
The vulnerability, which allows to gain control of WordPress through password reset form

By Prempal Singh 0 Comment May 5, 2017

A vulnerability (CVE-2017-8295) has been disclosed in the WordPress web content management system that allows an attacker to gain control of an account by manipulating the password reset form.

Specifically, an attacker who has not passed any authentication can arrange for an email carrying the password reset code to be sent to the account owner with an attacker-controlled address in the sender fields (From / Return-Path). Although details of the vulnerability were reported to the WordPress developers several times (the first notice was sent in the summer of last year), the problem remains unfixed and affects all WordPress versions, including the latest release, 4.7.4.

Substituting the sender address is possible because WordPress builds the From and Return-Path fields from the variable $_SERVER['SERVER_NAME'], whose value on most HTTP servers is derived from the "Host:" header passed in the request. If the WordPress site is the default host in the HTTP server's configuration, an attacker can send a request to the password reset form with the "Host:" header replaced by a domain name under their control, and that name is then used as part of the sender address (wordpress@domain).
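To make the weakness concrete, here is an added illustration (not WordPress's own code and not from the article) of the sender-address pattern described above next to a hardened alternative: an address derived from the request-influenced SERVER_NAME versus one pinned to a configured, allowlisted domain. The constants, helper names and the sample request values are assumptions for the demonstration; the wp_mail_from filter is a real WordPress hook.

```php
<?php
// Added example: request-controlled sender address vs. a configured one.

// Weak pattern: on a default virtual host SERVER_NAME can mirror the request's
// Host: header, so the sender address follows whatever the client supplied.
function weak_sender_address(array $server): string
{
    return 'wordpress@' . $server['SERVER_NAME'];
}

// Hardened pattern: the mail domain comes from deployment configuration and
// never from the request. (Assumed values for this example.)
const MAIL_DOMAIN   = 'example.com';
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function hardened_sender_address(): string
{
    return 'wordpress@' . MAIL_DOMAIN;
}

// Reject requests whose Host: value is not one the site actually serves,
// so a substituted host never reaches the reset-mail logic at all.
function is_allowed_host(?string $host): bool
{
    if ($host === null) {
        return false;
    }
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional :port
    return in_array($host, ALLOWED_HOSTS, true);
}

// In a WordPress deployment the same pinning is applied through the
// wp_mail_from filter; the guard lets this file also run outside WordPress.
if (function_exists('add_filter')) {
    add_filter('wp_mail_from', 'hardened_sender_address');
}

// Constructed request values showing the two behaviours side by side.
$spoofed = ['SERVER_NAME' => 'attacker.example', 'HTTP_HOST' => 'attacker.example'];
echo 'weak:     ' . weak_sender_address($spoofed) . PHP_EOL;
echo 'hardened: ' . hardened_sender_address() . PHP_EOL;
echo 'host ok:  ' . var_export(is_allowed_host($spoofed['HTTP_HOST']), true) . PHP_EOL;
```

On Apache the same effect at the server layer is obtained with UseCanonicalName On, which makes SERVER_NAME come from the configured ServerName rather than from the request.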

For the attacker to obtain the reset code, the email sent to the account owner must be returned to the sender address. For example, a DoS attack against the user's mail server, sending a large volume of messages to overflow the mailbox or exceed its quota, means that once the mailbox is full a message with the password reset code is returned to the sender with a non-delivery notification. Another option is to target users who use an automatic reply (auto-responder): the attacker waits until the auto-reply is active (e.g. the user is on vacation or a business trip) and then triggers the sending of the password reset email, which comes back to the sender address inside the automatic reply.
