Alert to bloggers
- May 5, 2017
- 2 min read

Polish security researcher Dawid Golunski of Legal Hackers has disclosed a WordPress vulnerability that could, under certain circumstances, let an attacker reset a targeted victim's password. He found the flaw, now tracked as CVE-2017-8295, in July of last year and reported it to the WordPress security team more than once, but the issue went unaddressed. He has now published the details, and the flaw is more serious than its handling suggested: it is a logic flaw affecting all versions of WordPress, including the latest release, 4.7.4. In the advisory released today, Golunski writes: 'This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website. As there has been no progress, in this case, this advisory is finally released to the public without an official patch.'
Behind the flaw:
When a WordPress user requests a password reset through the 'forgot password' option, WordPress generates a unique secret reset key for that user and mails a reset link to the email address attached to the account. To build the From and Return-Path headers of that outgoing mail, WordPress reads the server's hostname from the SERVER_NAME variable. On common web-server setups (a default Apache virtual host, for instance) SERVER_NAME is taken from the Host header of the incoming HTTP request, so an attacker who sends a forged Host header along with the reset request controls it. The From and Return-Path of the reset mail then point at an arbitrary domain of the attacker's choice, for example wordpress@attackers-mxserver.com instead of wordpress@victimdomain.com. Under the right conditions this lets the attacker obtain the mail containing the reset link, in some cases without any interaction from the victim.
Note that the password reset email is still delivered to the victim's own address. The poisoned headers, however, let the attacker receive the reset key in the following scenarios:
*If the victim replies to the reset email, the reply goes to the attacker's address, with the password reset link quoted in the message history.
*If the attacker floods the victim's mailbox or mail server with a large number of messages (a denial of service), the victim's mail server stops accepting mail and the reset email can no longer be delivered to the victim.
*Whenever the victim's mail server is down, whether or not the attacker caused it, the undeliverable reset email bounces to the address in the Return-Path header, which is the attacker's.
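The PHP below is an added illustration written for this article, not WordPress's own code. It shows the vulnerable pattern described above (sender address derived from SERVER_NAME, which on a default Apache virtual host follows the client's Host header) next to a hardened version that derives the sender domain from the operator-configured site URL, plus a small probe for checking whether a given server lets SERVER_NAME follow the Host header. The function names are assumed; the site URL http://companyX-wp/wp/wordpress/ and the hostname attackers-mxserver.com are taken from the article's sample message.

```php
<?php
// Added example, not WordPress code. Demonstrates how a password-reset sender
// address becomes attacker-controlled when built from SERVER_NAME, and a
// hardened alternative that only trusts operator configuration.

// Vulnerable pattern: the sender domain comes from the request environment.
// With Apache's default UseCanonicalName Off, SERVER_NAME is filled from the
// client's Host header, so a forged Host header lands in From/Return-Path.
function reset_mail_headers_from_request(array $server): array {
    $sitename = strtolower($server['SERVER_NAME']);
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    $from = 'wordpress@' . $sitename;
    return [
        'From'        => 'WordPress <' . $from . '>',
        'Return-Path' => '<' . $from . '>',   // bounces and replies go here
    ];
}

// Hardened pattern: the sender domain comes from a value the operator
// configured (assumption: the site URL is stored in the application's
// settings), never from anything the client sent with the request.
function reset_mail_headers_from_config(string $site_url): array {
    $host = parse_url($site_url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new RuntimeException('site URL has no host; refusing to build sender address');
    }
    $host = strtolower($host);
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4);
    }
    $from = 'wordpress@' . $host;
    return [
        'From'        => 'WordPress <' . $from . '>',
        'Return-Path' => '<' . $from . '>',
    ];
}

// Operator probe: place a script that prints this on the web server and
// request it with a forged Host header, e.g.
//   curl -H 'Host: probe.invalid' http://<server-address>/probe.php
// If SERVER_NAME echoes "probe.invalid", the value follows the client's
// header and reset mail sent from this host is affected.
function server_name_report(array $server): string {
    return sprintf("Host header: %s\nSERVER_NAME: %s\n",
        $server['HTTP_HOST'] ?? '(none)',
        $server['SERVER_NAME'] ?? '(none)');
}

// Constructed request environment: the attacker sent
// "Host: attackers-mxserver.com" and the web server copied it into SERVER_NAME.
$spoofed = [
    'HTTP_HOST'   => 'attackers-mxserver.com',
    'SERVER_NAME' => 'attackers-mxserver.com',
];

print_r(reset_mail_headers_from_request($spoofed));
// From: WordPress <wordpress@attackers-mxserver.com>  (attacker's domain)

print_r(reset_mail_headers_from_config('http://companyX-wp/wp/wordpress/'));
// From: WordPress <wordpress@companyx-wp>  (operator's domain, Host header ignored)

echo server_name_report($spoofed);
```

Run it with the PHP command-line interpreter to see the two header sets side by side; the probe only tells you something once it runs on the real web server behind the real configuration. On an Apache host with UseCanonicalName On and an explicit ServerName, SERVER_NAME stays at the configured name no matter what the client sends, which is why the researcher's workaround below is effective there.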
What the poisoned reset mail looks like:
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:
http://companyX-wp/wp/wordpress/
Username: admin
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
The message above illustrates the flaw: every sender-related header (From, Return-Path and even the Message-ID) carries the attacker's domain, while the reset link itself still points at the real site, so the victim has little reason to suspect anything. Regarding a fix, the researcher writes: 'No official solution available. As a temporary solution users can enable 'UseCanonicalName' to enforce static SERVER_NAME value.' On Apache that means setting UseCanonicalName On together with an explicit ServerName directive, so that SERVER_NAME is taken from the server configuration rather than from the client's Host header.