CVE-2017-8295: WordPress Potential Unauthorized Password Reset

Created:

2017-05-15 05:13:47 UTC

Modified:

2017-08-16 16:49:15 UTC

Applicable to:

  • Plesk for Windows
  • Plesk for Linux

Situation

CVE-2017-8295 affects all WordPress versions, including the latest 4.7.5. The vulnerability is described in detail here.

WordPress builds the From and Return-Path addresses of the password reset email from the SERVER_NAME variable. On Apache (with the default UseCanonicalName Off) and on IIS, SERVER_NAME is taken from the Host header supplied by the client, so an attacker who sends a password reset request with a forged Host header makes WordPress send the "Password Reset" email with a From header of the attacker's choosing.

A Plesk website is affected if ALL of the following are true:

  • WordPress (any version, including the latest 4.7.5) is hosted.
  • The site is Default site for some IP address.
  • The site is served by Apache or IIS (websites served by nginx are not affected).

If a WordPress site is hosted in a Plesk environment, the attacker cannot forge the Return-Path header, because the Plesk mail system rewrites this header on outgoing email messages. Only the From header remains under the attacker's control.

Impact

An attacker can initiate a password reset of a WordPress account; the email is then sent with a From header forged by the attacker. In some cases such an email can be intercepted and the account compromised. The affected scenarios are the following:

  • Some auto-responders attach a copy of the received email, including the password reset link, to the body of the auto-replied message.
    Note: Auto-responders set up in Plesk do not include the body of the received email.
  • The attacker can convince the user to reply to the email, for example by sending multiple password reset emails. The reply, which quotes the password reset link, would then go to the attacker. We strongly advise not to reply to such emails.

Mitigation

Workaround #1 (configure Apache)

If your WordPress is served by Apache, add the UseCanonicalName directive to the Apache configuration, so that SERVER_NAME is taken from the site's ServerName instead of the client-supplied Host header:

  1. Go to Websites & Domains > Apache & nginx Settings > Additional Apache directives .
  2. Add the following configuration to both Additional directives for HTTP and Additional directives for HTTPS :

    UseCanonicalName On

Workaround #2 (use nginx)

Sites whose PHP runs as FPM application served by nginx are not affected.

To switch the PHP handler to FPM application served by nginx:

  1. Go to Websites & Domains > PHP Settings .
  2. Set run PHP as to FPM application server by nginx .

Workaround #3 (do not use default site)

Only the default site of an IP address is affected, because a request with a forged Host header that matches no hosted domain is routed to that site. So:

  1. Go to Tools & Settings > IP Addresses .
  2. For every IP address: click it and set Default site to None .

Note: after that, the site can no longer be reached by its IP address.

Workaround #4 (WordPress plugin)

Upload and activate a plugin like the following:

  • Create a .php file with the content below and pack it into a .zip archive; replace YOUR_DOMAIN_NAME with the domain name on which WordPress is installed:
         <?php

        /*
        Plugin Name: wp_mail_from
        Description: WordPress plugin that pins the sender address of mails sent by WordPress
        Author:
        Version: 1.0
        License:
        */

        // The default From address is built from SERVER_NAME, which an attacker
        // can control through the Host header. Override it with a fixed address
        // so the password reset email is always sent from the real domain.
        add_filter('wp_mail_from', function ($from) {
            return 'wordpress@YOUR_DOMAIN_NAME';
        });

  • Upload the archive from the WordPress admin panel: WordPress > Plugins > Add > Upload.
  • When the plugin is uploaded, press the Activate plugin button to activate it.

This workaround does not depend on the web server, so it is the one to use on IIS, where workarounds #1 and #2 do not apply.
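The following is an added example, not code from Plesk or WordPress, that models the whole chain described in the Situation section and checks which of workarounds #1, #3 and #4 break it. It reproduces the relevant behaviour in a few lines: Apache routes a Host header that matches no hosted domain to the IP's default site; with UseCanonicalName Off, SERVER_NAME is copied from that Host header; WordPress 4.7's wp_mail() then builds "wordpress@" plus the lowercased SERVER_NAME with a leading "www." removed, and passes it through the wp_mail_from filter. The hostnames blog.example and attacker.example are constructed for illustration.

```python
"""
Model of the CVE-2017-8295 mechanism and of the Plesk workarounds.

Added example; not Plesk or WordPress code.  Host names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class VirtualHost:
    server_name: str                  # Apache ServerName of the site
    use_canonical_name: bool = False  # Apache default is UseCanonicalName Off


@dataclass
class Server:
    vhosts: Dict[str, VirtualHost]            # ServerName -> vhost
    default_site: Optional[VirtualHost]       # Plesk "Default site" for the IP, or None


def route_request(server: Server, host_header: str) -> Optional[VirtualHost]:
    """A Host header that matches a hosted domain goes to that site; anything
    else (e.g. a forged Host sent to the bare IP) lands on the default site,
    or nowhere if Plesk has no default site for the IP (workaround #3)."""
    vhost = server.vhosts.get(host_header.lower())
    return vhost if vhost is not None else server.default_site


def server_name_var(vhost: VirtualHost, host_header: str) -> str:
    """Apache's SERVER_NAME: the vhost's ServerName with UseCanonicalName On
    (workaround #1), the client-supplied Host header with the default Off."""
    return vhost.server_name if vhost.use_canonical_name else host_header


def wp_default_from(server_name: str) -> str:
    """Default From address of wp_mail() in WordPress 4.7:
    'wordpress@' + lowercased SERVER_NAME without a leading 'www.'."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def reset_mail_from(server: Server, host_header: str,
                    wp_mail_from_filter: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """From address of the password reset email for a request carrying
    host_header, or None when no site serves the request."""
    vhost = route_request(server, host_header)
    if vhost is None:
        return None
    from_addr = wp_default_from(server_name_var(vhost, host_header))
    if wp_mail_from_filter is not None:          # workaround #4 plugin
        from_addr = wp_mail_from_filter(from_addr)
    return from_addr


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one WordPress site that is also the IP's default site."""
    forged_host = "attacker.example"
    site = VirtualHost("blog.example")
    pinned = VirtualHost("blog.example", use_canonical_name=True)

    def plugin_filter(_from: str) -> str:          # the wp_mail_from plugin
        return "wordpress@blog.example"

    return {
        "legit request":        reset_mail_from(Server({"blog.example": site}, site), "blog.example"),
        "forged, vulnerable":   reset_mail_from(Server({"blog.example": site}, site), forged_host),
        "forged, workaround 1": reset_mail_from(Server({"blog.example": pinned}, pinned), forged_host),
        "forged, workaround 3": reset_mail_from(Server({"blog.example": site}, None), forged_host),
        "forged, workaround 4": reset_mail_from(Server({"blog.example": site}, site), forged_host, plugin_filter),
    }


if __name__ == "__main__":
    for case, sender in demo().items():
        print(f"{case:22s} -> {sender}")
```

The model also shows why a site that is not the default site is safe even with UseCanonicalName Off: a forged Host header never reaches it, and a genuine Host header yields the site's own domain. Workaround #2 is not modelled because nginx with PHP-FPM does not derive SERVER_NAME from the Host header in the same way.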
