Opened 4 weeks ago

Last modified 4 weeks ago

#44449 new defect (bug)

WP_REST_Users_Controller->get_item_permissions_check() should return permission error even if user does not exist

Reported by: Ste_95 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: REST API Keywords: close
Focuses: Cc:

Description

Right now, WP_REST_Users_Controller->get_item_permissions_check() returns a different error depending on whether the requested user does not exist or the requester does not have permission to list_users.

This is due to an early check on $user:

if ( is_wp_error( $user ) ) {
     return $user;
}

This is not a real security vulnerability, but it may give away information to an attacker. We probably shouldn't want to give away the fact that a user exists (or not), if the requester does not have permission to pull a list of existing users. Otherwise we are allowing them to (slowly) build a users list by making a multitude of wrong requests. The check above should thus probably go at the bottom of the function, just before the return true;.

https://core.trac.wordpress.org/browser/tags/4.8.1/src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php#L365
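
The check ordering discussed in this ticket, as an added stand-alone PHP model that is not part of the ticket or of WordPress core. The user table, the boolean standing in for the list_users capability, the error codes and all function names are hypothetical.

```php
<?php
// Added illustration: a stand-alone model, not WordPress core code.
// The users, error codes and function names are constructed for this example.
const USERS = [1 => 'admin', 2 => 'editor', 7 => 'author'];

function not_found(): array { return ['status' => 404, 'code' => 'invalid_user_id']; }
function forbidden(): array { return ['status' => 403, 'code' => 'cannot_view_user']; }

// Ordering described in the ticket: existence is tested before authorization,
// so an unprivileged requester gets a different error for a missing user.
function check_existence_first(int $requested_id, int $requester_id, bool $can_list_users) {
    if (!array_key_exists($requested_id, USERS)) {
        return not_found();
    }
    if ($requester_id === $requested_id || $can_list_users) {
        return true;
    }
    return forbidden();
}

// Ordering proposed in the ticket: authorization is decided first, and the
// "not found" error is only returned to a requester who may list users.
function check_permission_first(int $requested_id, int $requester_id, bool $can_list_users) {
    $is_self = $requester_id === $requested_id && array_key_exists($requested_id, USERS);
    if (!$is_self && !$can_list_users) {
        return forbidden();
    }
    if (!array_key_exists($requested_id, USERS)) {
        return not_found();
    }
    return true;
}

// Regression check: for a requester without list_users, every ID other than
// their own must produce the same response whether or not the user exists.
function leaks_existence(callable $check, int $requester_id, array $ids): bool {
    $seen = [];
    foreach ($ids as $id) {
        if ($id === $requester_id) {
            continue;
        }
        $seen[json_encode($check($id, $requester_id, false))] = true;
    }
    return count($seen) > 1;
}

$ids = [1, 2, 3, 7, 99]; // constructed mix of existing and missing IDs
var_dump(leaks_existence('check_existence_first', 7, $ids));
var_dump(leaks_existence('check_permission_first', 7, $ids));
```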

Change History (1)

#1 @swissspidy
4 weeks ago

  • Component changed from Security to REST API
  • Focuses rest-api removed
  • Keywords close added

Disclosure of usernames and user IDs is not a security issue. If you want to get a list of usernames you could just try logging in or use the password reset form to achieve the same.
