Closed: heldyboy closed this issue 2 years ago
Fixed with Disable REST API plugin Access permissions can be defined per role, and are currently only unfiltered for administrators. This can be changed through plugin settings. https://plugins.trac.wordpress.org/browser/disable-wp-rest-api/trunk/disable-wp-rest-api.php
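The same idea the plugin implements (gate the users endpoint by role/capability) can be expressed directly with core WordPress hooks. This is an added example, not code from this issue or from the Disable REST API plugin; the file name, the `asrg_example_` function name and the choice of `list_users` as the gating capability are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict REST users endpoint (added example, hypothetical mu-plugin)
 *
 * Drop into wp-content/mu-plugins/. Denies /wp/v2/users and /wp/v2/users/<id>
 * to requesters without the `list_users` capability, so anonymous callers can
 * no longer enumerate account names. Both URL forms quoted in the report
 * (/wp-json/... and ?rest_route=...) reach the same REST dispatcher, so both are
 * covered. Gating on `list_users` is an assumption; pick what fits the site.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Decide whether a REST route exposes user listings that should be gated.
 * /wp/v2/users/me is left alone so logged-in users can still read their own profile.
 */
function asrg_example_is_user_listing_route( $route ) {
    if ( '/wp/v2/users/me' === $route ) {
        return false;
    }
    return 1 === preg_match( '#^/wp/v2/users(?:/|$)#', $route );
}

add_filter(
    'rest_pre_dispatch',
    function ( $result, $server, $request ) {
        // Another filter already produced a response or error; do not override it.
        if ( null !== $result ) {
            return $result;
        }
        if ( asrg_example_is_user_listing_route( $request->get_route() )
            && ! current_user_can( 'list_users' ) ) {
            // 401 for anonymous callers, 403 for authenticated ones lacking the capability.
            return new WP_Error(
                'rest_user_cannot_view',
                __( 'Sorry, you are not allowed to list users.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return $result;
    },
    10,
    3
);
```

To verify, an unauthenticated `curl -i https://example.invalid/wp-json/wp/v2/users` (placeholder host) should now return a 401 JSON error instead of the name list. Author names can still leak through other WordPress paths such as author archive links, which this hook does not touch.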
@usman-asrg Can you please comment how this was fixed, and closed? Always add screenshots, or proof that it is closed. Thanks.
@heldyboy I checked everything and I think we are safe in terms of this issue:
@usman-asrg, ok thanks!
Can you please look into this? We received the email last week from an anonymous person. We don't know him; however, it might be interesting. Can you please investigate? Is this relevant for us? How to fix?
I think this is the way attackers are getting our usernames and brute forcing the website.
Email Below
Hello Team, I, Gaurang Maheta, found a security issue in your system.
Title: Exposure of Sensitive Information to an Unauthorized Actor (CVE-2017-5487)
Description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
Base Score: 5.3 MEDIUM
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Steps to reproduce: https://www.asrg.io/?rest_route=/wp/v2/users/ ["name":"Editor","name":"Ikjot Saini","name":"John","name":"Julian Brucker","name":"Sven Schran","name":"Don King"]
https://www.asrg.io/wp-json/wp/v2/users/ ["name":"John","name":"Julian Brucker","name":"Sven Schran","name":"Don King","name":"Editor","name":"Ikjot Saini"]
Impact: Authors: LTR, LTREditor. A scenario of brute-force attacks against these users can be created. References: https://hackerone.com/reports/356047 https://shahjerry33.medium.com/information-disclosure-wordpress-cms-82133480b8b3?source=follow_footer---------3----------------------------
Best Regards, Gaurang