On WordPress
WordPress is a personal publishing platform focused on aesthetics, usability and web standards. Although WordPress is free open-source software, its value cannot be measured in money.
With WordPress you can build a powerful web information publishing platform, but it is most often used to run a blog. For blog use, WordPress frees you from back-end technical concerns so that you can concentrate on producing good website content.
According to w3techs.com's real-time market statistics, WordPress accounts for 58.9 per cent of all websites that use a content management system, and for about 27.9 per cent of all websites.
![](/Article/UploadPic/2017-5/201755121115990.png)
Vulnerability overview
Discovered by: dawid_golunski
Severity: severe
Vulnerability details
This vulnerability is the PHPMailer vulnerability CVE-2016-10033 as reached through WordPress core code. It requires no authentication and no plugin, and is exploitable in the default configuration. A remote attacker could exploit it to execute code. Because the impact is large, after consultation with the WordPress team it was decided to postpone publication of the WordPress-specific details until the update is out.
```php
if ( ! isset( $from_email ) ) {
    // Get the site domain and get rid of the www.
    // SERVER_NAME is taken from the web server, which (by default) copies it from the Host header.
    $sitename = strtolower( $_SERVER['SERVER_NAME'] );
    if ( substr( $sitename, 0, 4 ) == 'www.' ) {
        $sitename = substr( $sitename, 4 );
    }
    // The attacker-influenced hostname becomes the domain part of the From address.
    $from_email = 'wordpress@' . $sitename;
}
```
WordPress derives the sender's email domain from the SERVER_NAME server variable whenever the wp_mail() function is called to send email, for example on user registration or in the Forgot Password flow. This can be seen in the line
$from_email = 'wordpress@' . $sitename;
The value is then filtered and passed to PHPMailer's vulnerable setFrom() function. For the relevant details, please review:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-exec-CVE-2016-10033-Vuln.html
Injection
In Apache's default configuration, which is the most common WordPress deployment, the SERVER_NAME server variable is populated from the HTTP request's Host header.
To verify this, consider the following vars.php request and response:
```
GET /vars.php HTTP/1.1
Host: xenialINJECTION

HTTP/1.1 200 OK
Server: Apache

Array
(
[HTTP_HOST] => xenialINJECTION
[SERVER_SOFTWARE] => Apache/2.4.18 (Ubuntu)
[SERVER_NAME] => xenialinjection
…
```
We can see that the INJECTION string appended to the hostname in the Host header is copied into both the HTTP_HOST and SERVER_NAME PHP variables.
Using the Host header in this way, an attacker can trigger the wp_mail() function through WordPress's lost password feature. The HTTP request would look similar to:
```
POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: xenialINJECT
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close

user_login=admin&redirect_to=&wp-submit=Get+New+Password
```
This results in the following parameters being passed to /usr/sbin/sendmail:
```
The Arg no. 0 == [/usr/sbin/sendmail]
The Arg no. 1 == [-t]
The Arg no. 2 == [-i]
The Arg no. 3 == [-fwordpress@xenialinject]
```
Note that the first three parameters are fixed. The domain part of the email address matches the Host header of the request, except that "INJECT" has been converted to lower case.
To exploit the PHPMailer mail() injection vulnerability, the attacker would need to add extra parameters within the domain portion. However, the filtering and validation performed on both the WordPress side and in the PHPMailer library
prevent an attacker from injecting a space, a null character or a TAB, and so from injecting additional parameters to the sendmail binary.
For example, if the attacker modifies the Host header to the following:
```
POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: xenialINJECT SPACE
```
validation fails with an invalid-domain-part error, and the WordPress application exits with the HTTP response:
```
HTTP/1.0 500 Internal Server Error
```
In this case the PHPMailer function is never reached and the sendmail binary is not executed.
PHPMailer's validateAddress() function and PHP's filter_var() with FILTER_VALIDATE_EMAIL both follow the RFC 822 standard.
For more details, please see:
<http://php.net/manual/en/filter.filters.validate.php>
That standard forbids spaces in the domain part, which is what prevents the injection of additional parameters to /usr/sbin/sendmail.
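As an added example (not code from the original article, WordPress or PHPMailer), the following Python mirrors the From-address derivation quoted above and shows the defensive counterpart: checking the Host header against a strict hostname grammar and an operator allowlist, and flagging access-log lines whose Host value fails that check. The TRUSTED_HOSTS set, the log format and the sample log lines are assumptions constructed for this example.

```python
import re

# Assumption: operator-supplied allowlist of hostnames this site legitimately answers for.
TRUSTED_HOSTS = {"xenial", "www.xenial"}

# RFC 1123 hostname labels: letters, digits and hyphens only, so no whitespace, quotes or
# parentheses can reach SERVER_NAME and, from there, the sendmail -f argument.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def derive_from_email(server_name: str) -> str:
    """Mirror of the WordPress logic quoted above: lowercase SERVER_NAME, strip a leading 'www.'."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename

def host_header_is_safe(host: str) -> bool:
    """Accept a Host value only if it is a well-formed hostname (optional :port)
    AND is on the allowlist; anything else should not become SERVER_NAME."""
    name, _, port = host.partition(":")
    if port and not port.isdigit():
        return False
    return bool(_HOSTNAME_RE.match(name)) and name.lower() in TRUSTED_HOSTS

def flag_suspicious_hosts(log_lines):
    """Return (line_no, host) for access-log lines whose Host value fails the check.
    Assumed (constructed) log format: '<ip> - - [<ts>] "<request>" <status> host="<Host>"'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'host="([^"]*)"', line)
        if m and not host_header_is_safe(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines, modelled on the requests shown in the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/May/2017:12:11:15 +0000] "GET /vars.php HTTP/1.1" 200 host="xenial"',
    '10.0.0.5 - - [05/May/2017:12:11:16 +0000] "GET /vars.php HTTP/1.1" 200 host="xenialINJECTION"',
    '10.0.0.5 - - [05/May/2017:12:11:17 +0000] "POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1" 500 host="xenialINJECT SPACE"',
    '10.0.0.5 - - [05/May/2017:12:11:18 +0000] "GET / HTTP/1.1" 200 host="www.xenial:8080"',
]

if __name__ == "__main__":
    for n, host in flag_suspicious_hosts(SAMPLE_LOG):
        print(f"line {n}: untrusted Host {host!r} -> WordPress would derive {derive_from_email(host)!r}")
```

The same allowlist check belongs at the web server (for example by answering only for configured server names) so that an arbitrary Host value never reaches PHP in the first place.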