
Unauthorized Password Reset in WordPress #8836

Closed
wants to merge 5 commits into from

Conversation

robertofocke

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/wordpress/Unauthorized_Password_Reset
  • set RHOST www.miwordpress.com
  • set EVILDOMAIN mievildomain.com
  • run
  • return code 200
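The mechanism described in the PR text above, as an added illustration that is neither WordPress code nor part of this Metasploit module: a Ruby sketch of how a reset mail's sender address ends up derived from SERVER_NAME (which the web server fills from the client-supplied Host header on a default virtual host), the hardened variant that takes the host from operator configuration instead, and a detection pass over constructed access-log lines. The log format, the function names, and the sample lines are all assumptions for this example.

```ruby
# Added illustration, not WordPress or Metasploit code. Models the pattern
# the PR describes: the From address of the password-reset mail is built
# from SERVER_NAME, which Apache/nginx populate from the request's Host
# header when the site is the default vhost.

require 'uri'

# Vulnerable pattern: trust whatever SERVER_NAME the web server derived
# from the request's Host header.
def reset_mail_from_vulnerable(server_name)
  "wordpress@#{server_name.downcase.sub(/\Awww\./, '')}"
end

# Hardened pattern: ignore the request entirely and use the site URL the
# operator configured (e.g. the configured home/site URL).
def reset_mail_from_hardened(configured_site_url)
  "wordpress@#{URI.parse(configured_site_url).host.downcase.sub(/\Awww\./, '')}"
end

# Detection: flag lost-password requests whose Host header is not one of
# the hostnames the site is actually served under. Assumed log format
# (a custom format that records the Host header):
#   <client> "<Host header>" "<request line>" <status>
LOG_LINE = /\A(\S+) "([^"]*)" "(\w+) (\S+) [^"]*" (\d{3})\z/

def suspicious_lostpassword_requests(log_lines, allowed_hosts)
  log_lines.filter_map do |line|
    m = LOG_LINE.match(line) or next
    client, host, _method, path, status = m.captures
    next unless path.include?('wp-login.php') && path.include?('action=lostpassword')
    next if allowed_hosts.include?(host.downcase)
    { client: client, host: host, path: path, status: status.to_i }
  end
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  '203.0.113.5 "www.example.org" "POST /wp-login.php?action=lostpassword HTTP/1.1" 302',
  '198.51.100.7 "attacker.example" "POST /wp-login.php?action=lostpassword HTTP/1.1" 302',
  '198.51.100.7 "attacker.example" "GET /index.php HTTP/1.1" 200',
].freeze

if __FILE__ == $PROGRAM_NAME
  puts reset_mail_from_vulnerable('attacker.example')       # sender now on a foreign domain
  puts reset_mail_from_hardened('https://www.example.org')   # sender pinned to configuration
  suspicious_lostpassword_requests(SAMPLE_LOG, ['www.example.org']).each { |hit| p hit }
end
```

The hardened function never consults the request at all, which is the whole point: a Host header an attacker controls must not influence where a reset key can be delivered. The detection helper is meant for sites whose web server logs the Host header; with the stock combined log format the header is absent and the check cannot be made from logs alone.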

@void-in
Contributor

void-in commented Aug 15, 2017

@robertofocke Thanks for the contribution. Please have a look at https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit. There are some code changes that need to be done before this module can be landed.
Some notable things which need to be part of this PR:

  • Two-line banner at the top:
      ##
      # This module requires Metasploit: https://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##
  • Two space soft indentation

  • File name should be all smalls and not camel style.

@jmartin-tech
Contributor

Travis build failed due to msftidy violations

modules/auxiliary/wordpress/Password_Reset.rb - [ERROR] Incorrect disclosure date format

Also note the above request to rename the file to something like password_reset.rb or the like; no capitalization in module file names, please.
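The review points raised by void-in and jmartin-tech above (banner, two-space indentation without hard tabs, lowercase file name, disclosure date format) collected into a small checker, as an added example; this is not msftidy and not part of the framework. The accepted date form `Mon DD YYYY` and the two sample module sources are assumptions made for this example; the real msftidy rules are the authoritative ones.

```ruby
# Added example, not Metasploit's msftidy. Encodes the review points from
# this thread as checks over a module's source text and file name.

require 'date'

# The four-line banner block every module must start with.
BANNER = [
  '##',
  '# This module requires Metasploit: https://metasploit.com/download',
  '# Current source: https://github.com/rapid7/metasploit-framework',
  '##',
].freeze

# Returns a list of human-readable violations (empty when the module is clean).
def check_module(filename, source)
  errors = []
  lines = source.lines.map(&:chomp)

  errors << 'missing or malformed banner' unless lines.first(4) == BANNER

  base = File.basename(filename)
  errors << 'file name must be lowercase' unless base == base.downcase

  tab_lines = lines.each_index.select { |i| lines[i].start_with?("\t") }.map { |i| i + 1 }
  errors << "hard tabs on line(s) #{tab_lines.join(', ')}" unless tab_lines.empty?

  if (m = source.match(/'DisclosureDate'\s*=>\s*'([^']*)'/))
    date = m[1]
    begin
      # Assumed accepted form: 'Aug 15 2017' (abbreviated month, day, year).
      raise ArgumentError unless date =~ /\A[A-Z][a-z]{2} \d{1,2} \d{4}\z/
      Date.strptime(date, '%b %d %Y')
    rescue ArgumentError
      errors << "incorrect disclosure date format: #{date.inspect}"
    end
  else
    errors << 'missing DisclosureDate'
  end

  errors
end

# Constructed sample sources (not the PR's module). The squiggly heredoc
# strips the common leading indentation, so the banner starts in column 0.
GOOD_MODULE = <<~RUBY
  ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##

  class MetasploitModule < Msf::Auxiliary
    def initialize(info = {})
      super(update_info(info,
        'Name' => 'Example',
        'DisclosureDate' => 'Aug 15 2017'))
    end
  end
RUBY

BAD_MODULE = "# no banner\nclass MetasploitModule\n\tdef initialize\n" \
             "\t\t'DisclosureDate' => '2017/05/03'\n\tend\nend\n"

if __FILE__ == $PROGRAM_NAME
  p check_module('password_reset.rb', GOOD_MODULE)   # []
  p check_module('Password_Reset.rb', BAD_MODULE)    # four violations
end
```

Running the checker over a module before opening the PR catches exactly the class of problem that failed the Travis build here; the date check rejects the value outright rather than guessing at an intended date, which is the safer behaviour for a linter.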

@robertofocke
Author

@jmartin-r7 I am a new user of Metasploit and of the English language, sorry.
What error do you have now?

@robertofocke
Author

There is an error in the exploit because it does not work. :(

@busterb
Member

busterb commented Aug 16, 2017

I sent you a PR with the coding violations fixed, allowing it to pass the builtin tests. But, this PR will still need to be resubmitted from a git branch, as @void-in pointed out above. Please take a look at what I sent you and resubmit when ready. Thanks!

@busterb busterb closed this Aug 16, 2017
@busterb
Member

busterb commented Aug 16, 2017

See robertofocke#1 - it looks big because I also had to change all of the hard tabs to spaces, which touched almost every line in the module.

@firefart
Contributor

https://github.com/robertofocke/metasploit-framework/pull/1/files?w=1 ignores the whitespace changes, so it is easier to review the changes there.
