From 93238308f04a65a5d9c3e60bd5234e3460a02e0d Mon Sep 17 00:00:00 2001 From: developeregrem Date: Tue, 14 Jan 2020 11:29:47 +0100 Subject: [PATCH] added protection for rest api --- README.md | 6 +++- wp-author-security/options.php | 16 ++++++++++ wp-author-security/readme.txt | 2 +- wp-author-security/wp-author-security.php | 37 +++++++++++++++++++++-- 4 files changed, 56 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e0037a9..8174301 100644 --- a/README.md +++ b/README.md @@ -9,10 +9,14 @@ By default, Wordpress will display some sensitive information on author pages. T https://yourdomain.com/?author=id - or with permalinks + with permalinks https://yourdomain.com/author/username +or using REST API + + https://yourdomain.com/wp-json/wp/v2/users + The page will include the full name (first and last name) as well as the username of the author which is used to login to Wordpress. In some cases, it is not wanted to expose this information to the public. An attacker is able to brute-force valid IDs or valid usernames. This information might be used for further attacks like social-engineering attacks or login brute-force attacks with gathered usernames. diff --git a/wp-author-security/options.php b/wp-author-security/options.php index 76c7820..a5bb280 100644 --- a/wp-author-security/options.php +++ b/wp-author-security/options.php 
@@ -37,14 +37,22 @@ function register_wp_author_security_settings() { 'sanitize_callback' => 'sanitize_checkbox', 'default' => false ); + $argsRestUser = array( + 'description' => 'Whether to protect REST API endpoint wp-json/wp/v2/users.', + 'type' => 'booelan', + 'sanitize_callback' => 'sanitize_checkbox', + 'default' => true + ); register_setting( 'wp-author-security-group', 'protectAuthor', array_merge($argsBase, $argsAuthor) ); register_setting( 'wp-author-security-group', 'protectAuthorName', array_merge($argsBase, $argsAuthorName) ); register_setting( 'wp-author-security-group', 'disableLoggedIn', array_merge($argsBase, $argsLoggedIn) ); + register_setting( 'wp-author-security-group', 'disableRestUser', array_merge($argsBase, $argsRestUser) ); add_option( 'protectAuthor', $argsAuthor['default']); add_option( 'protectAuthorName', $argsAuthorName['default']); add_option( 'disableLoggedIn', $argsLoggedIn['default']); + add_option( 'disableRestUser', $argsLoggedIn['default']); }; function wp_author_security_menu() { @@ -129,6 +137,14 @@ function wp_author_security_options_page() {
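Review bot: `add_option( 'disableRestUser', $argsLoggedIn['default']);` seeds the new option from the wrong args array, so a fresh install starts with REST protection off (`false`) even though `$argsRestUser` declares `'default' => true` a few lines above; it should be `add_option( 'disableRestUser', $argsRestUser['default']);`. In that same array `'type' => 'booelan'` is a typo — the sibling arrays presumably use `'boolean'`, and register_setting's schema type only has meaning when spelled correctly — so change it to `'type' => 'boolean',`. register_wp_author_security_settings begins before this hunk.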

Disable protection for logged in users.

+ + + Protect REST API user enumeration + + /> +

Disable REST API endpoint wp-json/wp/v2/users.

+ + diff --git a/wp-author-security/readme.txt b/wp-author-security/readme.txt index 6c69c1b..b33f306 100644 --- a/wp-author-security/readme.txt +++ b/wp-author-security/readme.txt @@ -2,7 +2,7 @@ Contributors: mgm-sp Tags: security, user enumeration Requires at least: 4.7 -Tested up to: 5.1.1 +Tested up to: 5.3 Requires PHP: 5.6 Stable tag: 1.0 License: GPLv3 diff --git a/wp-author-security/wp-author-security.php b/wp-author-security/wp-author-security.php index e508e74..fdd6b3c 100644 --- a/wp-author-security/wp-author-security.php +++ b/wp-author-security/wp-author-security.php @@ -4,7 +4,7 @@ * Description: Protects against user enumeration attacks for author pages. By default, Wordpress will display some sensitive information on author pages. The author page is typically called by requesting the URI https://yourdomain.com/?author=<id> or with permalinks https://yourdomain.com/author/<username>. The page will include the full name (first and last name) as well as the username of the author which is used to login to Wordpress. In some cases, it is not wanted to expose this information to the public. An attacker is able to brute-force valid IDs or valid username. This information might be used for further attacks like social-engineering attacks or login brute-force attacks with gathered usernames. By using the extension, you are able to disable the author pages either completely or only for users that do not have any published posts yet. When the page is disabled the default 404 page not found is displayed. * Author: mgm-sp * Author URI: https://www.mgm-sp.com - * Version: 1.0 + * Version: 1.1.0 * License: GPL3 * Plugin URI: https://github.com/mgm-sp/wp-author-security */ @@ -17,6 +17,7 @@ require_once (dirname( __FILE__ ) . '/options.php'); add_action( 'template_redirect', 'check_author_request', 1 ); +add_action( 'rest_api_init', 'check_rest_api', 10); /** * checks for author parameter in requests and decideds wheter to block request (404) 
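Review bot: The handler registered here on `rest_api_init`, `check_rest_api`, and the `isEnabled()` helper added later in this patch are unprefixed global functions, and a name as generic as `isEnabled` risks a fatal "cannot redeclare" collision with another plugin or theme, since all plugins share one global namespace. A plugin-specific prefix in the style of `wp_author_security_menu` from options.php (e.g. `wp_author_security_is_enabled`) or a `function_exists()` guard would avoid that. The existing `check_author_request` and `display_404` have the same exposure, but the new names are the ones this commit can still change cheaply.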
@@ -42,8 +43,7 @@ function check_author_request() { return; } - // check if protection is disabled for logged in user - if( is_user_logged_in() && get_option('disableLoggedIn')) { + if(!isEnabled()) { return; } @@ -62,6 +62,26 @@ function check_author_request() { return; } + +/** + * disables user enumeration for the REST API endpoint wp-json/wp/v2/users + */ +function check_rest_api() +{ + // check if protection is disabled for logged in user + if( is_user_logged_in() && get_option('disableLoggedIn')) { + return; + } + $pattern = '/wp\/v2\/users/'; + $restRoute = $_REQUEST['rest_route']; + if(isset($_REQUEST['rest_route']) && preg_match($pattern, $_REQUEST['rest_route']) ) { + if(get_option( 'disableRestUser' )) { + display_404(); + } + } + return; +} + /** * Checks if requested user should be blocked or not */ @@ -101,3 +121,14 @@ function display_404() { exit; } +/** + * checks whether plugin is enabled for logged in users or not + */ +function isEnabled() { + // check if protection is disabled for logged in user + if( is_user_logged_in() && get_option('disableLoggedIn')) { + return false; + } + return true; +} +
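Review bot: In check_rest_api, `$restRoute = $_REQUEST['rest_route'];` reads the key before the `isset()` guard on the following line, so every REST request without that parameter raises an undefined-index notice, and `$restRoute` is never used afterwards — delete the line, since the guard already reads `$_REQUEST['rest_route']` directly. As far as I can tell `$_REQUEST['rest_route']` is only populated for the `?rest_route=/wp/v2/users` query form; a pretty-permalink request to `/wp-json/wp/v2/users`, the URL the README documents, carries the route in WordPress's own query vars rather than in `$_REQUEST`, so it would pass this check unprotected — worth testing both URL forms, and unsetting the `/wp/v2/users` routes via the `rest_endpoints` filter would cover both without the `exit` inside display_404. The logged-in check at the top of check_rest_api duplicates the `isEnabled()` helper this same patch introduces and already uses in check_author_request; `if(!isEnabled()) { return; }` keeps the two handlers consistent. check_author_request's body extends beyond the first hunk on this line.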