Vulnerability exists only if no from_email is specified. This isn't an issue when using a mailing plugin which specifies from_email like wp stmp mail with correct settings. It can also be fixed by adding a filter for wp_mail_from to specify from_email by hand.
Well the vulnerability is listed as one in WordPress Core so I don't know that it's relevant that a plugin fixes it. The vulnerability still exists in WP Core, and most people are not going to have an SMTP plugin if email works out of the box.
I should've added more background to my earlier comment. Our wordpress sites are hosted on ec2 and by default mails sent from there end up in spam so we use SES. For that we need a plugin like wp smtp. I figured I'd give an ease of mind for similar use cases. I agree that a plugin is not the right solution especially if the provided functionality is not needed(smtp).
One given example is that – in the case of the Return-Path header being maliciously set – the attacker could perform a DoS attack on the victim's mailbox so that the password reset email would be sent as part of a non-delivery receipt.
It has to be combined with another attack. If the victim's mail server bounces the email it will be sent back to the attacker's mail server. One possible approach to do that is to fill the target email so they reach their quota.
I think the third scenario outlined is actually very realistic. A lot of people will default to seeking information or assistance by replying directly to the email that they're uncertain about.
Kind of makes me glad the Wordpress has finally become mature enough to have to be exploited in such a convoluted way. Hope they fix the issue soon and show maturity
Agreed. I tell people often that properly applying updates and using plugins and themes from trusted developers in conjunction with a service like Sucuri or WP Extra Care makes your site as close to impenetrable as is realistically possible.
> You should never directly work with the WordPress global variables, and it's bad practice to do so.
It's bad practice to use global variables, but you somehow blame the person who highlights this use, as opposed to the project that is littered with their use.
You're criticising 'plugins and templates' that make use of the global scope, while giving the WordPress core a free-ride for not just using global scope, but placing objects there that can be exploited.
That's exactly my point - the core is at fault for handing over global exec to the plugins and templates. It's a horrible design, and it appears there is little motivation to fix it but rather pass blame onto plugins.
I'm quite sure agencies like NSA want to keep Wordpress around for this. There will always be unpatched installations around and some they found that will not get disclosed.
From php.net, about using $_SERVER['SERVER_NAME'] :
Note: Under Apache 2, you must set UseCanonicalName = On and ServerName. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts.
That's two Apache directives, nothing to do with PHP directly.
You likely already have the ServerName entry, as 99.9% of apache installs would be using Vhosts these days.
The `UseCanonicalName = On` should be added to your vhost config file, or your global apache config file (e.g. /etc/apache2/apache2.conf on Debian)
Not necessarily. It depends how IIS is configured, I believe it will exhibit the same behaviour (SERVER_NAME is taken from the Host request header) in at least some circumstances, if not all.
DISCLAMER: Works only if you set WP_HOME explicitely.
if you define it dynamically based on $SERVER['HTTP_HOST']
this won't fix it. (using a switch with $SERVER['HTTP_HOST'] is fine, except if you set a default)
------[ wp-includes/pluggable.php before ]------
...
if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
$sitename = strtolower( $_SERVER['SERVER_NAME'] );
if ( substr( $sitename, 0, 4 ) == 'www.' ) {
$sitename = substr( $sitename, 4 );
}
$from_email = 'wordpress@' . $sitename;
}
...
-----------------------------------------
------[ wp-includes/pluggable.php after ]------
...
if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
$sitename = strtolower( WP_HOME );
if ( substr( $sitename, 0, 7 ) == 'http://' ) {
$sitename = substr( $sitename, 7 );
}
if ( substr( $sitename, 0, 8 ) == 'https://' ) {
$sitename = substr( $sitename, 8 );
}
if ( substr( $sitename, 0, 4 ) == 'www.' ) {
$sitename = substr( $sitename, 4 );
}
$from_email = 'wordpress@' . $sitename;
}
...
-----------------------------------------
edit: please test this on your setup before deploying it.
edit2: fixed with the help of apstls.
Isn't there a good (possible) URL parser out there so substr can be avoided? Manual string editing of data in a known format seems dirty and a source of possible bugs to me.
No, this was because WP security team ignored this issue. From the article:
> This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website.
> As there has been no progress in this case , this advisory is finally released to the public without an official patch (0day).
I'm not sure the author would necessarily know that this is true. The author also didn't say whether they informed WP Core that they were going to publish it.
Per the "revision history" the notes about a report sent in 2016 was added after initial publication ("Updated 'solution' section to clarify and highlight numerous resolution attempts"). So it isn't clear to me that communicating the exploit to the team was the top priority.
Regardless of the circumstances though, publishing it seems quite clearly tied to the promotion of their business. That's not necessarily bad assuming they were responsible in how they communicated the issue. I am admittedly reading tea leaves and just questioning whether this is the full story.
not PHP bug, but Apache bug:
"However, major web servers such as Apache by default set the SERVER_NAME variable
using the hostname supplied by the client (within the HTTP_HOST header):"
Not an Apache bug but Wordpress trusting client-supplied data where it shouldn't. SERVER_NAME coming from the HTTP Host header is intentional and documented behavior, ergo not a bug.
Not even an Apache bug, it's a config parameter where one case is dangerous but still maybe useful (but I can't think of example). The recommendation, if followed, mitigates
I tried to replicate this and couldn't. It seems this isn't so much a Wordpress issue as it is a poorly-setup-webserver issue.
If your nginx/apache setup is set to have "Host: * => wordpress", you're doing it wrong and this issue affects you.
But if you setup your server as you were supposed to, i.e. matching on the Host (server_name in nginx) to route to your blog, then obviously SERVER_NAME cannot be overwritten, and any attempts to exploit this will result in 404.
https://httpd.apache.org/docs/current/mod/core.html#usecanon... does say this:
"If CGIs make assumptions about the values of SERVER_NAME, they may be broken by this option. The client is essentially free to give whatever value they want as a hostname. But if the CGI is only using SERVER_NAME to construct self-referential URLs, then it should be just fine."
2) The thing I'm not understanding - wouldn't setting a "Host:" header change the directory being served in most virtual host configurations? For instance:
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
In most configurations the web server would look for a virtual host configuration matching "injected-attackers-mxserver.com" - and when not found would just return a 404 or error page, or possibly the default Apache/nginx directory? So to be vulnerable the WordPress install would need to be accessible via either A) a default config or B) an IP address.
3) It's odd there isn't a patch for this. WordPress already creates and stores a canonical "siteurl" on install, and this setting is not changed by any "$_SERVER" variable.
75 comments
[ 3.4 ms ] story [ 134 ms ] thread¹https://legalhackers.com/
As there has been no progress in this case , this advisory is finally released to the public without an official patch."
Ethics of disclosure is a long and nuanced debate
Edit: Missed the "reported in 2016" bit :/
I wouldn't call inventing their own user-land parameterised queries "secure": https://github.com/WordPress/wordpress-develop/blob/master/s...
global $current_user;
This is Wordpress, making it nearly impossible to clearly grasp what's going on leading to unknown amount of vulnerability at any given moment.
It's probably the dumbest code used by the mass.
Use wp_get_current_user: https://codex.wordpress.org/Function_Reference/wp_get_curren...
The largest attack surface for WP is poorly developed plugins and themes, not WordPress core.
It's bad practice to use global variables, but you somehow blame the person who highlights this use, as opposed to the project that is littered with their use.
You're criticising 'plugins and templates' that make use of the global scope, while giving the WordPress core a free-ride for not just using global scope, but placing objects there that can be exploited.
UseCanonicalName = On ServerName = www.mydomain.com
That's two Apache directives, nothing to do with PHP directly. You likely already have the ServerName entry, as 99.9% of apache installs would be using Vhosts these days.
The `UseCanonicalName = On` should be added to your vhost config file, or your global apache config file (e.g. /etc/apache2/apache2.conf on Debian)
DISCLAMER: Works only if you set WP_HOME explicitely. if you define it dynamically based on $SERVER['HTTP_HOST'] this won't fix it. (using a switch with $SERVER['HTTP_HOST'] is fine, except if you set a default)
edit: please test this on your setup before deploying it. edit2: fixed with the help of apstls.Perhaps http://stackoverflow.com/a/37987242/383694 would help.
One could [also] verify the domain resolves to the same IP as the server, it seems
> This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website.
> As there has been no progress in this case , this advisory is finally released to the public without an official patch (0day).
I'm not sure the author would necessarily know that this is true. The author also didn't say whether they informed WP Core that they were going to publish it.
Per the "revision history" the notes about a report sent in 2016 was added after initial publication ("Updated 'solution' section to clarify and highlight numerous resolution attempts"). So it isn't clear to me that communicating the exploit to the team was the top priority.
Regardless of the circumstances though, publishing it seems quite clearly tied to the promotion of their business. That's not necessarily bad assuming they were responsible in how they communicated the issue. I am admittedly reading tea leaves and just questioning whether this is the full story.
If your nginx/apache setup is set to have "Host: * => wordpress", you're doing it wrong and this issue affects you.
But if you setup your server as you were supposed to, i.e. matching on the Host (server_name in nginx) to route to your blog, then obviously SERVER_NAME cannot be overwritten, and any attempts to exploit this will result in 404.
3) It's odd there isn't a patch for this. WordPress already creates and stores a canonical "siteurl" on install, and this setting is not changed by any "$_SERVER" variable.