BUG: access_token with admin rights for all?
-
I found a big error (sort of). Actions:
1) We log in in the standard way, get an access token and a refresh token for the ‘test ‘ user.
Request body:
{“username”: “test”, “password”: “123”}
2) I make a request for /wp-json/wp/v2/users/me and get the user test. Fine!
3) I take the refresh token, call /wp-json/api-bearer-auth/v1/tokens/refresh without header. I am not putting authentication in the header. I get a new access token.
Request body:
{“token”: “… refresh token …”}
4) I take the received new access token, put it in the authorization header and call /wp-json/wp/v2/users/me again. I get the ‘admin’ user. admin has id = 1.This is definitely a very serious bug. It turns out that any user can get administrative rights simply by having a refresh token.
WordPress 5.4.2
API Bearer 20200717Also change user password not set access and refresh tokens to invalid
Me using postman for tests.
-
I checked MySQL DB:
call Bearer API for refresh token refresh access token for admin and test users (maybe, for all users?).Update: yes, for all user in it table.
Okay, I checked source code of plugin (db.php), and we have:
$wpdb->query($wpdb->prepare(“UPDATE ” . $wpdb->base_prefix . “user_tokens
SET access_token = %s,
access_token_valid = %s”, $token[‘token’], $token[‘expires_datetime’]))This query not containg ‘WHERE’, and we have update all users tokens.
Please, fix it. You should add ‘… WHERE user_id = %d’ … $user_id
UPDATE:
Working fix:
if ($wpdb->query($wpdb->prepare(“UPDATE ” . $wpdb->base_prefix . “user_tokens
SET access_token = %s,
access_token_valid = %s WHERE user_id = %d”, $token[‘token’], $token[‘expires_datetime’], $user_id)))
- The topic ‘BUG: access_token with admin rights for all?’ is closed to new replies.
