On Wednesday, the popular security experts Dawid Golunski reported a WordPress Password Reset vulnerability, tracked as CVE-2017-8295, and detailed it in a security advisory.
Golunski classified the flaw as a “medium/high severity,” he explained that the issue is caused by the fact that WordPress uses a variable named SERVER_NAME to obtain the hostname of a server when setting the From/Return-Path header in password reset emails sent to users.
The value of the SERVER_NAME variable is often set using the hostname supplied by the client via the HTTP_HOST header, Golunski discovered that an attacker can inject an arbitrary domain by sending a specially crafted request to the targeted WordPress website.
“WordPress is using SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email. However, major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header): https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname” reads the security advisory.
“Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice e.g: attackers-mxserver.com which would result in WordPress setting the $from_email to firstname.lastname@example.org and thus result in an outgoing email with From/Return-Path set to this malicious address.”
Summarizing, an attacker can force a password reset by sending a specially crafted request to the targeted WordPress site, the request will include as the hostname the name of a domain controlled by the attacker, meanwhile the From and Return-Path fields in the password reset email sent to the victim will specify an email address on the attacker’s domain.
Once the targeted user receives the password reset link, there are several methods the attacker can use to obtain it now that the From and Return-Path fields point to their domain.
The attacker can make the victim’s email account unusable, for example via an attack on its DNS server or by sending it large files until to saturate its capacity.
When the victim’s email account stop receiving messages, the password reset email is returned to the sender’s recipient) the attacker’s email account as it is specified in the From and Return-Path fields.
In the case an autoresponder is enabled on the victim’s email account, the attacker will easily obtain a copy of the password reset email includes in the automatic reply.
Another option is to send a large number of password reset emails to the victim, hoping the victim will reply one of them with an email that likely includes the password reset link.
Below the three scenarios described by Golunski:
The Password Reset vulnerability affects all versions of WordPress, including the 4.7.4 version released a couple of weeks ago.
Golunski reported the flaw hole to WordPress several times since July 2016, but in an absence of a concrete action, he decided to disclose it.
Golunski has suggested a temporary solution to enable UseCanonicalName to enforce a static SERVER_NAME value https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname
On a specific thread on Reddit users discussed possible temporary countermeasures, such as the use of as a utility that notifies users when users reset passwords.
(Security Affairs – WordPress, Password Reset vulnerability)