WordPress, the most popular CMS in the world, is affected by a logic flaw that, under certain circumstances, lets a remote attacker obtain the password reset link sent to a targeted user and thereby reset that user's password.
The vulnerability (CVE-2017-8295) is made worse by the fact that it affects every version of WordPress released so far, including the latest, 4.7.4.
The flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers in July last year and reported to the WordPress security team, which has not shipped a fix since, leaving millions of websites exposed.
"This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website," Golunski wrote in an advisory published today. "As there has been no progress, in this case, this advisory is finally released to the public without an official patch."

Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer library that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application.
The vulnerability lies in the way WordPress builds the password reset email for the user whose reset has been requested.
Normally, when a user asks to reset his or her password through the "forgot password" option, WordPress immediately generates a unique secret token, embeds it in a reset link and sends that link to the email address already stored for the user in the database.
What's the Vulnerability?
While sending this email, WordPress reads the SERVER_NAME variable provided by the web server (PHP's $_SERVER['SERVER_NAME']) to learn its own hostname, and uses that hostname to build the From and Return-Path addresses of the message, in the form wordpress@<hostname>.
Here, "From" is the email address of the sender and "Return-Path" is the address to which 'bounce-back' messages are delivered when delivery fails for some reason.
According to Golunski, an attacker can submit the password reset request for a targeted admin user with a crafted Host header that carries a hostname of the attacker's choosing (for example attacker-mxserver.com).
Because the hostname in the malicious request is an attacker-controlled domain, the From and Return-Path fields of the password reset email end up pointing at an address in the attacker's domain, i.e. wordpress@attacker-mxserver.com, instead of wordpress@victim-domain.com.
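The following Python model is an added illustration of the mechanism described above and of the UseCanonicalName mitigation recommended at the end of the article; it is not code from WordPress, Apache or the advisory. It parses a constructed attacker request, derives SERVER_NAME the two ways Apache can (from the Host header by default, or from the configured ServerName when UseCanonicalName is On), and then applies the WordPress-style sender derivation (lowercase, strip a leading "www.", prefix "wordpress@"). The hostnames, addresses and the CANONICAL_NAME constant are assumptions for the demo.

```python
"""Model of CVE-2017-8295: how a spoofed Host header reaches the sender
address of the WordPress password-reset mail, and how UseCanonicalName stops it.

Added illustration, not code from WordPress, Apache or the advisory. It mirrors
the shape of the logic: the web server fills SERVER_NAME either from the Host
header (Apache default, UseCanonicalName Off) or from its configured ServerName
(UseCanonicalName On); WordPress then derives wordpress@<SERVER_NAME minus a
leading "www."> for From and Return-Path. Hostnames and addresses are made up.

Corresponding Apache directives for the hardened case (the mitigation the
advisory recommends):
    ServerName       victim-domain.com
    UseCanonicalName On
"""
import re

CANONICAL_NAME = "victim-domain.com"  # the site's configured ServerName (assumption)


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of an HTTP/1.1 request (minimal, for the demo)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.decode()}


def server_name(request: dict, use_canonical_name: bool) -> str:
    """Value Apache hands to PHP as $_SERVER['SERVER_NAME'].

    UseCanonicalName Off (the default): the client's Host header, port stripped.
    UseCanonicalName On: the configured ServerName, whatever the client sent.
    """
    if use_canonical_name:
        return CANONICAL_NAME
    host = request["headers"].get("host", CANONICAL_NAME)
    return re.sub(r":\d+$", "", host)


def reset_mail_headers(name: str, victim_address: str) -> dict:
    """WordPress-style sender derivation: lowercase, drop a leading 'www.', prefix 'wordpress@'."""
    sitename = name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    sender = f"wordpress@{sitename}"
    return {"To": victim_address, "From": f"WordPress <{sender}>", "Return-Path": sender}


# Constructed attacker request: a normal "lost password" submission for the admin
# account, except that the Host header names a domain the attacker controls.
SPOOFED_REQUEST = (
    b"POST /wp-login.php?action=lostpassword HTTP/1.1\r\n"
    b"Host: attacker-mxserver.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user_login=admin&wp-submit=Get+New+Password"
)


def simulate(raw: bytes, use_canonical_name: bool,
             victim_address: str = "admin@victim-domain.com") -> dict:
    """Run one reset request through the server and the mail-header derivation."""
    request = parse_request(raw)
    return reset_mail_headers(server_name(request, use_canonical_name), victim_address)


def sender_is_poisoned(headers: dict) -> bool:
    """True when bounces (Return-Path) would leave the site's own domain."""
    return not headers["Return-Path"].endswith("@" + CANONICAL_NAME)


if __name__ == "__main__":
    for flag in (False, True):
        h = simulate(SPOOFED_REQUEST, use_canonical_name=flag)
        print(f"UseCanonicalName {'On ' if flag else 'Off'}: From={h['From']!r} "
              f"Return-Path={h['Return-Path']!r} poisoned={sender_is_poisoned(h)}")
```

Note that the message is still addressed To the victim in both runs; only the sender and bounce address move to the attacker's domain, which is exactly why the attack needs a reply or a bounce to complete.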
"Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper," Golunski says.

Don't get confused here: the password reset email is still delivered only to the victim's email address. But because the From and Return-Path fields now point to the attacker's address, the attacker can also end up holding the reset link in the following scenarios:
- If the victim replies to the email, the reply is delivered to the attacker's address (the one in the From field) and carries the password reset link in the quoted message history.
- If the victim's mail server is down, the password reset email bounces back to the address in the Return-Path field, which points to the attacker's inbox.
- To force such a bounce, the attacker can carry out a denial-of-service attack against the victim's mail server, or flood the victim's mailbox with a large volume of email so that the account can no longer accept any message.
"The CVE-2017-8295 attack could potentially be carried out both with user interaction (the user hitting the 'reply' button scenario), or without user interaction (spam victim's mailbox to exceed their storage quota)," Golunski told The Hacker News in an email.

For obvious reasons this is not a reliable method, but in a targeted attack a sophisticated adversary can engineer one of these conditions and exploit the flaw successfully.
Successful exploitation also depends on the web server. Even though the WordPress code itself is affected on every installation, not every web server lets a client influence SERVER_NAME, and WordPress sites on shared hosting are not necessarily exposed: with name-based virtual hosting on Apache, a request whose Host header matches no ServerName or ServerAlias is routed to the default (first-defined) virtual host, so a spoofed Host only reaches a WordPress site that is that default host or the only site on the server.

"SERVER_NAME server header can be manipulated on default configurations of Apache Web server (most common WordPress deployment) via HOST header of an HTTP request," Golunski says.

Since the vulnerability has now been publicly disclosed with no patch available from the WordPress project, administrators are advised to update their server configuration to enforce a static, predefined SERVER_NAME value. On Apache that means setting UseCanonicalName On together with an explicit ServerName directive, so that SERVER_NAME is taken from the configuration rather than from the client's Host header. Independently of the web server, the wp_mail_from (and wp_mail_from_name) filter in WordPress lets a site pin the sender address to a fixed value that does not depend on SERVER_NAME.
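For sites that cannot change the server configuration immediately, the attack leaves a trace in the web server log: a lost-password request that arrived under a Host header the site does not own. The following detection routine is an added example, not part of the advisory or of WordPress. It assumes Apache has been configured to log the Host header (the stock "combined" format does not), and the log lines, client addresses, hostnames and the ALLOWED_HOSTS set are constructed for the demo.

```python
"""Flag password-reset requests that arrived under a foreign Host header.

Added detection example, not part of the advisory or of WordPress. It assumes
Apache writes the request's Host header into the access log, for instance with
    LogFormat "%h %l %u %t \\"%r\\" %>s %b \\"%{Host}i\\"" wp_host
(the stock "combined" format does not record Host). Log lines, addresses and
hostnames below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hostnames the site legitimately answers to (assumption).
ALLOWED_HOSTS = {"victim-domain.com", "www.victim-domain.com"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<host>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2017:12:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "attacker-mxserver.com"
198.51.100.7 - - [03/May/2017:12:00:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "victim-domain.com"
203.0.113.5 - - [03/May/2017:12:00:15 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1544 "attacker-mxserver.com:80"
192.0.2.9 - - [03/May/2017:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 9031 "evil.example"
"""


def is_lost_password(target: str) -> bool:
    """True for wp-login.php requests carrying action=lostpassword."""
    parts = urlsplit(target)
    return parts.path.endswith("/wp-login.php") and \
        "lostpassword" in parse_qs(parts.query).get("action", [])


def normalize_host(host: str) -> str:
    """Lowercase and drop an explicit port, as the server does before use."""
    return re.sub(r":\d+$", "", host.strip()).lower()


def find_poisoned_resets(log_text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return (client, method, host) for reset requests whose Host is not ours.

    A POST actually triggers the mail; a GET with a foreign Host is the attacker
    checking whether the site answers under that name, so both are reported.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_lost_password(m["target"]):
            continue
        host = normalize_host(m["host"])
        if host not in allowed_hosts:
            findings.append((m["client"], m["method"], host))
    return findings


if __name__ == "__main__":
    for client, method, host in find_poisoned_resets(SAMPLE_LOG):
        print(f"{client} {method} lostpassword under foreign Host {host!r}")
```

A hit on a POST means a reset mail has already gone out with a poisoned sender, so the affected account's reset token should be treated as exposed and the user warned not to reply to the message.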