[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Stop User Enumeration allows user enumeration via the REST API (WordPress plugin)

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Stop User Enumeration allows user enumeration via the REST API (WordPress plugin)
From: dxw Security <security@xxxxxxx>
Date: Tue, 25 Jul 2017 12:27:09 +0000

Details
================
Software: Stop User Enumeration
Version: 1.3.8
Homepage: https://wordpress.org/plugins/stop-user-enumeration/
Advisory report: 
https://security.dxw.com/advisories/stop-user-enumeration-rest-api/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Stop User Enumeration allows user enumeration via the REST API

Vulnerability
================
Stop User Enumeration optionally allows stopping user enumeration via the 
WordPress REST API. When that option is enabled, requests to 
/wp-json/wp/v2/users are blocked and return an error like this:
{\"code\":\"rest_cannot_access\",\"message\":\"Only authenticated users can 
access the User endpoint REST API.\",\"data\":{\"status\":401}}
It also successfully blocks requests such as /?rest_route=/wp/v2/users.
The blocking relies upon the following comparison:
if( preg_match(\'/users/\', $_SERVER[\'REQUEST_URI\']) !== 0 ) {
On the surface this looks like it should work. And it seems like we can’t get 
around the restriction by sending a POST request with the parameter 
rest_route=/wp/v2/users, because WordPress thinks we want to create a user and 
responds with an error.
However, the REST API allows simulating different request types. As such, we 
can perform a POST request with the “users” string in the body of the request, 
and tell the REST API to act like it’s received a GET request.

Proof of concept
================
curl http://localhost/?_method=GET -d rest_route=/wp/v2/users

Mitigations
================
Upgrade to version 1.3.9 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@xxxxxxx to acknowledge this report if you 
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report with 14 days.

Timeline
================

2017-05-16: Discovered
2017-07-18: Reported to vendor via info@xxxxxxxxxxxxx
2017-07-18: First response from vendor
2017-07-19: Vendor reports issue fixed in version 1.3.9
2017-07-25: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
          


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin (WordPress plugin)
Next by Date: [FD] [RT-SA-2016-007] Cross-Site Scripting in TYPO3 Formhandler Extension
Previous by thread: [FD] CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin (WordPress plugin)
Next by thread: [FD] [RT-SA-2016-007] Cross-Site Scripting in TYPO3 Formhandler Extension
Index(es):
- Date
- Thread