[wp-trac] [WordPress Trac] #42967: New admin email change feature should be rolled back
WordPress Trac
noreply at wordpress.org
Sat Dec 23 01:25:51 UTC 2017
#42967: New admin email change feature should be rolled back
-----------------------------+------------------------------
Reporter: johndeebdd | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by johndeebdd):
Thank you, Clorith. I don't think I'm making myself clear. This is an issue
for sysadmins, not shared hosting customers. I'll summarize:
This is a NEW feature, nothing to do with how emails work. The new feature
is that as of 4.9, when you change the admin email in a single site, you
must confirm the email before the change takes place, like when a new user
registers. But this new action restriction is placed on a LOGGED IN ADMIN.
The stated purpose of this new feature, as per the announcement, is "The
intention is to make it more difficult for an attacker to take over a user
account or a site by changing the email address associated with the user
or the site, and also to reduce the chance of a mistaken or erroneous
change causing you to get locked out."
The author of this feature thought he was confirming if the recipient
email is valid. That's only half true. It's also inadvertently testing if
the server can SEND emails. I don't think that was considered. In other
words, for the admin to do this action, he has to be logged in via the
normal WordPress auth cookie AND the server has to successfully connect to
outgoing SMTP. This is the absolute only setting in WordPress that
requires the system to also have credentials to an outside service not
listed in the wp-config.php file. SMTP is, by definition, an outside
service, and admin actions shouldn't be restricted in a new way like this.
Additionally, it doesn't actually provide the protection it thinks it
does, since a logged in admin can run arbitrary code and alter the site
email anyway.
Also note that many applications use WordPress without having access to
outgoing mail. Now they cannot change the admin email of the site.
It seems the initial desire was to improve security. It doesn't do that,
but it DOES create new restrictions on how WordPress can be installed and
used. Previously, an admin could change the site's email. Now the admin
must have outgoing SMTP access to do this, and that access is controlled
outside of WordPress, but WordPress still relies on it. All the while
still allowing this logged in user to run arbitrary code and defeat the
new restriction in any case.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42967#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
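The comment above makes two technical claims: that the 4.9 confirmation step fails closed when the server cannot send mail, and that a logged-in admin (or anyone with code execution on the install) can set the site email without going through it. The following must-use plugin is an added illustration of both points; it is not code from the ticket, the commenter, or WordPress core. It assumes a hypothetical constant WP_FORCE_ADMIN_EMAIL defined in wp-config.php, and it relies on core writing the pending change into the new_admin_email and adminhash options (the names used by update_option_new_admin_email() in 4.9; verify against the version you run). The function and option names below other than the core API calls (update_option, delete_option, get_option, is_email, wp_mail, add_action) are this example's own.

```php
<?php
/**
 * Plugin Name: Force admin_email from wp-config.php (illustrative mu-plugin)
 *
 * Drop into wp-content/mu-plugins/. Added example, not WordPress core code.
 * Assumed, not a core constant: WP_FORCE_ADMIN_EMAIL, set in wp-config.php as
 *     define( 'WP_FORCE_ADMIN_EMAIL', 'ops@example.com' );
 */

// Set admin_email directly, skipping the confirmation mail that 4.9 sends
// when new_admin_email is updated from the Settings screen. Writing
// admin_email itself never fires that hook, which is exactly the bypass
// the ticket describes. Returns true only when the stored value changed.
function force_admin_email( $email ) {
	if ( ! is_email( $email ) ) {
		return false;
	}

	$changed = false;
	if ( get_option( 'admin_email' ) !== $email ) {
		$changed = (bool) update_option( 'admin_email', $email );
	}

	// Clear any pending change left by an earlier Settings-screen attempt,
	// otherwise the screen keeps showing "There is a pending change ...".
	// Option names assumed from core's update_option_new_admin_email().
	delete_option( 'new_admin_email' );
	delete_option( 'adminhash' );

	return $changed;
}

// Probe whether this install can send outgoing mail at all, which is the
// hidden precondition the confirmation flow imposes. wp_mail() returns
// false on a send failure and fires wp_mail_failed with a WP_Error, so
// capture that error for the caller instead of letting it vanish.
function admin_email_mail_probe( $to ) {
	$failure = null;
	$capture = function ( $error ) use ( &$failure ) {
		$failure = $error; // WP_Error from PHPMailer
	};

	add_action( 'wp_mail_failed', $capture );
	$sent = (bool) wp_mail(
		$to,
		'admin_email mail probe',
		'If you received this, outgoing mail from this WordPress install works.'
	);
	remove_action( 'wp_mail_failed', $capture );

	return array(
		'sent'  => $sent,
		'error' => $failure ? $failure->get_error_message() : '',
	);
}

// Apply the forced value on every request, including WP-CLI runs, so the
// address is pinned by configuration rather than by a one-off UI action.
add_action( 'init', function () {
	if ( defined( 'WP_FORCE_ADMIN_EMAIL' ) ) {
		force_admin_email( WP_FORCE_ADMIN_EMAIL );
	}
} );
```

With the constant defined, the next request (or a `wp option get admin_email` under WP-CLI, which also runs `init`) shows the new address with no confirmation mail involved. Running `admin_email_mail_probe()` from `wp eval` on a host with no outgoing SMTP returns `sent => false` with the PHPMailer error message, which is the failure the Settings-screen flow silently turns into "the change never takes effect".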