Danger: Easy to see Postie users password | WordPress.org

Resolved shenry
(@shenry)

12 years, 2 months ago

While Google searching for more information about the meaning of a term used in Postie set-up, “Set to no if using markdown or textitle syntax.” The search revealed the set up/password pages fro several sites using Postie. For example: http://www.familywealthmatters.com/wp-content/plugins/postie/config_form.php

http://www.zesti.net/wp-content/plugins/postie/config_form.php

It seems that by simply adding “wp-content/plugins/postie/config_form.php” to the end of a URL will show the email users and passwords.

http://wordpress.org/extend/plugins/postie/

Viewing 3 replies - 1 through 3 (of 3 total)

DonDieselkopf
(@dondieselkopf)

12 years, 2 months ago

I cannot confirm this bevahiour. The version installed is 1.4.3. Navigating to this address does not show any passwords or the like.

johnnytucats
(@johnnytucats)

12 years, 1 month ago

I went to the first link and got the php page “Postie Options” showing all of the settings including the password. Yes…Danger!

Thanks for this post…I’ll pass on Postie.

DonDieselkopf
(@dondieselkopf)

12 years, 1 month ago

Common guys, calm down! This has long been solved. Look at the readme files:

http://www.familywealthmatters.com/wp-content/plugins/postie/readme.html
http://www.zesti.net/wp-content/plugins/postie/readme.txt

They are both running some outdated versions “1.3.testing (2009.06.xx)” and “1.2.3 (2009.05.17)”.

Check this with the most recent Postie version 1.4.3 – it’s completely safe.

How about passing this on to the two vulnerable sites quoted?

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Danger: Easy to see Postie users password’ is closed to new replies.

Tags

password

In: Plugins
3 replies
3 participants
Last reply from: DonDieselkopf
Last activity: 12 years, 1 month ago
Status: resolved