
WordPress Core up to 4.7.4 – Potential Unauthorized Password Reset

====================================================
– Discovered by: Dawid Golunski (@dawid_golunski)
– dawid[at]legalhackers.com
– https://legalhackers.com
– ExploitBox.io (@Exploit_Box)

– CVE-2017-8295
– Release date: 03.05.2017
– Revision 3.0
– Last update: 04.05.2017
– Severity: Medium/High
====================================================

I. VULNERABILITY
————————-

WordPress Core

——————————-

As we can see, the Return-Path, From, and Message-ID fields all have the attacker’s
domain set.

The headers can be verified by replacing /usr/sbin/sendmail with a bash script of:

#!/bin/bash
# Capture the raw message (headers and body) that WordPress hands to sendmail
cat > /tmp/outgoing-email
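As an added check, not code from the advisory, the following script reads a message captured that way and reports any of the three sender-related headers whose domain differs from the site’s own. The expected domain (example.com) and the two sample captures it writes are constructed for the demonstration; for a real capture, point verify_mail_headers at /tmp/outgoing-email.

```shell
#!/bin/bash
# Added example, not part of the original advisory: check that a message captured
# by the sendmail replacement carries the site's own domain in the Return-Path,
# From and Message-ID headers. The expected domain and the sample captures below
# are constructed; point the check at /tmp/outgoing-email for a real capture.

# Print the lower-cased domain found in the first occurrence of header $1 in
# file $2. Handles "Name <user@host>", "<user@host>" and bare "user@host".
header_domain() {
    grep -i "^$1:" "$2" \
        | head -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//' \
        | sed -E 's/.*@([A-Za-z0-9.-]+).*/\1/' \
        | tr 'A-Z' 'a-z'
}

# Return 0 when all three sender-related headers use domain $1, 1 otherwise,
# printing each mismatch so the result is readable in a log.
verify_mail_headers() {
    expected="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    file="$2"
    status=0
    for h in Return-Path From Message-ID; do
        d="$(header_domain "$h" "$file")"
        if [ "$d" != "$expected" ]; then
            echo "MISMATCH: $h domain is '${d:-missing}', expected '$expected'"
            status=1
        fi
    done
    return $status
}

# Constructed sample captures in the shape of the sendmail input described in
# the advisory: "ok" uses the site's domain, "foreign" uses a different one.
write_sample() {
    if [ "$1" = "ok" ]; then domain=example.com; else domain=other-host.example; fi
    printf 'Return-Path: <wordpress@%s>\n' "$domain" > "$2"
    printf 'From: WordPress <wordpress@%s>\n' "$domain" >> "$2"
    printf 'Message-ID: <20170503120000.1234@%s>\n' "$domain" >> "$2"
    printf 'To: admin@example.com\nSubject: [Example] Password Reset\n\n(body)\n' >> "$2"
}

# Stand-alone demonstration on the two constructed samples.
demo_header_check() {
    tmp="$(mktemp)"
    write_sample ok "$tmp"
    verify_mail_headers example.com "$tmp" && echo "ok sample: headers consistent"
    write_sample foreign "$tmp"
    verify_mail_headers example.com "$tmp" || echo "foreign sample: rejected"
    rm -f "$tmp"
}
demo_header_check
```

The check deliberately treats a missing header the same as a foreign one, since a reset mail that lacks a Return-Path or From is just as worth a look as one pointing elsewhere.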

VI. BUSINESS IMPACT
————————-

Upon successful exploitation, an attacker may be able to reset a user’s password
and gain unauthorized access to their WordPress account.

VII. SYSTEMS AFFECTED
————————-

All WordPress versions up to the latest 4.7.4

VIII. SOLUTION
————————-

No official solution is available. As a temporary solution, users can enable
UseCanonicalName to enforce a static SERVER_NAME value:

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname
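To make the mitigation concrete, the following added script (not part of the advisory) writes a constructed default-style Apache configuration beside a hardened one and audits each for the two directives the mitigation depends on. With UseCanonicalName On, Apache derives SERVER_NAME from the ServerName directive rather than from the client-supplied Host header, so the audit also requires that a ServerName is set; blog.example.com and the file paths are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original advisory: audit an Apache configuration
# for the temporary mitigation described in the Solution section. It checks that
# UseCanonicalName is On and that a ServerName is set, because with
# UseCanonicalName On Apache takes SERVER_NAME from ServerName instead of the
# client's Host header. The configuration snippets below are constructed samples.

# Print the effective (last uncommented) value of directive $1 in file $2, or nothing.
directive_value() {
    grep -i -E "^[[:space:]]*$1[[:space:]]+" "$2" \
        | tail -n 1 \
        | awk '{print $2}'
}

# Return 0 when the config pins SERVER_NAME to a static value, 1 otherwise.
check_canonical_name() {
    conf="$1"
    ucn="$(directive_value UseCanonicalName "$conf" | tr 'A-Z' 'a-z')"
    sn="$(directive_value ServerName "$conf")"
    ok=0
    if [ "$ucn" != "on" ]; then
        echo "WEAK: UseCanonicalName is '${ucn:-unset}' (default Off); SERVER_NAME follows the Host header"
        ok=1
    fi
    if [ -z "$sn" ]; then
        echo "WEAK: no ServerName set; Apache would guess the host name at startup, set it explicitly"
        ok=1
    fi
    return $ok
}

# Constructed sample: default-like configuration, SERVER_NAME comes from the Host header.
write_weak_conf() {
    cat > "$1" <<'EOF'
# Default behaviour: SERVER_NAME is taken from the client-supplied Host header
UseCanonicalName Off
<VirtualHost *:80>
    DocumentRoot /var/www/wordpress
</VirtualHost>
EOF
}

# Constructed sample: the mitigation from the advisory, SERVER_NAME pinned to ServerName.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# Mitigation: pin SERVER_NAME to a static, administrator-chosen value
ServerName blog.example.com
UseCanonicalName On
<VirtualHost *:80>
    DocumentRoot /var/www/wordpress
</VirtualHost>
EOF
}

# Stand-alone demonstration on the two constructed configurations.
demo_conf_check() {
    tmp="$(mktemp)"
    write_weak_conf "$tmp"
    check_canonical_name "$tmp" || echo "weak config: SERVER_NAME not pinned"
    write_hardened_conf "$tmp"
    check_canonical_name "$tmp" && echo "hardened config: SERVER_NAME pinned to ServerName"
    rm -f "$tmp"
}
demo_conf_check
```

On a real server, run check_canonical_name against every file that can carry these directives (the main httpd.conf and any included virtual host files), since a later UseCanonicalName in a virtual host overrides the global setting for that host.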

This issue has been reported to the WordPress security team multiple times,
with the first report sent back in July 2016. It was reported both directly
via the security contact email and via the HackerOne website.

As there has been no progress in this case, this advisory is finally
released to the public.
