Date: Mon, 23 Dec 2013 09:28:53 -0500 (EST)
Subject: Re: CVE Request: wordpress: information leakage and backdoor vulnerabilities in writing settings

> It was found that the e-mail login and password are saved in the DB
> in plain text

We don't currently understand how any of this information could
qualify for a CVE assignment. As far as we can tell, the use of
cleartext credentials is an intentional design choice to support the
"Post via e-mail" feature described on the web page.
Essentially, this feature requires the ability to send USER and PASS
commands outbound to a POP3 server during unattended operation. The
USER and PASS arguments must be sent as cleartext. Therefore, the
product must have the cleartext credentials at connection time.
Although one could envision an alternative approach in which the
stored credentials are reversibly encrypted, we don't feel that that's
been established as a design requirement. Similarly, one might argue
that the product should not be using this specific outbound POP3
approach to control posting, but it seems reasonable that there was
customer demand for this.

> Also, this functionality can be used as a backdoor, when the attacker's
> e-mail address is set in the Writing Settings options, from which the
> posts will then be published on the web site: with XSS code, with black
> SEO links, with malware code, etc.

This seems to mean that, after a compromise, an attacker could decide
to use the "Post via e-mail" feature instead of one of the other
posting options. This does not seem to cross privilege boundaries, and
the availability of the "Post via e-mail" feature does not seem to be
an implementation mistake. We don't happen to know whether "XSS code"
is any easier to insert when using "Post via e-mail" posting instead
of another type of posting. However, in WordPress, an admin typically
has the unfiltered_html capability anyway (see the web page).

Admittedly, there is some risk in supporting stored "Post via e-mail"
data that perhaps is entered by only a tiny fraction of legitimate
customers, and might be missed during an incomplete cleanup from a
compromise. However, "might be missed during an incomplete cleanup"
situations are not really within the scope of CVE.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
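One defender-side check that follows from the reply above, as an added example that is not code from the thread or from WordPress itself: read a wp_options export and report whether "Post via e-mail" has been configured at all and whether it still points at the mail server and login the site owner expects, so the stored POP3 credentials are not overlooked during a post-compromise cleanup. The placeholder values are the ones WordPress ships for these options; the tab-separated export format and the sample rows are constructed for the demo.

```python
# Added, defender-side check; not code from the thread or from WordPress itself.
# WordPress ships these placeholder values in populate_options(); an unchanged
# set means "Post via e-mail" was never configured on this site.
WP_DEFAULTS = {
    "mailserver_url": "mail.example.com",
    "mailserver_login": "login@example.com",
    "mailserver_pass": "password",
    "mailserver_port": "110",
}

# Constructed sample in the shape of a `mysql --batch` (tab-separated) export of
# wp_options; the foreign mailbox below is invented for the demonstration.
SAMPLE_EXPORT = """option_name\toption_value
siteurl\thttps://blog.example.org
mailserver_url\tpop.mailbox.invalid
mailserver_login\tdrop@mailbox.invalid
mailserver_pass\tsecret-in-cleartext
mailserver_port\t995
"""


def parse_options_export(text):
    """Turn a tab-separated option_name/option_value dump into a dict."""
    options = {}
    for line in text.splitlines():
        name, sep, value = line.partition("\t")
        if not sep or name == "option_name":  # skip blank lines and the header row
            continue
        options[name.strip()] = value.strip()
    return options


def audit_post_via_email(options, expected_host=None, expected_login=None):
    """Return review findings for the responder; an empty list means nothing to check."""
    current = {k: options.get(k, default) for k, default in WP_DEFAULTS.items()}
    keys = ("mailserver_url", "mailserver_login", "mailserver_pass")
    if all(current[k] == WP_DEFAULTS[k] for k in keys):
        return []  # still at the shipped placeholders: feature not in use
    findings = ["Post via e-mail is configured; the POP3 login and password "
                "are stored cleartext in wp_options and should be reviewed"]
    if expected_host is not None and current["mailserver_url"] != expected_host:
        findings.append(f"mailserver_url={current['mailserver_url']!r} (expected {expected_host!r})")
    if expected_login is not None and current["mailserver_login"] != expected_login:
        findings.append(f"mailserver_login={current['mailserver_login']!r} (expected {expected_login!r})")
    return findings


if __name__ == "__main__":
    for finding in audit_post_via_email(parse_options_export(SAMPLE_EXPORT),
                                        "pop.blog.example.org", "editor@blog.example.org"):
        print("REVIEW:", finding)
```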

