[wp-trac] [WordPress Trac] #42967: New admin email change feature should be rolled back
WordPress Trac
noreply at wordpress.org
Sat Dec 23 16:03:17 UTC 2017
#42967: New admin email change feature should be rolled back
-----------------------------+------------------------------
Reporter: johndeebdd | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9
Severity: normal | Resolution:
Keywords: close | Focuses:
-----------------------------+------------------------------
Comment (by johndeebdd):
> Here's the current flow:
>
> - User is registered with the email address `username at hotmail.com`
> - User goes into their profile page in the WordPress admin
> - User edits the ''email'' field and changes it to `username at gmail.com`
> - WordPress sends an email to **`username at gmail.com`** with a link to click to confirm the address change
> - User clicks the link in the email to change their address
> - WordPress sends an email to `username at hotmail.com` with information that the address has now been changed to `username at gmail.com`
>
> No access to the old address is required, it is merely included in the flow as a courtesy (and security precaution, in case of a malicious change the user is now made aware of that change) to inform of an already completed change.
>
> ---
>
> Honestly, for the vast majority of users, this behavior isn't a problem (and for many, probably expected as most services you encounter these days require email verification on edits), as such I would say this is a `wontfix` issue, as the behavior can be controlled via filters and actions for those unhappy with the implementation, but will leave it open for final input by the implementing developer.
>
> The `send_email_change_email` filter will allow you to prevent sending the email, and also provides you with the data the user supplied, this can be used to override things and store the new email straight away.
You're looking at it from the point of view of a shared hosting user.
You're not looking at it from the point of view of a sys admin who has to
install WordPress themselves. How can WordPress SEND an email if you don't
have access to the OLD email? What if the OLD email was set up as
"dummy at local.dev"? You don't need external SMTP to install WordPress, but
as of now, you do in fact need it to CHANGE the email. So you can install
it fine, just not change it [yet you can run arbitrary code]. That's weird
- and new, and a unique case in WordPress.
Here is how WordPress is set up:
- WordPress receives an HTTP request and is activated without wp-config
and goes into install mode.
- DB creds are entered, and the system asks the admin for an email WHICH
IS NOT CONFIRMED, JUST ACCEPTED. I think this is the misunderstanding. You
DO NOT need to confirm the initial admin email, and this is absolutely by
design. i.e. localhost installs, single page apps. There are MANY uses of
WordPress besides blogging on a shared host with email set up. I was
brought here because this caused a problem in one of my apps.
The CHANGE:
Previously, admins could change the site email without a confirmation. For
instance, they STILL can create users without email confirmation. The
change is that they cannot change the site email. This is absolutely
different from other emails, and doesn't make sense. It was made by
someone who doesn't understand that on single sites, there is no "super
admin", just "admin" who is the penultimate. The change assumes there is
someone besides the "admin" who could control outgoing SMTP, this isn't
the case.
Questions:
-------------------------------------
What is the benefit to create this new restriction?
Do you understand this is a NEW thing, that previously an admin could
operate WordPress without restriction, and now this additional restriction
has been made?
-------------------------------------
Do you understand this creates a new class of settings? This is the ONLY
setting in WordPress which has this characteristic:
- This setting cannot be changed by the logged in user with capabilities to in fact change it
- This same user [a logged in single site admin] CAN run arbitrary code
- This same user CAN still actually affect to change the setting, they just need to know PHP - this is a SERIOUS security flaw. A co-admin might assume another admin couldn't change the site email, since he can't. But the co-admin would be wrong! This is the only example of this in the system.
- This setting requires external send SMTP to be changed by a logged in admin
-------------------------------------
Do you understand this is a CHANGE, that previously no setting existed
with the characteristic?
-------------------------------------
Do you understand that if you install WordPress without external SMTP, you
can never change the admin email within WordPress [but not really, because
you can run arbitrary code]?
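As an added defender-side example (not code from the ticket or from WordPress core): a must-use plugin that records every change to the `admin_email` option and sends a courtesy notice to the previous address, which covers the direct-PHP case the comment above worries about. It relies on the generic `update_option_{$option}` action; treating the `adminhash` query parameter as the marker of the confirmation-link path is an assumption, and the function name is made up.

```php
<?php
/**
 * Plugin Name: Admin email change audit (constructed example)
 *
 * update_option_{$option} fires on every successful update of the option,
 * whether it came from the confirmation link in options.php or from a
 * direct update_option() call in arbitrary code, so a programmatic change
 * is still logged and the previous address is still told about it.
 */
add_action( 'update_option_admin_email', 'ticket_example_admin_email_changed', 10, 3 );

function ticket_example_admin_email_changed( $old_value, $value, $option ) {
    $user  = wp_get_current_user();
    $actor = $user->exists()
        ? $user->user_login . ' (ID ' . $user->ID . ')'
        : 'no logged-in user (CLI, cron or code)';

    // Assumption: the confirmation link carries ?adminhash=...; anything else
    // is treated as a direct update_option() call from code.
    $via = isset( $_GET['adminhash'] ) ? 'confirmation link' : 'direct update_option() call';

    $message = sprintf(
        'admin_email changed from %s to %s by %s via %s at %s',
        $old_value, $value, $actor, $via, gmdate( 'c' )
    );

    // Always keep a local record; this needs no outbound mail at all.
    error_log( '[admin-email-audit] ' . $message );

    // Best-effort notice to the previous address when mail delivery works.
    if ( is_email( $old_value ) && $old_value !== $value ) {
        wp_mail( $old_value, 'Site admin email was changed', $message );
    }
}
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be deactivated from the admin screens.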
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42967#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform