ASRG / asrg.io

asrg.io - website and docs
MIT License

Vulnerability: CVE-2017-5487 #369

Closed heldyboy closed 2 years ago

heldyboy commented 3 years ago

Can you please look into this? We received the email last week from an anonymous person. We don't know him; however, it might be interesting. Can you please investigate? Is this relevant for us? How to fix?

I think this is the way attackers are getting our usernames and brute-forcing the website.

Email Below

Hello Team, I, Gaurang Maheta, found a security issue in your system.

TITLE:

Exposure of Sensitive Information to an Unauthorized Actor CVE-2017-5487

Description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

Base Score: 5.3 MEDIUM

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Steps To Reproduce: https://www.asrg.io/?rest_route=/wp/v2/users/ ["name":"Editor","name":"Ikjot Saini","name":"John","name":"Julian Brucker","name":"Sven Schran","name":"Don King"]

https://www.asrg.io/wp-json/wp/v2/users/ ["name":"John","name":"Julian Brucker","name":"Sven Schran","name":"Don King","name":"Editor","name":"Ikjot Saini"]

Impact: Authors: LTR, LTREditor. A scenario of brute-force attacks on these users can be created.

Reference: https://hackerone.com/reports/356047 https://shahjerry33.medium.com/information-disclosure-wordpress-cms-82133480b8b3?source=follow_footer---------3----------------------------

Best Regards, Gaurang

donald-king commented 3 years ago

Fixed with the Disable REST API plugin. Access permissions can be defined per role, and are currently only unfiltered for administrators. This can be changed through the plugin settings. https://plugins.trac.wordpress.org/browser/disable-wp-rest-api/trunk/disable-wp-rest-api.php
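The Disable REST API plugin referenced above does this through its settings. As an added example (not the plugin's code and not part of this issue), the same effect for only the user-listing routes can be obtained with a small must-use plugin built on WordPress's own `rest_endpoints` filter; the plugin name and file location are assumptions:

```php
<?php
/**
 * Plugin Name: Restrict REST user listing (added example, assumed name)
 *
 * Drop into wp-content/mu-plugins/ (assumed location). Removes the
 * /wp/v2/users routes from the REST route table for requests whose user
 * lacks the list_users capability, so neither /wp-json/wp/v2/users nor the
 * ?rest_route=/wp/v2/users form hands author names to anonymous callers.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Administrators (and any role granted list_users) keep the routes,
    // which the block editor and the Users admin screen rely on.
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }

    // Remove the collection route and the single-user route for everyone
    // else. /wp/v2/users/me is left in place: it already requires a
    // logged-in user and returns nothing to anonymous requests.
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

After deploying, re-request the two URLs from the report as a logged-out visitor: a 404 `rest_no_route` response in place of the name list is the kind of closure evidence asked for later in this thread.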

heldyboy commented 2 years ago

@usman-asrg Can you please comment how this was fixed, and closed? Always add screenshots, or proof that it is closed. Thanks.

usman-asrg commented 2 years ago

@heldyboy I checked everything and I think we are safe in terms of this issue: image

heldyboy commented 2 years ago

@usman-asrg, ok thanks!