
Zero-day vulnerabilities in WordPress and Vanilla Forums allow sites to be hacked remotely



Image: Andrew Abogado , CC BY 2.0

Information security researcher Dawid Golunski has published details of critical vulnerabilities in WordPress: they allow an attacker to execute shell commands remotely (through the PHPMailer library that WordPress uses to send mail) and to intercept the administrator's password reset, in both cases by changing the HTTP Host header. The researcher also described two similar critical vulnerabilities in the open source product Vanilla Forums.

WordPress vulnerability


The vulnerability Golunski found (CVE-2017-8295) affects all versions of WordPress up to and including 4.7.4. According to the researcher, he reported the problem to the product's developers several times, but no official fix has been released.

The attack is described in detail in a security advisory published by Golunski. It exploits a logic flaw in the WordPress password recovery mechanism: when a user requests a reset, WordPress generates a unique secret code and emails it to the address stored for that account in the database.

When this message is sent, WordPress reads the server hostname from the SERVER_NAME variable and uses it to build the From and Return-Path fields. From carries the sender's address; Return-Path carries the address to which "bounce" messages, generated when delivery fails, are returned.



According to Golunski, an attacker can send an HTTP request with a Host header of their choosing (for example, attacker-mxserver.com) that at the same time triggers a password reset for a chosen user, for example the site administrator.

Because the hostname in the request is a domain the attacker controls, the From and Return-Path fields of the password reset email will point at an address on the attacker's domain: wordpress@attacker-mxserver.com instead of wordpress@victim-domain.com.

The email containing the reset link is still delivered to the victim's address, but under certain conditions the attacker also obtains it:

  1. If the victim replies to the email, the reply goes to the attacker's address (it is now in the From field), and the reset link is included in the quoted correspondence.
  2. If for any reason delivery to the victim fails, the bounce message, which contains the original email, is sent automatically to the attacker's address specified in Return-Path.
  3. The attacker can also make the original message undeliverable on purpose: by launching a DoS attack on the target user's mail server, or by flooding the victim's mailbox with messages until it can no longer accept mail. Delivery then fails and the bounce, with the reset link, goes to the attacker.

SERVER_NAME can be manipulated through the HTTP Host header under the default configuration of Apache, the web server most commonly used to deploy WordPress: UseCanonicalName is Off by default, and Apache then fills SERVER_NAME from whatever Host value the client sent.

Since there is no official patch for the vulnerability, WordPress site administrators are advised to change the Apache configuration by setting UseCanonicalName On (together with an explicit ServerName), which gives SERVER_NAME a static value and makes the attack impossible.
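The chain described above, from the Host header through SERVER_NAME to the sender fields of the reset mail, as an added example in Python. This is my own model, not WordPress or Apache code: `server_name` reproduces how Apache derives SERVER_NAME under `UseCanonicalName Off` (the default) versus `UseCanonicalName On` with a `ServerName` directive, and `reset_mail_headers` reproduces WordPress's default sender construction (`wordpress@<SERVER_NAME>` with a leading `www.` dropped, reused as the bounce address). The domain names are constructed for the example.

```python
# Added example (my own code, not WordPress's or Apache's): a model of how
# Apache fills SERVER_NAME and how a WordPress-style reset mail then derives
# its From / Return-Path from it. Domain names below are constructed.
import re

VICTIM_DOMAIN = "victim-domain.com"   # assumed real hostname of the site

# Characters Apache accepts in a Host value; anything else is answered with
# 400 Bad Request, which the model turns into a ValueError.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def server_name(host_header, use_canonical_name=False,
                configured_server_name=VICTIM_DOMAIN):
    """Model of Apache's SERVER_NAME variable.

    UseCanonicalName Off (the default): SERVER_NAME comes from the client's
    Host header, minus any :port suffix. UseCanonicalName On: SERVER_NAME is
    the ServerName directive, whatever the client sent.
    IPv6 literals in brackets are out of scope for this model."""
    if use_canonical_name or not host_header:
        return configured_server_name
    host = host_header.split(":", 1)[0]
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"malformed Host header: {host_header!r}")
    return host


def reset_mail_headers(host_header, use_canonical_name=False):
    """Sender fields of a WordPress-style reset mail. WordPress's default
    sender is wordpress@<SERVER_NAME> (lower-cased, leading "www." removed),
    and the same value ends up in Return-Path as the bounce address."""
    name = server_name(host_header, use_canonical_name).lower()
    if name.startswith("www."):
        name = name[4:]
    sender = "wordpress@" + name
    return {"From": sender, "Return-Path": sender}


def reset_mail_is_spoofed(headers, expected_domain=VICTIM_DOMAIN):
    """True when the sender domain is not the site's own domain, i.e. when a
    reply or a bounce would leave the victim's mail infrastructure."""
    return headers["From"].rsplit("@", 1)[1] != expected_domain


if __name__ == "__main__":
    for canonical in (False, True):
        hdrs = reset_mail_headers("attacker-mxserver.com",
                                  use_canonical_name=canonical)
        print(f"UseCanonicalName {'On ' if canonical else 'Off'}: {hdrs} "
              f"spoofed={reset_mail_is_spoofed(hdrs)}")
```

Running the script shows the two configurations side by side: with the default the sender becomes wordpress@attacker-mxserver.com, with `UseCanonicalName On` and `ServerName victim-domain.com` it stays wordpress@victim-domain.com no matter what Host the client sends. The same `reset_mail_is_spoofed` check is what an outbound mail gateway could apply as a detection: a reset mail whose From or Return-Path domain is not the site's own domain should never leave the server.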

What is wrong with Vanilla Forums


A week after publishing the WordPress bug, Golunski also released information about two critical vulnerabilities in the popular open source software Vanilla Forums. The first (CVE-2016-10033) makes remote code execution possible, and the second (CVE-2016-10073) is similar to the WordPress flaw and allows the interception of password reset messages. No patch exists for either. The latest version, Vanilla Forums 2.3, is vulnerable, and the researcher is confident that earlier versions are vulnerable as well.



According to Golunski, remote shell command execution became possible in Vanilla Forums because its developers still ship a vulnerable version of PHPMailer, the popular open source library used to send email. The researcher found the vulnerabilities in January 2017 and reported them to the developers; after about five months with no fix, Golunski published the details. He had previously found the same PHPMailer issue exposed in WordPress.

Last year Golunski reported a critical vulnerability (CVE-2016-10033) in the PHPMailer library that allows remote execution of shell commands in the context of the web server, which means full compromise of the attacked web application. He has also recorded a video showing that the old PHPMailer exploit works unchanged against Vanilla Forums.



The researcher notes that the vulnerability can be exploited even when Vanilla Forums runs on an Apache server with several enabled virtual hosts and the attacked installation is not the default virtual host.

Until the Vanilla Forums developers release an update, Golunski recommends that administrators of sites running this software configure a fixed, static sender email address: the application then no longer derives the sender from the Host header, which blocks the attack.
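The mitigation Golunski recommends, as an added Python example that is my own code, not Vanilla Forums' or PHPMailer's: the sender address comes from static configuration, the request (including its Host header) is never consulted for it, and a strict validation gate rejects any sender string that is not a single plain mailbox. The gate matters because PHPMailer's sendmail transport passes the sender to the local sendmail binary as a command-line argument, so characters that could split or terminate that argument have to be refused, not just syntactically odd addresses. The `STATIC_SENDER` value and the header values are constructed for the example.

```python
# Added example (my own code, not Vanilla Forums' or PHPMailer's): a mail
# wrapper that takes the sender from static configuration, never from the
# request, and refuses any sender string that is not a single plain mailbox.
# Addresses and header values below are constructed for the example.
import re

STATIC_SENDER = "forum@victim-domain.com"   # assumed configured sender

# Plain local@domain only: no whitespace, quotes, backslashes, angle brackets
# or other characters that mean something to a shell or to sendmail's
# argument parser. Deliberately stricter than full RFC 5322 syntax.
_MAILBOX_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")


def validate_sender(addr):
    """Return addr unchanged if it is a single plain mailbox, else raise.
    PHPMailer's sendmail transport hands the sender to the sendmail binary
    as a command-line argument, so anything that could turn one argument
    into several (spaces, quotes, newlines) must be rejected here."""
    if not isinstance(addr, str) or not _MAILBOX_RE.fullmatch(addr):
        raise ValueError(f"refusing unsafe sender address: {addr!r}")
    return addr


def sender_for_request(request_headers, configured=STATIC_SENDER):
    """The sender to use for a message triggered by this request.
    request_headers is accepted only to make the contrast explicit: the
    Host header, and everything else in the request, is ignored."""
    return validate_sender(configured)


def build_outgoing_mail(request_headers, to, subject, body):
    """Envelope and headers for one outgoing message."""
    sender = sender_for_request(request_headers)
    return {"envelope_from": sender, "From": sender, "Return-Path": sender,
            "To": to, "Subject": subject, "Body": body}


if __name__ == "__main__":
    msg = build_outgoing_mail({"Host": "attacker-mxserver.com"},
                              to="admin@victim-domain.com",
                              subject="Password reset", body="...")
    print("From:", msg["From"])          # forum@victim-domain.com
    for bad in ("forum@victim-domain.com extra",
                'forum"@victim-domain.com',
                "<forum@victim-domain.com>",
                "forum@victim-domain.com\n"):
        try:
            validate_sender(bad)
        except ValueError as err:
            print(err)
```

The same `validate_sender` gate is worth placing in front of any mailer call whose sender can be influenced by configuration or user input, even after PHPMailer is upgraded: it turns a parsing problem in the transport into a refused request at the application boundary.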

To block attacks that use the described WordPress and Vanilla Forums vulnerabilities, Positive Technologies experts recommend dedicated protection tools; in particular, the PT Application Firewall web application firewall can stop attempts to exploit these flaws.

Source: https://habr.com/ru/post/328520/
