There is a password reset vulnerability, caused by a data leak from the debug log file, in the WordPress plugin Easy WP SMTP.
A few hours ago, “WP eCommerce” released Easy WP SMTP WordPress plugin version 1.4.3, which patches the easily exploitable and dangerous vulnerability discovered by NinTechNet.
Easy WP SMTP plugin version 1.4.2 and older versions are vulnerable to sensitive information disclosure. The plugin has more than 500,000 active installs.
It is hard to estimate the actual number of vulnerable installations because several prerequisites must be met before the vulnerability can be exploited.
Vulnerability: Unauthenticated admin password reset
Fixed in version: 1.4.3
Number of sites impacted: 500 000+
Vulnerability within Easy WP SMTP WordPress plugin
First we have to mention that Easy WP SMTP includes a debug log function. When enabled, this function writes all details about WordPress e-mail messages to a .txt file, including the e-mail content in plain text. The content of these e-mail messages is the most significant threat in this case.
When you initiate the password reset procedure, WordPress sends an e-mail containing a temporary, user-specific link, and that link leads to a password reset form that allows you to set a new password for the account.
This procedure is safe as long as the mail system is safe and no one except the actual user receives those e-mails with password recovery links. It turned out that the Easy WP SMTP plugin did not have the necessary protection for the contents of its main directory.
The Easy WP SMTP plugin originally did not include any index.html or index.php file in its main directory, where these log files are stored.
This is not an issue on sites hosted on servers with a sufficiently secure configuration, or on sites with other security hardening measures or tools that prevent directory listing. If the server configuration allows directory listing and nothing else prevents it, there is a security risk.
In that case, all files and directories are visible, including the log file that contains the sensitive information.
Once the prerequisites are met (the log function is enabled and the directory is accessible), all that remains is to enumerate or guess the username or e-mail address of the user whose password is to be reset.
The password reset process is then initiated from the WordPress login form by clicking the “Lost your password?” link, which asks for the username or e-mail address of the user whose password is to be reset.
Right after that, WordPress sends the e-mail containing the password reset link. The log file now holds the contents of this e-mail, which means anyone who can read the file can use the link to reset the password. An attacker can reset the password of any user with any privileges; the vulnerability is not limited to any specific username or user role.
As you can see, this vulnerability is easy to exploit. It requires no special knowledge, which makes it even more dangerous.
While you can update the plugin to the latest available version (1.4.3), which fixes the directory listing, we think a bit more is needed if you still want to keep the logging function turned on.
In many situations, the plugin directory may already have been indexed by Google and possibly other search engines. Having directory listing switched off will not prevent sensitive information leaks if the attacker can find the actual log file name in search engine results (SERPs).
If an attacker knows the full path to the log file, they can access it directly, even with directory listing disabled.
If you have WebARX installed, you are protected from this vulnerability, but it is still strongly advised to update or delete vulnerable plugins from your site.
We advise everyone to update the plugin, disable directory listing on your site through the server configuration or .htaccess tweaks, turn the logging functionality off, delete the old log file, and turn logging on only when it is really needed. The new log file will have a new random name, so it cannot be traced and indexed through Google dorking of SERPs.
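A small local audit script, added here as an example (not part of the advisory and not the plugin's own code), checks the two filesystem-level points from the recommendations above: that the plugin directory now contains an index.html or index.php, and that no stale plain-text debug log is left behind. It runs on the server itself and makes no network requests. The plugin directory path `wp-content/plugins/easy-wp-smtp`, the `.txt` log extension taken from the description above, the allowlist of ordinary plugin text files, and the `action=rp` / `key=` pattern of WordPress reset links are assumptions of this example.

```python
"""Local audit helper for leftover Easy WP SMTP debug logs (added example)."""
from __future__ import annotations

import argparse
from pathlib import Path

# Assumption: the debug log is a .txt file in the plugin's main directory.
LOG_SUFFIX = ".txt"
# Assumption: index files that hide the directory content if listing is enabled.
INDEX_FILES = ("index.html", "index.php")
# Assumption: ordinary plugin text files that are not debug logs.
KNOWN_TEXT_FILES = {"readme.txt", "license.txt", "changelog.txt"}


def contains_reset_link(path: Path) -> bool:
    """True if the file holds a WordPress password reset link (wp-login.php?action=rp&key=...)."""
    text = path.read_text(errors="replace")
    return "action=rp" in text and "key=" in text


def audit_plugin_dir(plugin_dir: str | Path) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    plugin_dir = Path(plugin_dir)
    findings: list[str] = []
    if not plugin_dir.is_dir():
        return [f"plugin directory not found: {plugin_dir}"]

    # Check 1: without an index file, directory listing (if enabled) reveals file names.
    if not any((plugin_dir / name).is_file() for name in INDEX_FILES):
        findings.append(
            f"no index.html/index.php in {plugin_dir}: directory listing would expose file names"
        )

    # Check 2: any unexpected .txt file may be an old debug log holding reset e-mails.
    for path in sorted(plugin_dir.iterdir()):
        if not path.is_file() or path.suffix != LOG_SUFFIX:
            continue
        if path.name.lower() in KNOWN_TEXT_FILES:
            continue
        message = f"possible stale debug log: {path}"
        if contains_reset_link(path):
            message += " (contains password reset links)"
        findings.append(message)
    return findings


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Audit the Easy WP SMTP plugin directory")
    parser.add_argument("wp_root", help="path to the WordPress root directory")
    args = parser.parse_args()
    # Assumed plugin location relative to the WordPress root.
    target = Path(args.wp_root) / "wp-content" / "plugins" / "easy-wp-smtp"
    for finding in audit_plugin_dir(target) or ["ok: no findings"]:
        print(finding)
```

The script only reports; deleting the flagged log and turning the debug option off are still manual steps, as the recommendations above describe. Run it again after the cleanup to confirm it prints `ok: no findings`.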
Disabling directory listing on your site
Directory listing is part of the web server configuration. If you have noticed that your server configuration allows directory listing but you do not have the rights to change the server configuration, you can override some parameters by adding small snippets to your .htaccess file.
To disable directory listing, add this line to the .htaccess file located in the root (main) directory of your website:
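The snippet itself did not survive extraction. The following is an added example, not the advisory's own text, of the root .htaccess directive that turns directory listing off (this is the Apache `Options -Indexes` directive). It also adds a rewrite rule that the advisory does not include: a 403 for direct requests to .txt files inside the plugin directory, covering the case described above where the attacker already knows or has indexed the log file name. The plugin path `wp-content/plugins/easy-wp-smtp` is an assumption of this example.

```apache
# Root .htaccess of the WordPress site (added example)

# Turn off directory listing for this directory and everything below it.
Options -Indexes

# Added hardening (not part of the advisory): refuse direct requests for
# plain-text files inside the plugin directory, so a known or indexed log
# file name no longer yields its contents. Path is an assumption.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-content/plugins/easy-wp-smtp/.*\.txt$ - [F,L]
</IfModule>
```

`Options -Indexes` only takes effect if the server's `AllowOverride` setting for the document root includes `Options`; if it does not, Apache answers every request with a 500 error until the line is removed, so check a staging copy first. The rewrite rule is deliberately limited to the plugin directory so that files such as robots.txt elsewhere on the site keep working.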
We recommend doing this because attackers can use directory listing for reconnaissance and other attacks.
06.12.2020 – Public exploitation detected by https://profiles.wordpress.org/mathieg2/
07.12.2020 – Plugin received patch 1.4.3 (added index.html to the directory)