rest_endpoints', function( $endpoints ){    if ( isset( $endpoints['/wp/v2/users'] ) ) {        unset( $endpoints['/wp/v2/users'] );    }    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );    }    return $endpoints;});

also
There are 2 ways that it's possible to fix this problem.
FIX 1 - It's possible to remove this access for anyone by change the source code where when someone request the Rest API and the server send a 404 (Not Found) message for the user who made the request.Reference: https://github.com/WP-API/WP-API/issues/2338
FIX 2 - It's also possible to create a rewrite rule on .htaccess (if the webserver it's Apache) to redirect any request that contain rest_route (eg.: "^.*rest_route=/wp/*") to a Not Found (404) or a Default Page.
Similar report:
https://hackerone.com/reports/753725https://hackerone.com/reports/356047

Be Safe
Best Rigards 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list