Zero-day Vulnerabilities in WordPress and Vanilla Forums Allow Remote Compromise of Sites
Details of critical vulnerabilities in WordPress have been published: they allow remote execution of shell commands and resetting of the administrator password through manipulation of the Host header. In addition, two similar critical vulnerabilities have been described in the open source Vanilla Forums.
The newly disclosed vulnerability (CVE-2017-8295) affects all versions of WordPress, including build 4.7.4. The security problem has repeatedly been reported to the WordPress developers, but they have not yet issued an official fix.
The attack is described in detail in a dedicated security bulletin. It exploits a logic flaw in the WordPress password recovery mechanism: when a user requests a password reset, WordPress generates a unique secret code and sends it to the email address stored for that user in the database.
When the message is composed, the SERVER_NAME variable is used to obtain the server's hostname, which is needed to build the From and Return-Path headers. From holds the sender's address, and Return-Path holds the address to which bounce messages (generated when delivery fails) are returned.
An attacker can send a specially crafted HTTP request carrying a chosen hostname (for example, attacker-mxserver.com) and, with the same request, initiate a password reset for a user, for instance the site administrator.
Because the hostname in the HTTP request is a domain controlled by the attacker, the From and Return-Path fields of the password reset email are changed to an address on the attacker's domain, for example email@example.com instead of firstname.lastname@example.org.
The email containing the reset code is still sent to the victim's address, but under certain conditions the attacker can nevertheless obtain it:
- If the victim replies to the email, the reply goes to the attacker's address (now stored in the From field), and the password reset link is preserved in the quoted correspondence.
- If for some reason the message cannot be delivered to the victim, the non-delivery notification is automatically sent to the address given in Return-Path, that is, to the attacker.
- Another scenario: to prevent the original message from reaching the victim, an attacker can launch a DDoS attack against the target user's mail server or flood the mailbox with a large volume of email so that it can no longer accept messages. Delivery then fails, and the bounce message is delivered to the attacker.
SERVER_NAME can be manipulated through the HTTP Host header under the default configuration of the Apache web server, which is the platform most often used to deploy WordPress.
Since there is no official patch for the vulnerability, WordPress site administrators are advised to update the web server configuration by enabling the UseCanonicalName option, which gives SERVER_NAME a static value and makes the attack impossible.
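As an added defender-side example (not from the bulletin, WordPress or Apache): a Python check that hunts an Apache access log for password-reset submissions whose Host header is not one of the site's own names, the signal of the attack described above. It assumes a custom LogFormat that records %{Host}i (the default "combined" format does not), and the log lines below are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed Apache LogFormat (the stock "combined" format omits the Host header):
#   LogFormat "%h %t \"%r\" %>s \"%{Host}i\"" hostlog
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)

# Constructed sample lines, not real traffic. Line 2 is a reset submitted
# with an attacker-chosen Host header; line 3 is a legitimate www. alias.
SAMPLE_LOG = """\
203.0.113.5 [05/May/2017:10:00:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 "blog.example.org"
203.0.113.5 [05/May/2017:10:00:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 "attacker-mxserver.com"
198.51.100.7 [05/May/2017:10:00:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 "www.blog.example.org"
198.51.100.9 [05/May/2017:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 "evil.example"
"""


def canonical(host: str) -> str:
    """Normalise a hostname: lower-case, drop any port, strip a leading www."""
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def is_lost_password(path: str) -> bool:
    """True for the WordPress lost-password endpoint (wp-login.php?action=lostpassword)."""
    parts = urlsplit(path)
    return parts.path.endswith("/wp-login.php") and \
        "lostpassword" in parse_qs(parts.query).get("action", [])


def find_suspicious_resets(log_text: str, allowed_hosts) -> list:
    """Return (client_ip, host_header) for reset submissions whose Host is not ours.

    Only POSTs count: the GET merely renders the form, the POST triggers the mail.
    """
    allowed = {canonical(h) for h in allowed_hosts}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not is_lost_password(m["path"]):
            continue
        if canonical(m["host"]) not in allowed:
            hits.append((m["ip"], m["host"]))
    return hits
```

Hits point to requests worth correlating with the mail server's outbound log; absence of hits does not prove safety if the log format omits the Host header.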
What's wrong with Vanilla Forums
Details of two critical vulnerabilities in the popular open source software Vanilla Forums have also been published. The first (CVE-2016-10033) opens the way to remote code execution, and the second (CVE-2016-10073) is similar to the WordPress flaw and allows an attacker to intercept password reset messages. There is currently no patch for either bug; the latest version, Vanilla Forums 2.3, is also vulnerable.
Remote execution of shell commands is possible in Vanilla Forums because the product's developers still use a vulnerable version of the popular open source PHPMailer library to send email. The vulnerabilities were discovered in January 2017 and reported to the developers; the bugs were not fixed, and the information was published. A similar vulnerability was previously discovered by the researcher who reported the WordPress flaw.
Last year, the researcher reported a critical vulnerability (CVE-2016-10033) in the PHPMailer library that allows remote execution of shell commands in the context of the web server, leading to compromise of the attacked web application.
The vulnerability can be exploited even if Vanilla Forums is installed on an Apache web server with several virtual hosts enabled and the attacked software is not the default virtual host.
Until the Vanilla Forums developers release an update, site administrators are advised to set the sender's email address to a predefined static value, which blocks the use of the Host header.