Opened 4 years ago

Closed 4 years ago

#2827 closed defect (fixed)

User enumeration

Reported by: glynwintle
Owned by: johnjamesjacoby
Milestone: 2.5.8
Priority: normal
Severity: minor
Version: 2.0
Component: Component - Users
Keywords:
Cc:

Description

User enumeration.
It would be nice to include an option to prevent user enumeration.
This is a feature that is required on systems that are doing security hardening.
Currently, non-logged-in users can enumerate all users by incrementing the number in the URL /wordpress/?bbp_user=2
and via /wp-admin/admin-ajax.php?action=bbp_suggest_user

Change History (5)

#1 @johnjamesjacoby
4 years ago

  • Component changed from General to Component - Users
  • Milestone changed from Awaiting Review to 2.6
  • Owner set to johnjamesjacoby
  • Type changed from enhancement to defect
  • Version changed from trunk to 2.0

Thanks for the ticket. I agree that user enumeration is not ideal, though given how WordPress assigns user IDs numerically this may be difficult to avoid.

I have a few thoughts:

  • The bbp_user method is not unlike the ?author=1 method employed by WordPress itself. I'm not saying bbPress needs to make the same decision, only that the upstream decision has always been that this is not by itself a vulnerability.
  • Logged out users cannot use the bbp_suggest_user method, as the user must also have the moderate capability for the request to return results. That said, it's silly to hook into the nopriv ajax action, so those hooks are worth removing.

For developers wishing to remove the ability to enumerate through forum profiles, the bbp_parse_query() function would need to be unhooked and replaced with something that does not check for numeric user IDs.

#2 @johnjamesjacoby
4 years ago

In 5808:

Admin: Remove _nopriv_ ajax actions.

This commit ensures that admin-area AJAX suggestion results are never presented to logged-out users.

(Note: these requests already have nonce & capability checks on them, so this bit of hardening is only useful to installations that have modified roles & capabilities outside of what is considered to be normal operating parameters, allowing logged-out users to also be forum moderators.)

Hat-tip glynwintle. See #2827. For 2.5.8 (2.5 branch)

#3 @johnjamesjacoby
4 years ago

In 5809:

Admin: Remove _nopriv_ ajax actions.

This commit ensures that admin-area AJAX suggestion results are never presented to logged-out users.

(Note: these requests already have nonce & capability checks on them, so this bit of hardening is only useful to installations that have modified roles & capabilities outside of what is considered to be normal operating parameters, allowing logged-out users to also be forum moderators.)

Hat-tip glynwintle. See #2827. For 2.6.0 (trunk)

#4 @netweb
4 years ago

  • Milestone changed from 2.6 to 2.5.8

#5 @johnjamesjacoby
4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

With changes made in #2828, enumeration is no longer possible on installations with pretty permalinks enabled. For unpretty installations, enumeration is possible similar to querying for author=1 which is currently considered acceptable, though may change in future versions.
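One way to close the remaining gap for installations without pretty permalinks (the ?bbp_user=2 form left open in comment #5) without unhooking bbp_parse_query() as comment #1 describes, plus a guard for the nopriv ajax path on versions that still register it. This is an added example, not bbPress's or WordPress's own code; it assumes a hypothetical mu-plugin file path, that wp_ajax_nopriv_bbp_suggest_user is the hook name WordPress derives from action=bbp_suggest_user, and a WordPress version whose wp_send_json_error() accepts a status code (4.1 or later).

```php
<?php
/*
 * Plugin Name: bbPress numeric-profile hardening (hypothetical example)
 * Assumed location: wp-content/mu-plugins/bbp-no-user-enum.php (assumption).
 */

// True when the raw bbp_user value is a bare numeric ID, the form that can be
// enumerated by counting upward; a nicename such as "glynwintle" returns false.
function bbp_hardening_is_numeric_user_query( $value ) {
    if ( ! is_string( $value ) && ! is_int( $value ) ) {
        return false;
    }
    return (bool) preg_match( '/^[0-9]+\z/', (string) $value );
}

// Policy: refuse numeric profile lookups from visitors who are not logged in.
// Kept free of WordPress calls so it can be exercised from a plain unit test.
function bbp_hardening_should_block( $raw_bbp_user, $is_logged_in ) {
    return ! $is_logged_in && bbp_hardening_is_numeric_user_query( $raw_bbp_user );
}

// Covers the ?bbp_user=2 query-string form. template_redirect fires after
// bbp_parse_query has resolved the profile but before any template output,
// so refusing here leaks neither the user's existence nor their nicename.
add_action( 'template_redirect', function () {
    $raw = isset( $_GET['bbp_user'] ) ? wp_unslash( $_GET['bbp_user'] ) : null;
    if ( bbp_hardening_should_block( $raw, is_user_logged_in() ) ) {
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
} );

// Guard for the admin-ajax path on versions that still register the nopriv
// hook: priority 0 runs before bbPress's own callback (default priority 10),
// and wp_send_json_error() exits, so the suggestion list never reaches a
// logged-out caller however roles and capabilities have been customised.
add_action( 'wp_ajax_nopriv_bbp_suggest_user', function () {
    wp_send_json_error( array( 'message' => 'Authentication required' ), 403 );
}, 0 );
```

Logged-in users and nicename URLs are unaffected, so existing profile links keep working while the incrementing-ID probe gets a uniform 404.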
