WordPress.org

Ready to get started?Download WordPress

Forums

Postie
Danger: Easy to see Postie users password (4 posts)

  1. shenry
    Member
    Posted 2 years ago #

    While Google searching for more information about the meaning of a term used in Postie set-up, "Set to no if using markdown or textitle syntax." The search revealed the set up/password pages fro several sites using Postie. For example: http://www.familywealthmatters.com/wp-content/plugins/postie/config_form.php

    http://www.zesti.net/wp-content/plugins/postie/config_form.php

    It seems that by simply adding "wp-content/plugins/postie/config_form.php" to the end of a URL will show the email users and passwords.

    http://wordpress.org/extend/plugins/postie/

  2. DonDieselkopf
    Member
    Posted 2 years ago #

    I cannot confirm this bevahiour. The version installed is 1.4.3. Navigating to this address does not show any passwords or the like.

  3. johnnytucats
    Member
    Posted 2 years ago #

    I went to the first link and got the php page "Postie Options" showing all of the settings including the password. Yes...Danger!

    Thanks for this post...I'll pass on Postie.

  4. DonDieselkopf
    Member
    Posted 2 years ago #

    Common guys, calm down! This has long been solved. Look at the readme files:

    http://www.familywealthmatters.com/wp-content/plugins/postie/readme.html
    http://www.zesti.net/wp-content/plugins/postie/readme.txt

    They are both running some outdated versions "1.3.testing (2009.06.xx)" and "1.2.3 (2009.05.17)".

    Check this with the most recent Postie version 1.4.3 - it's completely safe.

    How about passing this on to the two vulnerable sites quoted?

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic