Information Disclosure #647
Comments
Disclosure of Users Information via Wordpress API (?rest_route)

Summary:
It's possible to get information about the users registered (such as: id, name, login name, etc.) without authentication in Wordpress via API on https://www.anaconda.com

Description:

Steps To Reproduce:
Just increase the last number of the Endpoint of the API (/?rest_route=/wp/v2/users/{id}) to get all registered users' information on the Wordpress.

Remediation:
FIX 2 - It's also possible to create a rewrite rule on .htaccess (if the webserver is Apache) to redirect any request that contains rest_route (eg.: "^.rest_route=/wp/") to a Not Found (404) or a Default Page.

Impact
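The remediation above blocks the request at the web-server layer; as an added example that is not part of this issue or of Anaconda's site, here is the same restriction applied inside WordPress as a must-use plugin, using core's `rest_endpoints` filter to hide the user routes from unauthenticated callers. The hook name and route keys are WordPress core's; the file, constant and function names are constructed for this example.

```php
<?php
/**
 * Plugin Name: Restrict REST user enumeration (constructed example)
 * Description: Hides /wp/v2/users from unauthenticated REST requests.
 *
 * Save as wp-content/mu-plugins/restrict-rest-users.php. Files in
 * mu-plugins/ are loaded automatically; there is no activation step.
 */

// Route keys exactly as WordPress core registers them, so unset() matches.
// The second key is the regex string core uses for the single-user route.
const RRU_USER_ROUTES = array(
    '/wp/v2/users',
    '/wp/v2/users/(?P<id>[\d]+)',
);

/**
 * Drop the user routes from the REST route table for anonymous callers.
 *
 * rest_endpoints runs during REST dispatch, after WordPress has already
 * authenticated the request (cookie + nonce, or an application password),
 * so is_user_logged_in() reflects a real authenticated session here.
 * It applies to both URL forms, /wp-json/wp/v2/users and
 * /?rest_route=/wp/v2/users, because both reach the same dispatcher.
 *
 * @param array $endpoints Route key => handler list, as built by core.
 * @return array Filtered route table.
 */
function rru_filter_endpoints( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // editors and API clients keep full access
    }
    foreach ( RRU_USER_ROUTES as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'rru_filter_endpoints' );
```

Because the check happens after authentication, the block editor and application-password clients keep working, which a blanket rewrite on every `rest_route` request does not allow; anonymous callers receive WordPress's standard `rest_no_route` 404 response. The readme.html version disclosure raised later in this thread is a separate file-level fix (remove the file or deny it in the web-server configuration) that this plugin does not address.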
Kamino closed and cloned this issue to ContinuumIO/anaconda-issues
Hi there, thank you for your contribution! This issue has been automatically locked because it has not had recent activity after being closed. Please open a new issue if needed. Thanks!
Hi team,
I found a security issue on your site: Information Disclosure.
Your WordPress installation is disclosing its version number in https://www.anaconda.com/readme.html
This can help a hacker speed up the process of information gathering: by discovering your WordPress version number, an attacker could use specific exploits made just for your version.