WordPress Password Reset CVE-2017-8295 Security Bypass Vulnerability
by CIRT Team
Description: WordPress through 4.7.4 relies on the Host HTTP header when it builds the password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords: the attacker sends a crafted wp-login.php?action=lostpassword request and then arranges for the resulting message to bounce or be resent, so that the reset key is transmitted to a mailbox on an attacker-controlled SMTP server. The root cause is the use of the SERVER_NAME variable in wp-includes/pluggable.php, in conjunction with the PHP mail function, to construct the sender address; on common web-server configurations SERVER_NAME is populated from the client-supplied Host header, so a request with a forged Host header yields a reset e-mail whose sender is on the attacker's domain. Note that the password-reset e-mail is delivered only to the victim's e-mail address, but because the From and Return-Path fields now point to an address on the attacker's domain, the attacker can also receive the reset link in the following scenarios:
- If the victim replies to the e-mail, the reply is delivered to the address in the From field, i.e. to the attacker, with the password-reset link quoted in the message history.
- If the victim's mail server is down or otherwise rejects the message, the password-reset e-mail bounces back to the address in the Return-Path field, which points to the attacker's inbox.
- To force such a bounce, the attacker can perform a DDoS attack against the victim's mail server, or send a large number of e-mails to the victim's account until it is over quota and can no longer accept new messages, so that the reset e-mail is returned to the Return-Path address.
Impact: An attacker who obtains the reset link in one of the ways above can set a new password for the targeted account, including an administrator account, and take over the WordPress site; this may aid in further attacks on the hosting environment. WordPress 4.7.4 and prior are vulnerable.
Mitigation: No official fix is available yet. As a temporary measure, Apache users can set UseCanonicalName On so that SERVER_NAME is taken from the static ServerName directive rather than from the client-supplied Host header (https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname). Set ServerName explicitly in every virtual host that serves WordPress; without it Apache falls back to a name deduced from a reverse DNS lookup of the server's IP address. Note that the workaround only fixes the sender address of the reset e-mail; attackers can still trigger password-reset e-mails for arbitrary users.
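The following is an added example, not code from the CIRT advisory or from WordPress itself. It models the chain described in the Description and the Mitigation above: how Apache's UseCanonicalName setting decides whether SERVER_NAME comes from the client's Host header or from the configured ServerName, how the wp_mail() code in wp-includes/pluggable.php turns SERVER_NAME into the From address (and therefore the Return-Path), and one hardened alternative that derives the sender domain from a configured site URL instead. The Request class, the hostnames and the hardened_from_address() function are constructed for illustration; hardened_from_address() is an assumption about a reasonable fix, not the upstream patch.

```python
"""Model of CVE-2017-8295: Host header -> SERVER_NAME -> reset-mail sender address.

Added example, not part of WordPress or the advisory. Hostnames are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    host_header: str  # raw Host header; may carry a port and is attacker-controlled


def apache_server_name(req: Request, configured_server_name: str,
                       use_canonical_name: bool) -> str:
    """Return the SERVER_NAME value Apache exposes to PHP.

    With UseCanonicalName Off (the default) Apache derives SERVER_NAME from the
    Host header the client sent, minus the port. With UseCanonicalName On it
    uses the ServerName directive, so the client can no longer influence it.
    """
    if use_canonical_name:
        return configured_server_name.lower()
    host = req.host_header.strip().lower()
    if host.startswith("["):
        # IPv6 literal such as [::1]:8080 -> keep the bracketed address only
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host


def vulnerable_from_address(server_name: str) -> str:
    """From address as built by wp_mail() in WordPress <= 4.7.4.

    pluggable.php lowercases SERVER_NAME, strips a leading "www." and prepends
    "wordpress@". When SERVER_NAME reflects the attacker's Host header, the
    sender domain is the attacker's, and with PHP mail() the envelope sender
    (Return-Path) follows the From address.
    """
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def hardened_from_address(site_home_url: str) -> str:
    """Hypothetical hardening (an assumption of this example, not the upstream
    fix): take the sender domain from the configured site URL, which an
    attacker cannot set per request, instead of from SERVER_NAME.
    """
    host = (urlsplit(site_home_url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return "wordpress@" + host


def reset_mail_sender(req: Request, configured_server_name: str,
                      use_canonical_name: bool) -> str:
    """End to end: the sender domain that ends up on the password-reset mail."""
    return vulnerable_from_address(
        apache_server_name(req, configured_server_name, use_canonical_name))


if __name__ == "__main__":
    # Constructed scenario: victim site victim.example, attacker forges the Host header.
    forged = Request("www.attacker.example:8080")
    print("UseCanonicalName Off:", reset_mail_sender(forged, "victim.example", False))
    print("UseCanonicalName On: ", reset_mail_sender(forged, "victim.example", True))
    print("Config-derived sender:", hardened_from_address("https://www.victim.example/blog"))
```

Run stand-alone, the script shows the sender flipping from wordpress@attacker.example to wordpress@victim.example once UseCanonicalName is On, which is exactly what the Apache workaround buys you; the hardened_from_address() variant shows the application-level alternative of never trusting the request for the sender domain.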