oss-sec mailing list archives

Re: CVE Request: wordpress: information leakage and backdoor vulnerabilities in writing settings


From: cve-assign () mitre org
Date: Mon, 23 Dec 2013 09:28:53 -0500 (EST)

> It was found that the login and password from e-mail are saved in the DB
> in plain text

We don't currently understand how any of this information could
qualify for a CVE assignment. As far as we can tell, the use of
cleartext credentials is an intentional design choice to support the
"Post via e-mail" feature described on the
http://codex.wordpress.org/Settings_Writing_Screen web page.
Essentially, this feature requires the ability to send USER and PASS
commands outbound to a POP3 server during unattended operation. The
USER and PASS arguments must be sent as cleartext. Therefore, the
product must have the cleartext credentials at connection time.
Although one could envision an alternative approach in which the
stored credentials are reversibly encrypted, we don't feel that that's
been established as a design requirement. Similarly, one might argue
that the product should not be using this specific outbound POP3
approach to control posting, but it seems reasonable that there was
customer demand for this.

> Also, this functionality can be used as a backdoor, when an attacker's
> e-mail is set in the Writing Settings options, from which the posts will
> be published at the web site: with XSS code, with black SEO links, with
> malware code, etc.

This seems to mean that, after a compromise, an attacker could decide
to use the "Post via e-mail" feature instead of one of the other
posting options. This does not seem to cross privilege boundaries, and
the availability of the "Post via e-mail" feature does not seem to be
an implementation mistake. We don't happen to know whether "XSS code"
is any easier to insert when using "Post via e-mail" posting instead
of another type of posting. However, in WordPress, an admin typically
has the unfiltered_html capability anyway (see the
http://codex.wordpress.org/Roles_and_Capabilities web page).

Admittedly, there is some risk in supporting stored "Post via e-mail"
data that perhaps is entered by only a tiny fraction of legitimate
customers, and might be missed during an incomplete cleanup from a
compromise. However, "might be missed during an incomplete cleanup"
situations are not really within the scope of CVE.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
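The point above about USER and PASS going out as cleartext can be seen on the wire. The following is an added example, not code from WordPress or from this thread: it uses Python's standard-library poplib client (rather than WordPress's PHP) against a constructed in-process fake POP3 server, and returns the commands exactly as the server received them. The credentials are made up.

```python
import socket
import threading
import poplib


def run_fake_pop3(conn, captured):
    """Constructed minimal POP3 server: answers +OK to everything and
    records each command line it receives, as a packet capture would."""
    f = conn.makefile("rwb")
    f.write(b"+OK fake POP3 ready\r\n")
    f.flush()
    while True:
        line = f.readline()
        if not line:
            break
        captured.append(line.decode().rstrip("\r\n"))
        cmd = line.split()[0].upper()
        if cmd == b"QUIT":
            f.write(b"+OK bye\r\n")
            f.flush()
            break
        f.write(b"+OK\r\n")
        f.flush()
    conn.close()


def pop3_login_transcript(user, password):
    """Log in with poplib (unencrypted POP3, no STARTTLS) and return the
    command lines as the server saw them. The USER/PASS values arrive
    verbatim: the client has to hold them in cleartext at connection time."""
    captured = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral local port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept():
        conn, _ = srv.accept()
        run_fake_pop3(conn, captured)

    t = threading.Thread(target=accept)
    t.start()
    client = poplib.POP3("127.0.0.1", port, timeout=5)
    client.user(user)
    client.pass_(password)
    client.quit()
    t.join()
    srv.close()
    return captured


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(pop3_login_transcript("blog-poster@example.com", "s3cret-pass"))
```

Wrapping the stored value in reversible encryption, the alternative the reply mentions, only changes what sits in the database; the same cleartext string still has to be reconstructed before `pass_()` is called.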