Unauthorized Password Reset in WordPress #8836
Conversation
Unauthorized Password Reset CVE-2017-8295
@robertofocke Thanks for the contribution. Please have a look at https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit. There are some code changes that need to be done before this module can be landed.
Travis build failed due to msftidy violations
Also note above request for rename to something like
@jmartin-r7 I am a new user of Metasploit and of the English language, sorry.
There is an error in the exploit because it does not work. :(
I sent you a PR with the coding violations fixed, allowing it to pass the built-in tests. But this PR will still need to be resubmitted from a git branch, as @void-in pointed out above. Please take a look at what I sent you and resubmit when ready. Thanks!
See robertofocke#1 - it looks big because I also had to change all of the hard tabs to spaces, which touched almost every line in the module.
https://github.com/robertofocke/metasploit-framework/pull/1/files?w=1 ignores the whitespace, so it is better for reviewing the changes.
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
Verification
List the steps needed to make sure this thing works
msfconsole
use auxiliary/wordpress/Unauthorized_Password_Reset
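The CVE text above boils down to one observable: a password-reset request arriving with a Host header that is not one of the site's real hostnames, which is what ends up in the From/Return-Path of the reset e-mail. The following Ruby script is an added detection example written for this thread; it is not part of the Metasploit module, of WordPress, or of the PR. It assumes an access log in the usual combined format extended with the Host header as a final quoted field, an allowlist of canonical hostnames (`CANONICAL_HOSTS`), and the constructed sample lines embedded below; all of those are assumptions, not values from the page.

```ruby
# Added detection example (not the module's or WordPress's own code).
# Flags wp-login.php?action=lostpassword requests whose Host header is not one
# of the site's canonical hostnames, the precondition for CVE-2017-8295 abuse.
require 'uri'
require 'cgi'

# Assumed allowlist of hostnames the site legitimately answers to.
CANONICAL_HOSTS = %w[blog.example.com www.example.com].freeze

# Assumed log format: combined log format plus the Host header as the last
# quoted field. Example of one constructed line:
# 203.0.113.5 - - [03/May/2017:10:15:30 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0" "attacker-mail.example.net"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?<host>[^"]*)"\z/

# Constructed sample lines: one legitimate reset, one reset with a foreign
# Host header, one reset with a port suffix on a canonical host, one GET of the
# reset form from a canonical host, and an ordinary login POST.
SAMPLE_LOG = [
  '198.51.100.7 - - [03/May/2017:10:14:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0" "blog.example.com"',
  '203.0.113.5 - - [03/May/2017:10:15:30 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0" "attacker-mail.example.net"',
  '198.51.100.9 - - [03/May/2017:10:16:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0" "BLOG.example.com:443"',
  '198.51.100.9 - - [03/May/2017:10:16:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "www.example.com"',
  '203.0.113.5 - - [03/May/2017:10:17:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "attacker-mail.example.net"'
].freeze

# Parses one log line into a hash, or returns nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line.to_s.strip)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], target: m[:target],
    status: m[:status].to_i, host: m[:host] }
end

# True when the request targets wp-login.php with action=lostpassword.
def lost_password_request?(entry)
  uri = URI.parse(entry[:target])
  return false unless uri.path.to_s.end_with?('/wp-login.php')
  Array(CGI.parse(uri.query.to_s)['action']).include?('lostpassword')
rescue URI::InvalidURIError
  false
end

# Lower-cases the host and drops any :port suffix so comparisons are stable.
def normalize_host(host)
  host.to_s.downcase.sub(/:\d+\z/, '')
end

# Returns the reset requests whose Host header is outside the allowlist.
def suspicious_reset_requests(lines, canonical_hosts = CANONICAL_HOSTS)
  allowed = canonical_hosts.map { |h| normalize_host(h) }
  lines.each_with_object([]) do |line, hits|
    entry = parse_line(line)
    next unless entry && lost_password_request?(entry)
    host = normalize_host(entry[:host])
    next if allowed.include?(host)
    reason = host.empty? ? 'missing Host header' : "unexpected Host header #{host}"
    hits << entry.merge(host: host, reason: reason)
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_reset_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ts]} #{hit[:ip]} #{hit[:method]} #{hit[:target]} -> #{hit[:reason]}"
  end
end
```

Only the second sample line is reported: the reset is triggered from a Host header the site does not own, which is exactly the condition that lets the reset key leave via a foreign sender domain. The mitigation on the WordPress side is to stop deriving the sender from SERVER_NAME (pin it to a fixed domain via the wp_mail_from filter, or configure the web server to serve WordPress only on its canonical hostnames); this script is the complementary log-side check for attempts that predate such hardening.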