[Secure-testing-team] Bug#862053: wordpress: CVE-2017-8295

Markus Koschany apo at debian.org
Sun May 7 19:53:32 UTC 2017


Package: wordpress
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: important
Tags: security

Hi,

the following vulnerability was published for wordpress.

CVE-2017-8295[0]:
| WordPress through 4.7.4 relies on the Host HTTP header for a
| password-reset e-mail message, which makes it easier for remote
| attackers to reset arbitrary passwords by making a crafted
| wp-login.php?action=lostpassword request and then arranging for this
| message to bounce or be resent, leading to transmission of the reset
| key to a mailbox on an attacker-controlled SMTP server. This is
| related to problematic use of the SERVER_NAME variable in
| wp-includes/pluggable.php in conjunction with the PHP mail function.
| Exploitation is not achievable in all cases because it requires at
| least one of the following: (1) the attacker can prevent the victim
| from receiving any e-mail messages for an extended period of time
| (such as 5 days), (2) the victim's e-mail system sends an autoresponse
| containing the original message, or (3) the victim manually composes a
| reply containing the original message.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

No official patch has been published yet but there is an interesting assessment
at http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html

I think it makes sense to wait for an official WordPress response, but we could also
try to avoid the SERVER_NAME variable in this case.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8295
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

Please adjust the affected versions in the BTS as needed.
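The following PHP is an added example for this report, not code from the bug, from Debian or from WordPress itself. It reproduces the sender-address derivation that the CVE text attributes to wp_mail() in wp-includes/pluggable.php (a From address of wordpress@<SERVER_NAME>, where SERVER_NAME is populated from the client's Host header) and puts a hardened derivation beside it that takes the domain from the configured site URL instead, which the request cannot influence. The site URL https://blog.example.org, the forged Host value www.attacker.example and the use of the wp_mail_from filter to apply the fix are assumptions made for the example; the page does not describe an upstream patch.

```php
<?php
// Added example: not code from the Debian bug report or from WordPress.
// It contrasts the SERVER_NAME-based sender derivation described in
// CVE-2017-8295 with a derivation that ignores SERVER_NAME entirely.
//
// Assumptions (not stated on the page): the site is configured with
// siteurl https://blog.example.org, and the web server copies the client's
// Host header into SERVER_NAME (Apache's default, UseCanonicalName Off).

declare(strict_types=1);

/**
 * Vulnerable derivation: the sender domain is taken from SERVER_NAME, which
 * an attacker controls through the Host header of the crafted
 * wp-login.php?action=lostpassword request. Bounces and autoresponses to
 * the reset mail then go to a mailbox on the attacker's domain.
 */
function vulnerable_from_address(array $server): string
{
    $sitename = strtolower($server['SERVER_NAME']);
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

/**
 * Hardened derivation: the sender domain comes from the configured site URL
 * (in WordPress, get_option('siteurl') / home_url()). Returns null instead of
 * a bad address so the caller can refuse to send.
 */
function hardened_from_address(string $siteurl): ?string
{
    $host = parse_url($siteurl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    $host = strtolower($host);
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4);
    }
    // Only a plain hostname may reach a mail header: no '@', whitespace
    // or CR/LF that could smuggle additional headers.
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return 'wordpress@' . $host;
}

// When loaded inside WordPress (for example as an mu-plugin), pin the From
// address through the wp_mail_from filter so the request cannot change it.
// add_filter(), home_url() and the wp_mail_from filter are WordPress APIs.
if (function_exists('add_filter') && function_exists('home_url')) {
    add_filter('wp_mail_from', function (string $default): string {
        return hardened_from_address(home_url()) ?? $default;
    });
}

// Stand-alone demonstration with a constructed request environment.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $configured_siteurl = 'https://blog.example.org';            // constructed
    $forged_request = ['SERVER_NAME' => 'www.attacker.example']; // constructed: from a crafted Host header

    printf("vulnerable: %s\n", vulnerable_from_address($forged_request));
    printf("hardened:   %s\n", hardened_from_address($configured_siteurl) ?? '(refused)');
}
```

To check a live install, request a password reset for a test account with a bogus Host header and compare the From header of the mail that arrives with the configured site URL; if the bogus host appears, SERVER_NAME is reaching wp_mail(). Independently of the PHP side, an Apache administrator can stop SERVER_NAME from following the Host header at all by setting a fixed ServerName together with UseCanonicalName On, which is a reasonable Debian-side mitigation while an upstream fix is awaited.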
