lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 16 Dec 2013 20:09:17 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Information Leakage and Backdoor vulnerabilities
	in WordPress

Hello list!

As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), 
I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new 
vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at 
my site for your attention). And this is translation of the first part of 
these holes.

These are Information Leakage and Backdoor vulnerabilities in WordPress. 
Which I knew since June 2006 and they are still actual for all versions of 
WP.

-------------------------
Affected products:
-------------------------

Vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which 
was released at 14.12.2013 (since developers traditionally made their new 
version "vulnerabilities compatible").

----------
Details:
----------

Information Leakage (WASC-13):

The login and password from e-mail are saved in DB in plain text 
(unencrypted) in Writing Settings 
(http://site/wp-admin/options-writing.php), if this functionality is used. 
So by receiving data from DB via SQL Injection or Information Leakage 
vulnerability, or by receiving content of this page via XSS, or by accessing 
admin panel via any vulnerability, it's possible to get login and password 
from e-mail account.

Which allows to take over this site (including in the future, via password 
recovery function) and other sites, where there is password recovery 
function, which will send letters to this e-mail. Because an user may use 
his main e-mail account in the settings (I saw such cases in Internet). This 
is complete jackpot.

Backdoor:

This functionality also can be used as backdoor. When attacker's e-mail is 
set in options Writing Settings, from which the posts will be published at 
web site. With XSS code, with black SEO links, with malware code, etc.

------------
Timeline:
------------ 

2013.11.30 - disclosed at my site (http://websecurity.com.ua/6905/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ