Closed Bug 1480986 Opened 7 years ago Closed 7 years ago

User information leak on Mozilla blog

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1365661

People

(Reporter: mrminifreddy, Unassigned)


Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hello, your REST API allows anonymous access to a function that allows a hacker to list all users of the Mozilla Blog. This is an issue regarding an advanced attack (brute forcing). This can either be fixed by altering the source code (https://github.com/WP-API/WP-API/issues/2338) or by adding a .htaccess rule to block those endpoints (e.g. "^.*rest_route=/wp/*" to a 401).
Flags: sec-bounty?
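As an added illustration of the .htaccess option the report mentions (this is not code from the bug report, from Mozilla or from the WP-API project): an Apache mod_rewrite fragment that refuses unauthenticated requests to the WordPress user-listing routes in both their pretty-permalink form and the `rest_route` query-string form the report quotes. It assumes mod_rewrite is loaded and WordPress is installed at the document root.

```apache
# Added example, not from the bug report. Assumes mod_rewrite is loaded and
# WordPress lives at the document root.
<IfModule mod_rewrite.c>
RewriteEngine On

# Leave logged-in users alone: WordPress sets a wordpress_logged_in_* cookie,
# and the block editor and admin screens need the users routes to work.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]

# Pretty-permalink form: /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users(/|$) [NC,OR]
# Query-string form, with slashes either literal or percent-encoded:
#   ?rest_route=/wp/v2/users   or   ?rest_route=%2Fwp%2Fv2%2Fusers
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users((/|%2F)|$|&) [NC]

# The report suggests a 401; [F] returns 403, which is the accurate status when
# no authentication challenge is offered. Use [R=401,L] instead to match the report.
RewriteRule ^ - [F,L]
</IfModule>
```

The cookie check only spares browser sessions; it is not an authentication check, so the rule is a coarse exposure reduction rather than a replacement for the WP-API-side fix.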
Thanks for reporting this mrminifreddy, this is all considered public information and was previously reported in another bug. We outsource our WordPress blog management to WPEngine. They handle WP upgrades and rate limiting for brute force attacks.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: websites-security
Flags: sec-bounty? → sec-bounty-