Disputed / BOGUS

WordPress information leakage and backdoor in writing settings

Published: 2013.12.23
Credit: MustLive
Risk: High
CWE: N/A
CVE: N/A
Local: No
Remote: Yes

Hello list!

As I announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPress 3. On 30.11.2013 I disclosed many new vulnerabilities in WordPress. I've disclosed 10 holes (they were placed on my site for your attention). And this is a translation of the first part of these holes.

These are Information Leakage and Backdoor vulnerabilities in WordPress, which I have known about since June 2006, and they are still present in all versions of WP.

-------------------------
Affected products:
-------------------------

Vulnerable are WordPress 3.7.1 and previous versions, and also WP 3.8, which was released on 14.12.2013 (since developers traditionally made their new version "vulnerabilities compatible").

----------
Details:
----------

Information Leakage (WASC-13):

The login and password for the e-mail account are saved in the DB in plain text (unencrypted) in Writing Settings (http://site/wp-admin/options-writing.php), if this functionality is used. So by retrieving data from the DB via an SQL Injection or Information Leakage vulnerability, or by retrieving the content of this page via XSS, or by accessing the admin panel via any vulnerability, it's possible to get the login and password for the e-mail account.

This allows taking over this site (including in the future, via the password recovery function) and other sites that have a password recovery function which sends letters to this e-mail, because a user may use his main e-mail account in the settings (I saw such cases on the Internet). This is a complete jackpot.

Backdoor:

This functionality can also be used as a backdoor, when the attacker's e-mail is set in the Writing Settings options, from which posts will be published on the web site: with XSS code, with black SEO links, with malware code, etc.

------------
Timeline:
------------
2013.11.30 - disclosed on my site (http://websecurity.com.ua/6905/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
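
An administrator can check whether the Post via e-mail settings described above are in use on a site by inspecting the options table. The following is an added example, not part of the original post or of WordPress itself. It assumes the default `wp_` table prefix, the option names `mailserver_url`, `mailserver_login`, `mailserver_pass` and `mailserver_port`, and stock install values as listed in the code; an in-memory SQLite table with constructed rows stands in for the site's MySQL database.

```python
import sqlite3

# Option names WordPress uses for the Post via e-mail settings, with the
# placeholder values assumed to be written by a stock install.
STOCK = {
    "mailserver_url": "mail.example.com",
    "mailserver_login": "login@example.com",
    "mailserver_pass": "password",
    "mailserver_port": "110",
}

QUERY = (
    "SELECT option_name, option_value FROM wp_options "
    "WHERE option_name IN (%s)" % ",".join("?" * len(STOCK))
)


def audit_post_by_email(conn):
    """Return findings about Post via e-mail settings; never echo the password."""
    rows = dict(conn.execute(QUERY, tuple(STOCK)))
    changed = sorted(k for k, v in rows.items() if v and v != STOCK[k])
    findings = []
    if "mailserver_pass" in changed:
        findings.append("mailserver_pass holds a non-default value stored as plain text")
    if {"mailserver_url", "mailserver_login"} & set(changed):
        findings.append(
            "Post via e-mail points at %s as %s; confirm an administrator set this"
            % (rows.get("mailserver_url"), rows.get("mailserver_login"))
        )
    return findings


def sample_db(overrides):
    """Build a constructed in-memory wp_options table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", {**STOCK, **overrides}.items())
    return conn


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    configured = sample_db({"mailserver_url": "pop.mail.test",
                            "mailserver_login": "blog@mail.test",
                            "mailserver_pass": "constructed-secret"})
    for finding in audit_post_by_email(configured):
        print(finding)
```

An empty result means the settings still hold the assumed stock values, so no mailbox credentials are stored and no mailbox is being polled for posts.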


References:

http://seclists.org/oss-sec/2013/q4/539
https://bugzilla.redhat.com/show_bug.cgi?id=1045416
http://seclists.org/oss-sec/2013/q4/538
http://seclists.org/fulldisclosure/2013/Dec/135


Copyright 2017, cxsecurity.com