Opened 5 years ago
Closed 4 years ago
#44449 closed defect (bug) (invalid)
WP_REST_Users_Controller->get_item_permissions_check() should return permission error even if user does not exist
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7 |
| Component: | REST API | Keywords: | close |
| Focuses: | | Cc: | |
Description
Right now, `WP_REST_Users_Controller->get_item_permissions_check()` returns a different error depending on whether the requested user does not exist or the requester does not have permission to `list_users`.

This is due to an early check on `$user`:

```php
if ( is_wp_error( $user ) ) {
    return $user;
}
```
This is not a real security vulnerability, but it may give away information to an attacker. We probably shouldn't want to give away the fact that a user exists (or not) if the requester does not have permission to pull a list of existing users. Otherwise we are allowing them to (slowly) build a users list by making a multitude of wrong requests. The check above should thus probably go at the bottom of the function, just before the `return true;`.
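As an added illustration of the reordering the description proposes (example code, not the WordPress controller: `WP_Error`, `is_wp_error()` and the `*_stub()` helpers are simplified stand-ins for the WordPress functions of the same name, and the real method's self-view branch is omitted), the two orderings side by side with a constructed fixture:

```php
<?php
// Added illustration of the reordering proposed in the ticket; not WordPress code.
// WP_Error, is_wp_error() and the *_stub() helpers are minimal stand-ins for WordPress.
class WP_Error {
    public $code, $message, $data;
    public function __construct( $code, $message, $data = array() ) {
        $this->code = $code; $this->message = $message; $this->data = $data;
    }
}
function is_wp_error( $thing ) { return $thing instanceof WP_Error; }
// Constructed fixture: user IDs 1 and 2 exist; the requester holds no capabilities.
function get_user_stub( $id ) {
    return in_array( $id, array( 1, 2 ), true )
        ? (object) array( 'ID' => $id )
        : new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
}
function current_user_can_stub( $cap ) { return false; }
function cannot_view_error() {
    return new WP_Error( 'rest_user_cannot_view', 'Sorry, you are not allowed to list users.',
        array( 'status' => 401 ) );
}
// Ordering the ticket describes: the lookup error returns before the capability check,
// so an unauthorized requester gets 404 for a missing ID and 401 for an existing one.
function permissions_check_original( $id ) {
    $user = get_user_stub( $id );
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( ! current_user_can_stub( 'list_users' ) ) {
        return cannot_view_error();
    }
    return true;
}
// Ordering the ticket proposes: decide on the capability first, so the existence
// error is only surfaced to a requester who may list users anyway.
function permissions_check_reordered( $id ) {
    $user = get_user_stub( $id );
    if ( ! current_user_can_stub( 'list_users' ) ) {
        return cannot_view_error();
    }
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    return true;
}
foreach ( array( 'permissions_check_original', 'permissions_check_reordered' ) as $fn ) {
    $existing = $fn( 1 )->data['status'];   // existing user, unauthorized requester
    $missing  = $fn( 999 )->data['status']; // non-existent user, unauthorized requester
    printf( "%s: existing=%d missing=%d -> %s\n", $fn, $existing, $missing, $existing === $missing ? 'indistinguishable' : 'existence is observable' );
}
```

The original ordering prints 401 for the existing ID and 404 for the missing one; the reordered check returns 401 in both cases, so the response no longer depends on whether the user exists.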
Change History (2)
Disclosure of usernames and user IDs is not a security issue. If you want to get a list of usernames you could just try logging in or use the password reset form to achieve the same.