WordPress Potential Unauthorized Password Reset (CVE-2017-8295)

Published by root on

WordPress Potential Unauthorized Password Reset

 

On 3 May, WordPress was exposed there is a security risk. A new vulnerability (CVE-2017-8295) was found to exist in all WordPress versions. The vulnerability from WordPress in the creation of password reset e-mail will use the client to send the contents of the SERVER_NAME variable to form the sender’s e-mail address. If you know the administrator or any target user’s email address, you can first send a large number of e-mail and other methods so that the target mailbox can not be properly received, and then forged a mailing mailbox to the target mailbox to initiate a reset password request, the message will Because the target mailbox can not be properly received and returned to the attacker control of the mailbox, the attacker can be in the bounce message to obtain a reset password link, thus resetting any user’s account password. The vulnerability WordPress official has not yet had any fix updates.

Affected version

WordPress Version <= 4.7.4

Note: All current WordPress versions (including the latest version 4.7.4) are affected.

Vulnerability

WordPress reset password function from the server to the user when the mailbox to send e-mail, if the attacker can get the contents of this message, you can reset the password link to modify the user password.

Use the same principle and the previous vulnerability, the attacker can request the header through the HOST “sender” mailbox is set to the attacker’s own address, under certain conditions can get the contents of this message and reset the user password.

The author gives three scenarios:

  1. If the attacker knows the mailbox registered by the admin user in advance, the mailbox address can be attacked by DoS means (sending large file/attack DNS server), causing the password reset mail to be rejected or unable to be delivered. At this time, “Bounce” will be sent to the address constructed by the attacker.
  2. The “autoresponder” feature of some mailboxes will return the contents of the message as an attachment to the sender.
  3. Repeatedly sent to reset the password to the destination mailbox, forcing the user to reply to the situation, the contents of the reply will generally refer to the previous message body.

So far feel very difficult to use, see social workers who can give a new posture.
PoC HTTP Request

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
user_login=admin&redirect_to=&wp-submit=Get+New+Password

Temporary protection method

Currently WordPress official no related repair and update, the user can take the following temporary protection program:

The user can turn on UseCanonicalName to force the static SERVER_NAME value.

Reference

Loading

Categories: News
Tags:

Related Posts

News

Hackers bypassed Galaxy S10 ultrasonic biometric fingerprint scanner

There are security vulnerabilities in the Samsung Galaxy S10 ultrasonic biometric fingerprint scanner, and hackers can use the 3D printed fingerprint of the mobile phone user to pass the verification. The Samsung S10 and S10+ use ultrasonic Read more…

News

1Password Will Give You $100,000 If You Can Crack Its Vault

AgileBits, the developer behind 1password is ready to pay you a bug bounty of $100,000 if you can break into their vault nd obtain a plain text file of “bad poetry.” Earlier, a “capture the Read more…

News

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack. The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, Read more…