HackDig : Dig high-quality web security articles for hacker

Security researcher disclosed a WordPress Password Reset Vulnerability

2017-05-05 03:00

A researcher reported a WordPress Password Reset vulnerability, tracked as CVE-2017-8295, and detailed it in a security advisory.

On Wednesday, the popular security experts Dawid Golunski reported a WordPress Password Reset vulnerability, tracked as CVE-2017-8295, and detailed it in a security advisory.

Golunski classified the flaw as a “medium/high severity,” he explained that the issue is caused by the fact that WordPress uses a variable named SERVER_NAME to obtain the hostname of a server when setting the From/Return-Path header in password reset emails sent to users.

The value of the SERVER_NAME variable is often set using the hostname supplied by the client via the HTTP_HOST header, Golunski discovered that an attacker can inject an arbitrary domain by sending a specially crafted request to the targeted WordPress website.

“WordPress is using SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email. However, major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header): https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname” reads the security advisory.

“Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice e.g: attackers-mxserver.com which would result in WordPress setting the $from_email to wordpress@attackers-mxserver.com and thus result in an outgoing email with From/Return-Path set to this malicious address.”

Summarizing, an attacker can force a password reset by sending a specially crafted request to the targeted WordPress site, the request will include as the hostname the name of a domain controlled by the attacker, meanwhile the From and Return-Path fields in the password reset email sent to the victim will specify an email address on the attacker’s domain.

Once the targeted user receives the password reset link, there are several methods the attacker can use to obtain it now that the From and Return-Path fields point to their domain.

The attacker can make the victim’s email account unusable, for example via an attack on its DNS server or by sending it large files until to saturate its capacity.

When the victim’s email account stop receiving messages, the password reset email is returned to the sender’s recipient) the attacker’s email account as it is specified in the From and Return-Path fields.

In the case an autoresponder is enabled on the victim’s email account, the attacker will easily obtain a copy of the password reset email includes in the automatic reply.

Another option is to send a large number of password reset emails to the victim, hoping the victim will reply one of them with an email that likely includes the password reset link.

Security researcher disclosed a WordPress Password Reset Vulnerability

Below the three scenarios described by Golunski:

  1. Attacker can perform a prior DoS attack on the victim’s email account/server (e.g by sending multiple large files to exceed user’s disk quota, attacking the DNS server etc) in order to prevent the password reset email from reaching the victim’s account and bounce back to the malicious sender address that is pointed at the attacker (no user interaction required).
  2. Some autoresponders might attach a copy of the email sent in the body of the auto-replied message (no user interaction required)
  3. Sending multiple password reset emails to force the user to reply to the message to inquiry explanation for endless password reset emails. The reply containing the password link would then be sent to attacker. (user interaction required)

The Password Reset vulnerability affects all versions of WordPress, including the 4.7.4 version released a couple of weeks ago.

Golunski reported the flaw hole to WordPress several times since July 2016, but in an absence of a concrete action, he decided to disclose it.

Golunski has suggested a temporary solution to enable UseCanonicalName to enforce a static SERVER_NAME value https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

On a specific thread on Reddit users discussed possible temporary countermeasures, such as the use of as a utility that notifies users when users reset passwords.

Pierluigi Paganini

(Security Affairs – WordPress, Password Reset vulnerability)

The post Security researcher disclosed a WordPress Password Reset Vulnerability appeared first on Security Affairs.


Source: lmth.ytilibarenluv-teser-drowssap-sserpdrow/gnikcah/94785/sserpdrow/oc.sriaffaytiruces

“Security researcher disclosed a WordPress Password Reset Vulnerability”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud