Closed
Bug 1480986
Opened 7 years ago
Closed 7 years ago
User information leak on Mozilla blog
Categories: Websites :: Other, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1365661
People: Reporter: mrminifreddy, Unassigned
References: none
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Hello,
Your REST API allows anonymous access to a function that lets a hacker list all users of the Mozilla Blog. This is an issue regarding an advanced attack (brute forcing).
This can either be fixed by altering the source code (https://github.com/WP-API/WP-API/issues/2338) or by adding a .htaccess rule to block those endpoints (e.g. "^.*rest_route=/wp/*" to a 401).
Flags: sec-bounty?
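The reporter's suggested fix is either a source change or an .htaccess rule. The following is an added example written for this page, not code from Mozilla, WPEngine or the WP-API project: a WordPress must-use plugin (assumed to be saved as wp-content/mu-plugins/restrict-rest-users.php, a hypothetical filename) that hides the wp/v2/users routes from unauthenticated requests using the core `rest_endpoints` filter, so anonymous callers get the REST server's standard "no route" response instead of the user list.

```php
<?php
/**
 * Plugin Name: Restrict REST user listing (added example, not Mozilla's code)
 * Description: Removes the wp/v2/users routes for anonymous requests.
 *
 * Assumed location: wp-content/mu-plugins/restrict-rest-users.php
 * (mu-plugins load automatically and cannot be disabled from the admin UI).
 */

// Abort if loaded outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Filter the registered REST routes and drop every route under
 * /wp/v2/users when the request carries no authenticated user.
 *
 * Core registers the collection ('/wp/v2/users') and the single-user
 * route ('/wp/v2/users/(?P<id>[\d]+)'); matching on the prefix also
 * covers '/wp/v2/users/me', which is only useful when logged in anyway.
 *
 * @param array $endpoints Route regex => handler list, as built by WP_REST_Server.
 * @return array Filtered routes.
 */
function example_restrict_rest_users_routes( array $endpoints ) {
    // Logged-in users (cookie + nonce or any other auth handler) keep full access,
    // so the admin UI, Gutenberg author pickers, etc. keep working.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_restrict_rest_users_routes' );
```

Because the filter runs inside the REST server, it applies to both URL forms the API accepts, the pretty-permalink form (/wp-json/wp/v2/users) and the query-string form (/?rest_route=/wp/v2/users). The .htaccess pattern quoted in the report only matches the query-string form, so a rewrite rule alone would need a second rule for /wp-json/ to close the same gap. Hiding the routes does not change author archive URLs, which expose the same login-name-derived slugs as public content; rate limiting of the login endpoints, as mentioned in the resolution below, is a separate control.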
Thanks for reporting this mrminifreddy, this is all considered public information and was previously reported in another bug. We outsource our WordPress blog management to WPEngine. They handle WP upgrades and rate limiting for brute force attacks.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated 7 years ago: Group: websites-security
Updated 7 years ago: Flags: sec-bounty? → sec-bounty-
Updated 1 year ago: Keywords: reporter-external