Alert: WordPress has a flaw that is yet to be plugged

By Balamurugan Selvaraj Published on May 05, 2017 08:04 PM IST

Polish security researcher, Dawid Golunski of Legal Hackers, discovered a WordPress vulnerability that could potentially allow actors to re-set the targeted victim’s password under certain circumstances.

In July last year, this researcher discovered the vulnerable flaw (CVE-2017-8295) and reported it to WordPress security team twice. But the they ignored the issue. Now, it has been found that it is more dangerous than we think.

The logical flaw would affect all versions of WordPress including the latest 4.7.4 version. Today, Golunski wrote in an advisory report that "This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website. As there has been no progress, in this case, this advisory is finally released to the public without an official patch."

BEHIND THE FLAW

When WordPress users send a request to re-set his / her password via forget password option, the security team instantly sends a unique secret code generated for the specific user to the mail ID attached to the account. While sending email to the user, it uses a variable called SERVER_ NAME to get the hostname of the server to create From/Return-Path header for outgoing password.

And in this area, from and return paths will be modified by the attacker to an arbitrary domain of his/ her choice. As a result, the header will be changed to malicious address. Also, the attacker is able to intercept the mail containing the password re-set link with or without user’s interaction.

To be simple, the attacker changes the email header to his / her own choice such as [email protected] com, instead of [email protected] The user has to note that password re-set email will be delivered to victim’s email address only.

But the modification of header leads the attacker to receive re-set code under following scenarios: If the user replies to the re-set email, the response will too deliver to attacker email ID, along with the password re-set link in the message history.

If the attacker conducts DDOS attack holding large number of phishing mails to the victim account, then automatically the server gets down. And no longer the user gets mail. In another way, if the victim’s email server is down, the password re-set email will automatically bounce to the email address of the attacker which is mentioned in ‘Return-Path’ field.

ALERT TO BLOGGERS

How will the re-set mail be? Subject: [CompanyX WP] Password Reset Return-Path: <[email protected]> From: WordPress <[email protected] attackers-mxserver.com=""> Message-ID: <[email protected]> X-Priority: 3 MIME-Version: 1.0 C o n t e n t - T y p e : t e x t / p l a i n ; charset=UTF-8 Content-Transfer-Encoding: 8bit Someone requested that the password be reset for the following account: http://companyX-wp/wp/ wordpress/ Username: admin If this was a mistake, just ignore this email and nothing will happen. To reset your password, visit the following address: The above mentioned message is an example for the flaw.

Regarding the solution, the researcher mentions, ‘No official solution available. As a temporary solution, users can enable ‘UseCanonicalName’ to enforce static SERVER_NAME value.’