what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Stop User Enumeration 1.3.8 User Enumeration

WordPress Stop User Enumeration 1.3.8 User Enumeration
Posted Jul 26, 2017
Authored by Tom Adams

WordPress Stop User Enumeration plugin version 1.3.8 suffers from a user enumeration vulnerability.

tags | exploit
SHA-256 | b7513f284de1b5522ef7c496fd4c6816b69284ea65ff20882b3bb5824e1e4e39

WordPress Stop User Enumeration 1.3.8 User Enumeration

Change Mirror Download
Details
================
Software: Stop User Enumeration
Version: 1.3.8
Homepage: https://wordpress.org/plugins/stop-user-enumeration/
Advisory report: https://security.dxw.com/advisories/stop-user-enumeration-rest-api/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Stop User Enumeration allows user enumeration via the REST API

Vulnerability
================
Stop User Enumeration optionally allows stopping user enumeration via the WordPress REST API. When that option is enabled, requests toA /wp-json/wp/v2/users are blocked and return an error like this:
{\"code\":\"rest_cannot_access\",\"message\":\"Only authenticated users can access the User endpoint REST API.\",\"data\":{\"status\":401}}
It also successfully blocks requests such asA /?rest_route=/wp/v2/users.
The blocking relies upon the following comparison:
if( preg_match(\'/users/\', $_SERVER[\'REQUEST_URI\']) !== 0 ) {
On the surface this looks like it should work.A And itA seems like we canat get around the restriction by sending a POST request with the parameter rest_route=/wp/v2/users, because WordPress thinks we want to create a user and responds with an error.
However, the REST API allows simulating differentA request types. As such, we can perform a POST request with the ausersa string in the body of the request, and tell the REST APIA to act like itas received a GET request.

Proof of concept
================
curl http://localhost/?_method=GET -d rest_route=/wp/v2/users

Mitigations
================
Upgrade to versionA 1.3.9 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2017-05-16: Discovered
2017-07-18: Reported to vendor viaA info@fullworks.net
2017-07-18: First response from vendor
2017-07-19: Vendor reports issue fixed in version 1.3.9
2017-07-25: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.




Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close