Legal Hackers security researcher Dawid Golunski has published details of an unauthorized password reset vulnerability in the WordPress core. Golunski demonstrated how, under certain circumstances, an attacker could intercept the password reset email and gain access to a user's account.

His proof of concept takes advantage of the fact that WordPress uses the SERVER_NAME variable to obtain the server's hostname when it builds the From/Return-Path header of the outgoing password reset email.

Major web servers such as Apache set the SERVER_NAME variable by default from the hostname supplied by the client in the HTTP Host header (see the UseCanonicalName directive):

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

Because SERVER_NAME can be influenced by the client, an attacker can set it to an arbitrary domain of their choice, for example:

attackers-mxserver.com

which would cause WordPress to set its $from_email value to

[email protected]

and so send the outgoing email with a From/Return-Path header pointing at that attacker-controlled address.

The results of this particular attack would depend on the server environment, the specific configuration of the mail server, and in some cases would require user interaction. Golunski's report includes a more specific breakdown of possible methods that could be used.

After reporting the issue to the WordPress security team in July 2016, and also through the HackerOne website, Golunski saw no progress and decided to publish the details of the vulnerability.

While there is no official patch yet, WordPress security lead Aaron Campbell has said the issue is not as serious as it may seem.

"It's a lower priority issue, but we're aware of it and it's in our queue," said Campbell. He explained the unique set of conditions that would be required for this to be a serious vulnerability.

"For the issue to have an impact on security, a server must allow a user-supplied header to override $_SERVER['SERVER_NAME']," said Campbell. "We consider this a server configuration problem (much like 'display_errors' being enabled on a production server), which is unfortunately beyond our control."

Campbell tested his personal Apache and nginx servers and found that neither was vulnerable. In addition to a misconfigured server, Campbell said that one of the following must also occur:

  • A user must reply to a password reset email
  • An auto-responder must reply to the email and include the original message
  • An email server must be compromised or overloaded and the message returned to the sender with the contents intact

"If your server is vulnerable and you don't have the ability to fix the server configuration, you still don't have to make any changes to the WordPress files to alleviate the problem," said Campbell. "A bit of PHP like this in a plugin will define a static email address of your choice:"

add_filter( 'wp_mail_from', function( $from_email ) { return '[email protected]'; } );
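The following is an added example, not code from the article or from WordPress itself: it reproduces the From-address derivation described above (lower-casing SERVER_NAME, stripping a leading "www.", prepending "wordpress@") and then applies the kind of wp_mail_from filter Campbell suggests, so the two behaviours can be compared side by side. The stand-in add_filter()/apply_filters() functions, the function name derive_from_email and the example.com addresses are assumptions made so the script runs outside WordPress.

```php
<?php
// Added example (not WordPress core code). A minimal stand-in for WordPress's
// add_filter()/apply_filters() so the script runs stand-alone; inside a real
// plugin these functions already exist and the block below is skipped.
if (!function_exists('add_filter')) {
    $GLOBALS['demo_filters'] = [];
    function add_filter(string $tag, callable $cb): void {
        $GLOBALS['demo_filters'][$tag][] = $cb;
    }
    function apply_filters(string $tag, $value) {
        foreach ($GLOBALS['demo_filters'][$tag] ?? [] as $cb) {
            $value = $cb($value);
        }
        return $value;
    }
}

// Reproduces the default From-address steps the article describes:
// lower-case SERVER_NAME, drop a leading "www.", prepend "wordpress@",
// then give the 'wp_mail_from' filter the last word.
function derive_from_email(array $server): string {
    $sitename = strtolower($server['SERVER_NAME'] ?? 'localhost');
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return apply_filters('wp_mail_from', 'wordpress@' . $sitename);
}

// Constructed request environments: one honest, one where the web server has
// copied the client's Host header into SERVER_NAME (the misconfiguration).
$honest  = ['SERVER_NAME' => 'www.example.com'];        // placeholder site
$spoofed = ['SERVER_NAME' => 'attackers-mxserver.com']; // domain from the article

printf("Without filter: honest=%s spoofed=%s\n",
    derive_from_email($honest), derive_from_email($spoofed));

// Campbell's mitigation: pin the From address regardless of SERVER_NAME.
add_filter('wp_mail_from', function ($from_email) {
    return 'noreply@example.com'; // placeholder: an address you control
});

printf("With filter:    honest=%s spoofed=%s\n",
    derive_from_email($honest), derive_from_email($spoofed));

// Self-check: after the filter, the From address no longer follows SERVER_NAME.
echo derive_from_email($honest) === derive_from_email($spoofed)
    ? "OK: From address is independent of SERVER_NAME\n"
    : "WARNING: From address still follows SERVER_NAME\n";
```

Run with `php example.php`; the first line shows wordpress@attackers-mxserver.com for the spoofed environment, the second shows the pinned address for both.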

Campbell said any changes WordPress makes to core will likely come via a ticket that currently tracks the issue as a non-security bug. He said a fix is unlikely to arrive in the next security release, but the team is actively working on it. If they find a good mitigation for the problem, Campbell said they will share it once they have worked out all the potential ramifications.

And you? What do you think of this vulnerability?