Zero Day Vulnerabilities in WordPress & Vanilla Forums Allow Remote Hacking of Sites
Information security researcher Dawid Golunski has published details of critical vulnerabilities in WordPress that allow remote execution of shell commands and resetting of the administrator's password by spoofing the Host header. The researcher also described two similar critical vulnerabilities in the open-source product Vanilla Forums.
The vulnerability found in WordPress (CVE-2017-8295) affects all versions, including the current 4.7.4. According to the researcher, he repeatedly reported the problem to the product's developers, but they have not yet released an official fix.
The attack is described in detail in a security bulletin published by Golunski. It relies on a logic flaw in the WordPress password recovery mechanism: when a user requests a password reset, WordPress generates a unique secret code and sends it to the email address stored for that user in the database.
When this message is sent, the SERVER_NAME variable is used to obtain the server's hostname, which is needed to build the From and Return-Path fields. The From field holds the sender's address, and the Return-Path field holds the address to which bounce messages, generated when delivery fails, are returned.
According to Golunski, an attacker can send a specially crafted HTTP request with a chosen hostname (for example, attacker-mxserver.com) and at the same time trigger a password reset for a user, such as the site administrator.
Since the hostname in the HTTP request is a domain controlled by the attacker, the From and Return-Path fields in the password reset email are changed to contain an address in the attacker's domain, for example WordPress@attacker-mxserver.com instead of firstname.lastname@example.org.
The email with the password reset code is still sent to the victim's address; however, under certain conditions the attacker can obtain it.
If the victim replies to the email, the reply goes to the attacker's address (which is now in the From field), and the password reset link is carried along in the quoted message history.
If, for some reason, the message is not delivered to the victim, the delivery failure notice is automatically sent to the attacker's address specified in the Return-Path.
Another possible scenario: to ensure that the original message is not delivered to the victim, an attacker can conduct a DDoS attack on the target user's mail server or send a large number of emails to the victim's address so that the mailbox can no longer accept messages. Delivery then fails, and the bounce message is delivered to the attacker.
SERVER_NAME can be manipulated through the Host HTTP header on the default configuration of the Apache web server, which is the server most commonly used to deploy WordPress.
Since there is no official patch for the vulnerability, WordPress site administrators are advised to update the web server configuration by enabling the UseCanonicalName option, which gives SERVER_NAME a static value and makes the attack impossible.
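As an added example (not from Golunski's bulletin or from WordPress's own code), the Python below models how the mail sender follows the client's Host header when UseCanonicalName is off but the configured ServerName when it is on, and then runs a detection pass over constructed Apache access-log lines to flag password-reset requests that arrive with an unexpected Host header. It assumes the log format appends the Host header via %{Host}i (the default combined format does not record it) and that blog.example.org is the site's canonical name.

```python
import re

# Assumed log format: Apache "combined" with the request's Host header
# appended as a final quoted field via %{Host}i (not logged by default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)
# WordPress password-reset endpoint used in the described scenario.
RESET_PATH = "/wp-login.php"
RESET_QUERY = "action=lostpassword"


def sender_address(host_header, server_name, use_canonical_name):
    """Model of the page's description: with UseCanonicalName Off (the Apache
    default) SERVER_NAME is copied from the client's Host header, so the
    attacker chooses the mail domain; with it On, the configured ServerName
    is used instead and the Host header has no effect."""
    effective = server_name if use_canonical_name else host_header
    return "wordpress@" + effective.lower()


def find_spoofed_reset_requests(log_lines, canonical_hosts):
    """Return (ip, host) for lostpassword requests whose Host header is not
    one of the site's known names; such requests deserve a closer look."""
    allowed = {h.lower() for h in canonical_hosts}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        path, _, query = m["path"].partition("?")
        if path != RESET_PATH or RESET_QUERY not in query.split("&"):
            continue
        host = m["host"].split(":")[0].lower()  # drop an explicit port
        if host not in allowed:
            hits.append((m["ip"], host))
    return hits


# Constructed sample lines (not real traffic); the first carries a spoofed Host.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2017:12:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1234 "-" "curl/7.52.1" "attacker-mxserver.com"',
    '198.51.100.4 - - [10/May/2017:12:00:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "blog.example.org"',
    '198.51.100.9 - - [10/May/2017:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0" "attacker-mxserver.com"',
]

if __name__ == "__main__":
    for ip, host in find_spoofed_reset_requests(SAMPLE_LOG, ["blog.example.org"]):
        print(f"suspicious password-reset request from {ip} with Host={host}")
```

On a server where UseCanonicalName is already on, the same log check still confirms whether anyone is probing the reset endpoint with foreign Host values.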
What’s wrong with Vanilla Forums
A week after the WordPress finding, Golunski also published information about two critical vulnerabilities in the popular open-source software Vanilla Forums. The first (CVE-2016-10033) allows remote code execution, and the second (CVE-2016-10073) is similar to the WordPress issue and allows interception of password reset messages. Neither flaw has a patch at present. The latest version, Vanilla Forums 2.3, is vulnerable, and the researcher is confident that earlier versions are also affected.
According to Golunski, remote execution of shell commands is possible in Vanilla Forums because its developers still ship a vulnerable version of PHPMailer, a popular open-source library for sending email. The researcher discovered the vulnerabilities in January 2017 and reported them to the developers; the errors were not corrected, and after about five months Golunski published the details. A similar vulnerability had previously been found by the researcher in WordPress.
Last year the researcher reported a critical vulnerability (CVE-2016-10033) in the PHPMailer library that allows remote execution of shell commands in the context of the web server, leading to compromise of the attacked web application. Golunski also prepared a video showing that the old PHPMailer exploit is suitable for attacking Vanilla Forums.
The researcher notes that the vulnerability can be exploited even when Vanilla Forums is installed on an Apache web server with several virtual hosts enabled and the attacked application is not the default virtual host.
Until the Vanilla Forums developers release an update, Golunski recommends that administrators using the software set the sender's email address to a predefined static value, so that the Host header is no longer used to build it.
To prevent attacks exploiting the described vulnerabilities in WordPress and Vanilla Forums, Positive Technologies experts recommend using specialized security tools; in particular, the application-level firewall PT Application Firewall can block attempts to exploit these flaws.