|
Message-ID: <52B7CE84.1000809@redhat.com> Date: Mon, 23 Dec 2013 11:17:48 +0530 From: Ratul Gupta <ratulg@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE Request: wordpress: information leakage and backdoor vulnerabilities in writing settings Hello, https://bugzilla.redhat.com/show_bug.cgi?id=1045416 It was found that the login and password from e-mail are saved in DB in plain text (unencrypted) in Writing Settings (http://site/wp-admin/options-writing.php), if this functionality is used. So by receiving data from DB via SQL Injection or Information Leakage vulnerability, or by receiving content of this page via XSS, or by accessing admin panel via any vulnerability, it's possible to get login and password from e-mail account. Also, this functionality can be used as backdoor. When attacker's e-mail is set in options Writing Settings, from which the posts will be published at web site. With XSS code, with black SEO links, with malware code, etc. Can a CVE please be assigned to this? -- Regards, Ratul Gupta / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.