User Information Disclosure via the REST API - /?_method=GET
State Resolved (Closed)
Disclosed publicly 2018-09-10T01:22:37.461Z
Reported To
Weakness Information Disclosure
Bounty $50

Summary by lovepakistan

Issue

The reporter found that user information leaked from www.lahitapiolarahoitus.fi.

Fix

The issue was resolved during normal and scheduled hardening of WordPress.

Reasoning

The issue was valid and the reporter provided enough proof. This is typical WordPress, what we know as a "feature", that every WP administrator should be aware of.

We've had several reports on related issues, but as all were carried out differently we decided to award each separately.

Timeline
submitted a report to LocalTapiola.
2018-07-20T20:54:09.755Z

Basic report information

Summary:
Browser access to www.lahitapiolarahoitus.fi/wp-json is restricted for the general public, but it is still accessible in a way through which user information is leaked.

Description:
By default WordPress allows public access to the REST API to get information about all users registered on the system, but you have restricted it internally. I saw several reports on this issue reported on lahitapiolarahoitus.fi. Now, as a fix to those reports, requests to /wp-json/wp/v2/users are blocked and return an error like this:

Refer to lahitapiolarahoitus.fi.JPG

It also successfully blocks requests such as /?rest_route=/wp/v2/users.

Refer to lahitapiolarahoitus.fi1.JPG

However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.

Steps To Reproduce:

curl https://lahitapiolarahoitus.fi/?_method=GET -d rest_route=/wp/v2/users

Browsers / Apps Verified In:

  • It was tested via the curl command.

Additional material

Refer to finalPOC.JPG

Impact

It allows anonymous access to functionality that allows a hacker to list all users who have published a post on a WordPress site.

Regards,
Frans

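The bypass works because the users route travels in the POST body while the request line only shows /?_method=GET, so a block that matches the request path or query string never sees it. As an added example (not code from the report or from LocalTapiola), the restriction can instead be enforced inside WordPress's own REST server, where the route has already been resolved whichever way it was supplied; it assumes WordPress 4.7 or later and is meant for a must-use plugin file under wp-content/mu-plugins/ (an assumed location):

```php
<?php
/**
 * Added example, not part of the report: refuse the /wp/v2/users
 * endpoints to anyone without the list_users capability, at the point
 * where WordPress dispatches a REST request.
 *
 * rest_pre_dispatch runs after the request has been parsed, so
 * $request->get_route() holds the resolved route no matter whether it
 * came from the /wp-json/... path, the ?rest_route= query parameter,
 * or a POST body combined with the ?_method=GET override.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced an answer; leave it untouched.
    if ( null !== $result ) {
        return $result;
    }

    // Match "/wp/v2/users" and "/wp/v2/users/<id>", nothing else.
    $route = $request->get_route();
    if ( ! preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
        return $result;
    }

    // Logged-in editors/administrators keep the endpoint (the block
    // editor uses it); anonymous and low-privilege callers are refused.
    if ( current_user_can( 'list_users' ) ) {
        return $result;
    }

    // Returning a WP_Error short-circuits dispatch; the status is 401
    // for anonymous callers and 403 for authenticated ones.
    return new WP_Error(
        'rest_user_cannot_view',
        __( 'Sorry, you are not allowed to list users.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

After deploying, the report's curl command and the plain /wp-json/wp/v2/users and /?rest_route= forms should all return the same authorization error, which is the check to confirm the fix is not route-specific.
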
localtapiola-thomas Activities::Comment
2018-07-21T10:10:26.218Z
Thanks a lot for reporting this potential issue back to us. LocalTapiola takes security very seriously and would appreciate if you would not share any information about this report until we have determined whether this is a bug and what any potential impact (or fix) will be. Our security team will take a look at this issue as soon as possible. We aim to respond to your report as soon as possible, but due to the complexity of the systems, triaging many times can take a long time. We prioritize issues - reports containing trivial issues with limited (or no) business impact and badly written reports with insufficient information on how to reproduce the issue receive a lower priority. Please do not request updates for at least 20 days into the process. Once triaged and verified, bounty decisions are made 1-2 times per month. *Note: if we frequently dismiss your reports, make sure you have read our policy and stay in scope and that you know how to write good reports - https://support.hackerone.com/hc/en-us/articles/211538803-Step-by-Step-How-to-write-a-good-vulnerability-report and http://blog.bugcrowd.com/advice-for-writing-a-great-vulnerability-report/. Also, our policy contains a lot of information on what is relevant and what is not.*


lovepakistan Activities::Comment
2018-08-13T10:22:34.921Z
Any updates?


localtapiola-thomas Activities::BugTriaged
2018-08-22T06:34:45.044Z
This works, we have tested it. A fix will be rolled out, the schedule is not known for now.


localtapiola-thomas Activities::ReportTitleUpdated
2018-08-22T06:36:16.731Z


Activities::BountyAwarded
2018-08-22T06:37:02.323Z
Awarding bounty equal to similar reports.


localtapiola-thomas Activities::Comment
2018-08-23T08:22:01.503Z
You could retest this, we are of course also interested in knowing if you can somehow circumvent our mitigation.


lovepakistan Activities::Comment
2018-08-24T09:44:34.174Z
Have not found any way to still do this. It is fixed. Thanks!


lovepakistan Activities::Comment
2018-09-05T20:00:57.185Z
It is fixed, please change the status of the report.


localtapiola-thomas Activities::BugResolved
2018-09-09T22:09:11.043Z
Closing as resolved.


localtapiola-thomas Activities::AgreedOnGoingPublic
2018-09-09T22:09:54.713Z
No secrets, full disclosure.


lovepakistan Activities::AgreedOnGoingPublic
2018-09-10T01:22:37.387Z


lovepakistan Activities::ReportBecamePublic
2018-09-10T01:22:37.494Z