[asterisk-bugs] [JIRA] (ASTERISK-29250) Bug Report #21J60 (Missing access control exposing detailed information on all users admin)

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Sat Jan 16 08:57:59 CST 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua C. Colp closed ASTERISK-29250.
-------------------------------------

    Resolution: Suspended

This has been forwarded to the appropriate team.

> Bug Report #21J60 (Missing access control exposing detailed information on all users admin)
> -------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29250
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29250
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Addons/app_saycountpl
>    Affects Versions: 17.9.0
>            Reporter: Sound Ground
>            Severity: Minor
>
> Hello Team
> I have found https://asterisk.org/wp-json/wp/v2/users/ disclosing some information of admin user
> Using REST API, we can see all the WordPress users/author with some of their information.I think developer forget to disable the link that can view information of admin user. so
> By access to this link, attacker can get all username and other information of user admin:
> Description:
> By default Wordpress allow public access to Rest API to get information about all users registered on the system but you have restricted it internally. However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.
> Steps To Reproduce:
> 1. You can reproduce it just by visiting the url https://asterisk.org/wp-json/wp/v2/users/
> Impact:
> 1.Malicious counterpart could collect the usernames disclosed (and the admin user) and be focused throughout BF attack (as the usernames are now known), making it less harder to penetrate the ripple systems.2.Attacker can use these valuable information for advance attack as bruteforce login.3.It is possible to get all the users registered on the system and create a brute force directed to these users.
> Remediation:
> Use this code will hide the users list and give 404 as the result, while rest of the api calls keep running as they were.
> add_filter( 'rest_endpoints', function( $endpoints ){    if ( isset( $endpoints['/wp/v2/users'] ) ) {        unset( $endpoints['/wp/v2/users'] );    }    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );    }    return $endpoints;});
> also
> There are 2 ways that it's possible to fix this problem.
> FIX 1 - It's possible to remove this access for anyone by change the source code where when someone request the Rest API and the server send a 404 (Not Found) message for the user who made the request.Reference: https://github.com/WP-API/WP-API/issues/2338
> FIX 2 - It's also possible to create a rewrite rule on .htaccess (if the webserver it's Apache) to redirect any request that contain rest_route (eg.: "^.*rest_route=/wp/*") to a Not Found (404) or a Default Page.
> Similar report:
> https://hackerone.com/reports/753725https://hackerone.com/reports/356047
> Be Safe
> Best Rigards 



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list