
Information Disclosure #647

Closed
hieund12 opened this issue Dec 22, 2018 · 3 comments
Labels
locked [bot] locked due to inactivity

Comments

@hieund12

Hi team,
I found a security issue on your site: Information Disclosure.
Your WordPress installation is disclosing its version number in https://www.anaconda.com/readme.html

This can help a hacker speed up the process of information gathering; by discovering your WordPress version number, an attacker could use specific exploits made just for your version.

@hieund12
Author

Disclosure of Users' Information via WordPress API (?rest_route)

Summary:

It's possible to get information about the registered users (such as id, name, login name, etc.) without authentication in WordPress via the API on https://www.anaconda.com

Description:
By default WordPress allows public access to the REST API to get information about all users registered on the system.

Steps To Reproduce:
It's possible to reproduce the attack by browsing the URLs:
https://www.anaconda.com/?rest_route=/wp/v2/users/1
https://www.anaconda.com/?rest_route=/wp/v2/users/2

Just increase the last number of the API endpoint (/?rest_route=/wp/v2/users/{id}) to get the information of all users registered on the WordPress site.

Remediation:
There are 2 ways it's possible to fix this problem.
FIX 1 - It's possible to remove this access for anyone by changing the source code so that when someone requests the REST API, the server sends a 404 (Not Found) message to the user who made the request.
Reference: WP-API/WP-API#2338

FIX 2 - It's also possible to create a rewrite rule in .htaccess (if the web server is Apache) to redirect any request that contains rest_route (e.g. "^.rest_route=/wp/") to a Not Found (404) or a default page.

Impact
It's possible to get all the users registered on the system and create a brute-force attack directed at these users.
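
One way to implement FIX 1 without editing WordPress core, as an added example that is not part of the issue thread (the plugin name and the `example_hide_user_routes` function are made up): a must-use plugin that removes the `/wp/v2/users` routes from the route table for unauthenticated requests, so WordPress answers with its own 404 `rest_no_route` error.

```php
<?php
/**
 * Plugin Name: Hide user endpoints from anonymous REST requests
 * Description: Constructed example (not from the issue thread). Place it in
 *              wp-content/mu-plugins/ so it loads without activation.
 */

/**
 * Remove the /wp/v2/users routes for visitors who are not logged in.
 *
 * WordPress passes its route table through the 'rest_endpoints' filter on
 * every dispatch, so routes removed here are unknown to the server and it
 * replies with its standard 404 "rest_no_route" error. Because both
 * /wp-json/wp/v2/users and /?rest_route=/wp/v2/users go through the same
 * dispatcher, this covers both URL forms, which a query-string-only
 * .htaccess rule (FIX 2) would not.
 *
 * @param array $endpoints Registered routes, keyed by route regex.
 * @return array The route table with the user routes removed when anonymous.
 */
function example_hide_user_routes( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints; // Editors and admins still need these routes.
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_user_routes' );
```

After deploying, confirm with an unauthenticated request to both URL forms that the response is a 404 JSON error rather than a user object, and that a logged-in editor can still reach the endpoint.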

@rrigdon
Contributor

rrigdon commented Sep 4, 2019

Kamino closed and cloned this issue to ContinuumIO/anaconda-issues

@github-actions

Hi there, thank you for your contribution!

This issue has been automatically locked because it has not had recent activity after being closed.

Please open a new issue if needed.

Thanks!

@github-actions github-actions bot added the locked [bot] locked due to inactivity label Mar 21, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2022