• Hey,
    we are using your plugin for one of our clients. It was possible there to bypass the 401 by adding %2f%2f at the end of the URL -> /wp-json%2f%2f

    We investigated the issues further and found out that PHP gets passed different PATH_INFOs for NGINX and Apache: empty vs /wp-json/

    When coming then to your code in /wp-content/plugins/disable-json-api/classes/disable-rest-api.php, on line 93 is_route_allowed gets called, and in our NGINX case the $currentRoute variable was set to '' – instead of '/' in Apache. The problem with this was that '' was matched neither by the allowed routes nor by the disallowed routes, which is why the default true got returned and visitors were able to get a valid response even though they shouldn't.

    So the fix on our side was the following in the is_route_allowed function at top:

    if( empty( $currentRoute ) ) {
        $currentRoute = '/';
    }

    Would be great if you could apply a fix here.

    All the best
    Lukas from Sunlime Web Innovations GmbH
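
The fail-open behaviour described in the post above, as an added example that is not part of the original post and not code from any plugin. The route lists and the matching helper are hypothetical assumptions; only the names is_route_allowed and $currentRoute come from the post. The hardened variant applies the reporter's empty-route normalisation and goes one step further by denying unmatched routes by default.

```php
<?php
// Hypothetical allow/deny lists, constructed for this illustration.
const ALLOWED_ROUTES    = ['/oembed/1.0'];
const DISALLOWED_ROUTES = ['/', '/wp/v2'];

// Hypothetical matcher: exact match, or the route sits below a listed prefix.
function route_matches(string $route, array $prefixes): bool {
    foreach ($prefixes as $prefix) {
        if ($route === $prefix) {
            return true;
        }
        if ($prefix !== '/' && strpos($route, rtrim($prefix, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Fail-open shape from the report: a route on neither list falls through to true.
function is_route_allowed_fail_open(string $currentRoute): bool {
    if (route_matches($currentRoute, ALLOWED_ROUTES)) {
        return true;
    }
    if (route_matches($currentRoute, DISALLOWED_ROUTES)) {
        return false;
    }
    return true; // '' (empty PATH_INFO) ends up here
}

// Hardened shape: normalise first, then allow only what is explicitly listed.
function is_route_allowed_hardened(string $currentRoute): bool {
    // Collapse repeated slashes, force a leading slash, map '' to '/'.
    $collapsed = (string) preg_replace('#/+#', '/', $currentRoute);
    $route     = '/' . trim($collapsed, '/');
    return route_matches($route, ALLOWED_ROUTES); // default deny
}

// Constructed sample routes, including the empty value seen behind NGINX.
foreach (['', '/', '//', '/wp/v2/users', '/oembed/1.0/embed'] as $route) {
    printf(
        "%-20s fail_open=%-5s hardened=%s\n",
        var_export($route, true),
        var_export(is_route_allowed_fail_open($route), true),
        var_export(is_route_allowed_hardened($route), true)
    );
}
```
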

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Hi Lukas,

    I appreciate the detailed report, but not sure if this is the correct plugin..?

    I ask because neither is_route_allowed nor $currentRoute is used, called, or included anywhere in the plugin source code.

    Unless I am missing something?

    Plugin Author Jeff Starr

    (@specialk)

    Hi Lukas, just wondering if you still need help with this, or got my reply..?

    Let me know how I can help, thank you.

    Hi Jeff, sorry for bothering you, and thank you for your fast reply – indeed we are using a different plugin. Sorry for any inconvenience we have caused here.

    Kind regards

    Lukas

    Plugin Author Jeff Starr

    (@specialk)

    All good, thanks for letting me know.

    Cheers, Lukas.
