[asterisk-bugs] [JIRA] (ASTERISK-29250) Bug Report #21J60 (Missing access control exposing detailed information on all users admin)
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Sat Jan 16 06:51:59 CST 2021
[ https://issues.asterisk.org/jira/browse/ASTERISK-29250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=253517#comment-253517 ]
Asterisk Team commented on ASTERISK-29250:
------------------------------------------
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.
A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.
Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].
Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.
Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].
> Bug Report #21J60 (Missing access control exposing detailed information on all users admin)
> -------------------------------------------------------------------------------------------
>
> Key: ASTERISK-29250
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29250
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Addons/app_saycountpl
> Affects Versions: 17.9.0
> Reporter: Sound Ground
> Severity: Minor
>
> Hello Team
> I have found https://asterisk.org/wp-json/wp/v2/users/ disclosing some information of admin user
> Using REST API, we can see all the WordPress users/author with some of their information.I think developer forget to disable the link that can view information of admin user. so
> By access to this link, attacker can get all username and other information of user admin:
> Description:
> By default Wordpress allow public access to Rest API to get information about all users registered on the system but you have restricted it internally. However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.
> Steps To Reproduce:
> 1. You can reproduce it just by visiting the url https://asterisk.org/wp-json/wp/v2/users/
> Impact:
> 1.Malicious counterpart could collect the usernames disclosed (and the admin user) and be focused throughout BF attack (as the usernames are now known), making it less harder to penetrate the ripple systems.2.Attacker can use these valuable information for advance attack as bruteforce login.3.It is possible to get all the users registered on the system and create a brute force directed to these users.
> Remediation:
> Use this code will hide the users list and give 404 as the result, while rest of the api calls keep running as they were.
> add_filter( 'rest_endpoints', function( $endpoints ){ if ( isset( $endpoints['/wp/v2/users'] ) ) { unset( $endpoints['/wp/v2/users'] ); } if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) { unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ); } return $endpoints;});
> also
> There are 2 ways that it's possible to fix this problem.
> FIX 1 - It's possible to remove this access for anyone by change the source code where when someone request the Rest API and the server send a 404 (Not Found) message for the user who made the request.Reference: https://github.com/WP-API/WP-API/issues/2338
> FIX 2 - It's also possible to create a rewrite rule on .htaccess (if the webserver it's Apache) to redirect any request that contain rest_route (eg.: "^.*rest_route=/wp/*") to a Not Found (404) or a Default Page.
> Similar report:
> https://hackerone.com/reports/753725https://hackerone.com/reports/356047
> Be Safe
> Best Rigards
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list