WordPress Security Issue in Password Reset Emails to Be Fixed in Future Release

Security researcher Dawid Golunski of Legal Hackers has published the details of an unauthorized password reset vulnerability in WordPress core. Golunski demonstrated how, under certain circumstances, an attacker could intercept the password reset email and gain access to a user’s account.

His proof of concept takes advantage of WordPress using the SERVER_NAME variable to obtain the server's hostname when building the From/Return-Path header of the outgoing password reset email.

Major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header):

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice, e.g.:

attackers-mxserver.com

which would result in WordPress setting the $from_email to

wordpress@attackers-mxserver.com

and thus result in an outgoing email with From/Return-Path set to this malicious address.

The results of this particular attack would depend on the server environment, the specific configuration of the mail server, and in some cases would require interaction from the user in question. Golunski’s report has a more specific breakdown of the possible methods that could be employed.

After reporting the issue to the WordPress security team in July 2016 and also via the HackerOne website, Golunski saw no progress on it and decided to release the vulnerability details to the public.

Although there is no official patch yet, WordPress Security Czar Aaron Campbell said the issue is not quite as severe as it may seem.

“It’s a lower priority issue, but we are aware of it and it is in our queue to address,” Campbell said. He explained the unique set of conditions that would be required in order for this to be a serious vulnerability.

“In order for the issue to have a security impact, a server needs to allow a user-supplied header to overwrite $_SERVER['SERVER_NAME'],” Campbell said. “We would consider that a poor server configuration (like leaving display_errors on on a production server), which is unfortunately outside our control.”

Campbell tested his personal Apache and nginx servers and none of them allowed for this. In addition to having a poorly configured server, Campbell said one of the following actions also needs to happen:

  • a user needs to reply to a password reset email
  • an auto-reply needs to reply to the E-Mail and include the original
  • an E-Mail server has to be compromised or overloaded and the message returned to sender with content intact

“If your server is susceptible and you don’t have the ability to fix the actual server configuration, you still don’t have to make changes to WordPress files to mitigate the issue,” Campbell said. “A little PHP like this in a plugin will set the from E-Mail to a static E-Mail address of your choice:”

add_filter( 'wp_mail_from', function( $from_email ) { return 'wordpress@mysite.com'; } );
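The following must-use plugin expands on that one-liner. It is an added example, not Campbell's or WordPress core's own code: it pins both the From address and the From name, and it logs a warning whenever $_SERVER['SERVER_NAME'] disagrees with the host of the site's configured home URL, which on a correctly configured server never happens. The mailbox address and the display name are placeholders to be replaced with values for a domain you control; the file is assumed to live in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Pin Outgoing Mail Sender
 * Hypothetical mu-plugin (added example, not WordPress or Campbell's own code).
 * Placed in wp-content/mu-plugins/ it loads before every theme and plugin.
 */

// Placeholders: use a mailbox on a domain you actually control.
const PINNED_FROM_EMAIL = 'wordpress@example.com';
const PINNED_FROM_NAME  = 'Example Site';

/**
 * Host that wp_mail() would otherwise build the default From address from:
 * $_SERVER['SERVER_NAME'], lower-cased, with a leading "www." removed.
 */
function pinned_from_server_host() {
    $host = isset( $_SERVER['SERVER_NAME'] ) ? strtolower( $_SERVER['SERVER_NAME'] ) : '';
    return ( substr( $host, 0, 4 ) === 'www.' ) ? substr( $host, 4 ) : $host;
}

// Mitigation: whatever SERVER_NAME says, outgoing mail uses the pinned sender.
// High priority so this runs after any other plugin that touches the same filters.
add_filter( 'wp_mail_from', function ( $from_email ) {
    return PINNED_FROM_EMAIL;
}, 99 );

add_filter( 'wp_mail_from_name', function ( $from_name ) {
    return PINNED_FROM_NAME;
}, 99 );

// Detection: a mismatch between SERVER_NAME and the configured home URL host
// means the server is letting the client's Host header set SERVER_NAME, the
// misconfiguration Campbell describes. Log it so the operator can fix the server.
add_action( 'init', function () {
    $expected = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    if ( substr( $expected, 0, 4 ) === 'www.' ) {
        $expected = substr( $expected, 4 );
    }
    $actual = pinned_from_server_host();
    if ( $expected !== '' && $actual !== $expected ) {
        error_log( sprintf(
            'SERVER_NAME mismatch: expected "%s", got "%s" (HTTP_HOST="%s")',
            $expected,
            $actual,
            isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '-'
        ) );
    }
} );
```

The plugin only works around the problem inside WordPress; the actual fix is on the server, for Apache by setting UseCanonicalName On together with an explicit ServerName, per the documentation linked above.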

Campbell said any changes WordPress makes to core will likely be done via a ticket that is currently tracking the issue from a non-security perspective. He said a fix is most likely not going to be coming in the next security release, but the team is actively working on it. If they find a good mitigation for the issue, Campbell said they will share it once they have worked through all the potential ramifications.
