CVE-2021-27200
📋 TL;DR
CVE-2021-27200 is a critical authentication bypass vulnerability in WoWonder's password recovery system. Attackers can predict password reset codes based on time of day, allowing them to take over any user account. All WoWonder 3.0.4 installations with default configuration are affected.
💻 Affected Systems
- WoWonder Social Network Platform
📦 What is this software?
Wowonder by Wowonder
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts including administrators, leading to data theft, privilege escalation, and full system takeover.
Likely Case
Account takeover of targeted users, unauthorized access to sensitive data, and potential lateral movement within the system.
If Mitigated
Limited impact if strong network controls prevent external access, but internal users could still be compromised.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute. Attackers only need to predict the reset code based on time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.5 and later
Vendor Advisory: https://www.wowonder.com
Restart Required: No
Instructions:
1. Upgrade WoWonder to version 3.0.5 or later.
2. Replace the vulnerable recover.php file with the patched version.
3. No server restart is required for PHP applications.
🔧 Temporary Workarounds
Disable Password Recovery
Temporarily disable the password recovery functionality to prevent exploitation.
# Rename or remove recover.php file
mv /path/to/wowonder/recover.php /path/to/wowonder/recover.php.disabled
Implement Rate Limiting
Add rate limiting to password reset requests to make brute-force attacks more difficult.
# Configure web server rate limiting (nginx example)
limit_req_zone $binary_remote_addr zone=reset:10m rate=1r/m;
location ~* recover\.php { limit_req zone=reset burst=5; }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious password reset patterns
- Monitor and alert on unusual password reset activity, especially multiple attempts from single IPs
🔍 How to Verify
Check if Vulnerable:
Check whether recover.php exists and examine its code for weak cryptographic algorithms, in particular reset codes derived from the current time rather than from a cryptographically secure random source. Version check: grep for 'WoWonder Version' in the configuration files or check the admin panel.
Check Version:
grep -ri 'WoWonder.*Version' /path/to/wowonder/ || grep -i version /path/to/wowonder/config.php
Verify Fix Applied:
Verify that the WoWonder version is 3.0.5 or later. Check that recover.php generates reset codes from a cryptographically secure random source, with an expiry and single use, rather than deriving them from the current time.
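The property the check above looks for, shown as an added Python illustration rather than WoWonder's own (PHP) code: a reset token drawn from a CSPRNG, stored only as a hash, bound to a short expiry, compared in constant time and invalidated after one use. The `ResetTokenStore` class, the in-memory dictionary store and the injectable clock are assumptions made for the example.

```python
"""Added example: a reset-token lifecycle with none of the predictability the advisory
describes. Not WoWonder code; the store and the clock hook are illustrative."""
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy from the OS CSPRNG
TTL_SECONDS = 15 * 60     # tokens die after 15 minutes whether used or not


def _digest(token: str) -> str:
    # Only a hash is persisted, so a leaked store does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """In-memory stand-in for the table that would hold pending reset requests."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock, so expiry can be tested
        self._pending = {}                 # user_id -> (sha256 hex digest, expiry epoch)

    def issue(self, user_id: str) -> str:
        # secrets.token_urlsafe reads the OS CSPRNG; nothing here depends on the clock
        # except the expiry timestamp, which is not part of the token.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[user_id] = (_digest(token), self._now() + TTL_SECONDS)
        return token                       # sent to the user's registered e-mail

    def redeem(self, user_id: str, presented: str) -> bool:
        """True exactly once, for the live token of this user; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            self._pending.pop(user_id, None)   # expired: drop it, force a fresh request
            return False
        # Constant-time comparison so a wrong guess leaks nothing through timing.
        ok = hmac.compare_digest(digest, _digest(presented))
        if ok:
            self._pending.pop(user_id, None)   # single use: a replayed token fails
        return ok


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print("first redeem:", store.redeem("alice", t))    # True
    print("replay:", store.redeem("alice", t))          # False
```

Two tokens issued for the same user at the same second are unrelated to each other and to the wall clock, which is the observable difference from the vulnerable behaviour the TL;DR describes.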
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from single IP
- Successful password resets for multiple accounts from same IP in short timeframe
- Unusual password reset patterns outside normal business hours
Network Indicators:
- HTTP POST requests to recover.php with predictable code patterns
- Rapid succession of password reset requests
SIEM Query:
source=web_logs (url="*recover.php*") | stats count by src_ip, user_agent | where count > 5
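The log and network indicators above, applied to web server access logs as an added Python example (not part of the advisory and not a WoWonder component). It parses combined-format lines, reproduces the SIEM query's grouping by source IP and user agent with the same threshold of more than 5 hits, adds a sliding-window check for rapid succession and an after-hours check. The log lines are constructed for the example; the 10-minute window and the 08:00-18:00 business hours are assumptions.

```python
"""Added detection example: run the advisory's log indicators over access-log lines.
The SAMPLE_LOG lines are constructed, not captured traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by nginx and Apache by default; only the fields the
# checks need are captured by name.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one host sends seven reset requests in under three minutes at
# night; a second host performs a single reset during the day.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2021:02:10:01 +0000] "POST /recover.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Feb/2021:02:10:14 +0000] "POST /recover.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Feb/2021:02:10:31 +0000] "POST /recover.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Feb/2021:02:10:47 +0000] "POST /recover.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Feb/2021:02:11:03 +0000] "POST /recover.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Feb/2021:02:11:20 +0000] "POST /recover.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [15/Feb/2021:02:12:30 +0000] "POST /recover.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.10 - - [15/Feb/2021:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Feb/2021:14:05:40 +0000] "POST /recover.php HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0"
"""


def parse(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def reset_requests(lines):
    """Yield parsed records whose path targets recover.php, whatever the method."""
    for line in lines:
        rec = parse(line)
        if rec and "recover.php" in rec["path"].lower():
            yield rec


def suspicious_sources(lines, threshold=5):
    """Same grouping as the SIEM query: recover.php hits by (src_ip, user_agent),
    keeping only pairs with more than `threshold` hits."""
    counts = defaultdict(int)
    for rec in reset_requests(lines):
        counts[(rec["ip"], rec["ua"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def burst_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """'Rapid succession' indicator: IPs exceeding `threshold` recover.php requests
    within any span of length `window`; the value is the largest burst seen."""
    stamps_by_ip = defaultdict(list)
    for rec in reset_requests(lines):
        stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):       # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            size = end - start + 1
            if size > threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged


def after_hours_sources(lines, open_hour=8, close_hour=18):
    """IPs requesting recover.php outside business hours (log timestamps' own zone)."""
    return {rec["ip"] for rec in reset_requests(lines)
            if not open_hour <= rec["ts"].hour < close_hour}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("by ip+ua, >5 hits:", suspicious_sources(lines))
    print("bursts:", burst_sources(lines))
    print("after hours:", after_hours_sources(lines))
```

Tune the window and the thresholds to the site's real reset volume before alerting on them; the point of the burst check over the plain count is that it keeps firing even when an attacker spreads requests across a long retention period.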