VID: 22795
Severity: 10
Port: 80, ...
Protocol: TCP
Class: CGI

Detailed Description:
According to its self-reported version number, the WordPress application running on the remote web server is 4.7.x. It is, therefore, affected by a flaw in the wp_mail() function within file wp-includes/pluggable.php due to the improper usage of the SERVER_NAME variable, specifically when input from the HTTP Host header is assigned to SERVER_NAME. An unauthenticated, remote attacker can exploit this issue to reset arbitrary passwords by means of a crafted 'wp-login.php?action=lostpassword' request, which is then bounced or resent, resulting in the transmission of the reset key to a mailbox on an SMTP server under the attacker's control.
Note that exploitation of this vulnerability is not achievable in all cases because it requires at least one of the following conditions:
- The attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as five days).
- The victim's e-mail system sends an auto-response containing the original message.
- The victim manually composes a reply containing the original message.

References:
- https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
- http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
- https://core.trac.wordpress.org/ticket/25239
- https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname
Recommendation:
There is no official fixed release available from the vendor at this time.
It is possible to mitigate this vulnerability by taking steps to ensure that SERVER_NAME is constructed from a static value. For example, on Apache systems, enable the UseCanonicalName setting within the Apache configuration. This will force PHP to use the configured ServerName directive value instead of relying on the HTTP Host request header, which can be manipulated by an attacker.
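The Apache mitigation described above, written out as a constructed virtual-host fragment (added here; it is not part of the advisory or of WordPress). The hostname and DocumentRoot are placeholders.

```apache
# Constructed example (not from the advisory): pin SERVER_NAME to a static value.
# With UseCanonicalName Off (the Apache default), PHP's $_SERVER['SERVER_NAME']
# is derived from the client-supplied Host header, which wp_mail() then trusts
# when it builds the From address of the password-reset e-mail.
<VirtualHost *:80>
    # Static hostname that SERVER_NAME will be built from (placeholder value)
    ServerName blog.example.com
    ServerAlias www.blog.example.com

    # Use ServerName (not the Host header) for self-referential URLs and for
    # the SERVER_NAME / SERVER_PORT values passed to PHP.
    UseCanonicalName On

    DocumentRoot /var/www/wordpress
</VirtualHost>

# Requests whose Host header matches no vhost are served by the first
# (default) vhost, so that vhost needs the same two directives as well.
```

After reloading httpd, a request carrying a forged Host header should still report the configured ServerName in $_SERVER['SERVER_NAME'], which is the check that confirms the mitigation is active.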
Related URL: CVE-2017-8295 (CVE)
Related URL: 98295 (SecurityFocus)
Related URL: (ISS)