• Resolved cherryaustin

    (@cherryaustin)


    I accidentally read something about the new JSON WP (v2) API exposing author data. Try this: yourwebsite.com/wp/v2/users. It only outputs details of published authors – but includes additional info which our authors had chosen not to make public.

    Experimenting with other requests, I found that /wp/v2/media outputs the entire media library, including brand-new additions which are unattached. We pay for these images, I don’t want to provide the full directory for free downloads!

    I applied this fix (in my custom plugin, or functions.php would work)

    // Runs when the REST server builds its route table; removing a key here
    // makes that route return a 404 (rest_no_route) for everyone, logged in or not.
    add_filter( 'rest_endpoints', function( $endpoints ){
        // Collection route: /wp-json/wp/v2/users
        if ( isset( $endpoints['/wp/v2/users'] ) ) {
            unset( $endpoints['/wp/v2/users'] );
        }
        // Single-item route: /wp-json/wp/v2/users/<id>
        if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        }
        // Collection route: /wp-json/wp/v2/media
        if ( isset( $endpoints['/wp/v2/media'] ) ) {
            unset( $endpoints['/wp/v2/media'] );
        }
        // Single-item route: /wp-json/wp/v2/media/<id>
        if ( isset( $endpoints['/wp/v2/media/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/media/(?P<id>[\d]+)'] );
        }
        return $endpoints;
    });

    While I can see why you’re so excited about all this, WordPress, you haven’t publicised the vulnerabilities. Most bloggers won’t even know this development has happened, let alone how easy it is to access.

    I’m only a part-time, as-needed developer working on a single blog. It was pure chance that I happened on the information. While I do know how to use JSON, examining your whole API for nasty surprises is beyond my scope. Please make sure we all know the details!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter cherryaustin

    (@cherryaustin)

    – Realised I may not have made my request clear: Please will you explain in simple terms what can be accessed via this API, and recommend adjustments that bloggers may wish to make?

    For instance, I could use this to organise the media library – but I can’t now, because I’ve blocked access to /media. I don’t know how to restrict access to authors & above.

    Other WP users will have different requirements & concerns. I don’t think it wise to keep them in the dark – maybe you could put a simple how-to guide on the admin screen?
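The post above removes the /users and /media routes outright, and the follow-up asks how to restrict them to authors and above instead. The following is an added example, not code from the original poster or from WordPress core: it keeps the routes but wraps each handler's permission_callback so that a caller must be logged in and hold a capability before the request is served. The hook (rest_endpoints), the route keys, the capabilities (list_users, upload_files) and WP_Error are WordPress core; the choice of which capability guards which route is this example's assumption.

```php
<?php
/**
 * Added example (hypothetical plugin code, not from the original thread).
 * Keeps /wp/v2/users and /wp/v2/media registered, but requires an
 * authenticated user with a capability before any handler on those
 * routes runs. Anonymous callers get 401, logged-in users without the
 * capability get 403, and core's own permission check still runs after ours.
 */

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Route prefix => capability the caller must hold (assumed mapping).
    // 'upload_files' is granted to Authors and above by default;
    // 'list_users' is granted to Administrators by default.
    $protected = array(
        '/wp/v2/users' => 'list_users',
        '/wp/v2/media' => 'upload_files',
    );

    foreach ( $endpoints as $route => $handlers ) {
        foreach ( $protected as $prefix => $cap ) {
            // Match the collection route and the /(?P<id>[\d]+) item route.
            if ( 0 !== strpos( $route, $prefix ) ) {
                continue;
            }
            // A route holds several handlers (GET, POST, ...) plus metadata
            // keys such as 'namespace'; only touch entries with a callback.
            foreach ( $handlers as $i => $handler ) {
                if ( ! is_array( $handler ) || ! isset( $handler['callback'] ) ) {
                    continue;
                }
                $original = isset( $handler['permission_callback'] )
                    ? $handler['permission_callback']
                    : null;

                $endpoints[ $route ][ $i ]['permission_callback'] =
                    function ( $request ) use ( $original, $cap ) {
                        if ( ! is_user_logged_in() ) {
                            return new WP_Error(
                                'rest_not_logged_in',
                                'You must be logged in to use this endpoint.',
                                array( 'status' => 401 )
                            );
                        }
                        if ( ! current_user_can( $cap ) ) {
                            return new WP_Error(
                                'rest_forbidden',
                                'You do not have permission to use this endpoint.',
                                array( 'status' => 403 )
                            );
                        }
                        // Preserve core's per-item checks (e.g. status, author).
                        return $original ? call_user_func( $original, $request ) : true;
                    };
            }
        }
    }
    return $endpoints;
} );
```

To check the effect, request the media collection anonymously (assumed site URL) and confirm the JSON body now carries the code rest_not_logged_in with a 401 status rather than the attachment list:

    curl -s -o /dev/null -w '%{http_code}\n' https://yourwebsite.com/wp-json/wp/v2/media

Then repeat with an Author account's credentials (cookie plus nonce, or an Application Password) and confirm the listing is returned. Because the original permission_callback is still invoked, the block-editor and media-library screens keep working for those users; only unauthenticated and under-privileged callers are turned away.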

    Moderator Marius L. J.

    (@clorith)

    Hi there,

    First off, I need to make it very clear that you should never post anything you believe to be a vulnerability publicly; this is a disservice to every WordPress user including yourself. Instead, they should be disclosed responsibly through our HackerOne page.

    Now on to the topic at hand, this is the REST API, it does not disclose anything that isn’t already public information, anything not already public requires you to be logged in as a user with the appropriate capabilities to access.

    As for creating how-tos in the admin screen, this is just throwing confusion at users. If they wish to know about development practices, they should follow the development documentation; it has no place in the interface used by people of all skill levels.

    We also can’t document everything there, the REST API is an extendable part of WordPress that plugins and themes can (and are) building on top of and creating functionality for.

    Thread Starter cherryaustin

    (@cherryaustin)

    OK, I consider my wrist slapped. I don’t know anything like enough about this API to determine whether it exposes actual exploits; I leave that to experts. My concerns were about unpublished content.

    However, I now understand this content is NOT exposed to visitors without correct permissions/capabilities. I apologise – and will go back to: I can see why you’re so excited about it!

  • The topic ‘REST API – Too much exposure!’ is closed to new replies.