Date: Mon, 23 Dec 2013 09:28:53 -0500 (EST) From: cve-assign@...re.org To: ratulg@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: wordpress: information leakage and backdoor vulnerabilities in writing settings -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > It was found that the login and password from e-mail are saved in DB > in plain text We don't currently understand how any of this information could qualify for a CVE assignment. As far as we can tell, the use of cleartext credentials is an intentional design choice to support the "Post via e-mail" feature described on the http://codex.wordpress.org/Settings_Writing_Screen web page. Essentially, this feature requires the ability to send USER and PASS commands outbound to a POP3 server during unattended operation. The USER and PASS arguments must be sent as cleartext. Therefore, the product must have the cleartext credentials at connection time. Although one could envision an alternative approach in which the stored credentials are reversibly encrypted, we don't feel that that's been established as a design requirement. Similarly, one might argue that the product should not be using this specific outbound POP3 approach to control posting, but it seems reasonable that there was customer demand for this. > Also, this functionality can be used as backdoor. When attacker's > e-mail is set in options Writing Settings, from which the posts will > be published at web site. With XSS code, with black SEO links, with > malware code, etc. This seems to mean that, after a compromise, an attacker could decide to use the "Post via e-mail" feature instead of one of the other posting options. This does not seem to cross privilege boundaries, and the availability of the "Post via e-mail" feature does not seem to be an implementation mistake. We don't happen to know whether "XSS code" is any easier to insert when using "Post via e-mail" posting instead of another type of posting. However, in WordPress, an admin typically has the unfiltered_html capability anyway (see the http://codex.wordpress.org/Roles_and_Capabilities web page). Admittedly, there is some risk in supporting stored "Post via e-mail" data that perhaps is entered by only a tiny fraction of legitimate customers, and might be missed during an incomplete cleanup from a compromise. However, "might be missed during an incomplete cleanup" situations are not really within the scope of CVE. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSuEguAAoJEKllVAevmvms6akH/i7WAlOURAetaPvdRY+TMVm2 aqWDXRsL8pNClP5W6zplBy5IU5XgBMXPsJepd2Z3uyg5kTQemmIXBd4X+B1qoy5/ WZPGn2BROjiIB1dtPvY+xhM2NURzpoprdfRnmGyqLgzt1L4OnbcYPIKxPV3WJyEK 0ZNT6UwyNikyiuryh4F55wHS1evUOJjLXUBSphQboDrZm4BxcuLOS7yjhs/JPa4O laOAy024Fofi24NEFHWBZjokQA4s1Sj4MkyKTOPZ3UaoenY8Vti45uPQMdRCP+V+ zKYazeLS0wbFwlmvyTUHhpyCu4RYJcoTTleuIyazv4XfgAH91Z9dc9bBGMNkrPE= =VTS5 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.