WordPress Password Reset CVE-2017-8295 Security Bypass Vulnerability

by CIRT Team

Description: WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Note that the password reset email will be delivered to victim’s email address only, but since the From and Return-Path fields now point to attacker’s email ID, the attacker can also receive reset code under following scenarios:

1. If, in case, the victim replies to that email, it will be delivered to attacker email ID (mentioned in ‘From’ field), containing a password reset link in the message history.
2. If, for some reason, victim’s email server is down, the password reset email will automatically bounce-back to the email address mentioned in “Return-Path” field, which points to the attacker’s inbox.
3. In another possible scenario, to forcefully retrieve bounce-back email, the attacker can perform a DDoS attack against the victim’s email server or send a large number of emails, so that the victim’s email account can no longer receive any email.

Impact:  Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. WordPress 4.7.4 and prior are vulnerable.

Mitigation:  No official solution is still available. As a temporary solution users can enable UseCanonicalName to enforce static SERVER_NAME value (https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname)

Reference URL’s:

• https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
• https://www.bleepingcomputer.com/news/security/wordpress-zero-day-could-expose-password-reset-emails/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
• http://www.securityfocus.com/bid/98295/info

CIRT Team

Recommended Posts

Active Exploitation of Critical F5 BIG – IP Vulnerability (CVE–2023-46747) Uncovered in Bangladesh

06 Nov 2024 - Security Advisories & Alerts

Emerging Threat_Stealer Malware (Lumma C2) Campaign with fake CAPTCHA pages

08 Oct 2024 - Security Advisories & Alerts

Detection of Fog Ransomware Footprint in Cyber Space of Bangladesh

12 Sep 2024 - Security Advisories & Alerts