[wp-trac] Re: [WordPress Trac] #4606: Redirection Vulnerability in wp-pass.php
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 26 11:47:16 GMT 2007
#4606: Redirection Vulnerability in wp-pass.php
------------------------------------------------------------+---------------
Reporter: snakefoot | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.2.3
Component: Security | Version: 2.0.10
Severity: major | Resolution:
Keywords: developer-feedback has-patch security redirect |
------------------------------------------------------------+---------------
Changes (by hakre):
* keywords: developer-feedback => developer-feedback has-patch security redirect
Comment:
As the milestone-change was made from 2.2.2 to 2.2.3: no. I just tested it
against 2.2.3 alpha and it's not fixed therein either.
I thought that this should be taken seriously so I analyzed it and made a
fix:
= Analysis =
* In effect, the problem is based on unfiltered user data.
* User data is injected via the _wp_http_referer query parameter of a GET request.
* The reported problem can be invoked by requesting /wp-pass.php.
* In /wp-pass.php on line 10, WordPress's global redirect handler ''wp_redirect()'' is called, passing ''wp_get_referer()'' as parameter.
* ''wp_get_referer()'' injects the value into the ''wp_redirect()'' handler.
* ''wp_get_referer()'' is defined in /wp-includes/functions.php on line 874ff.
* It returns `$_REQUEST['_wp_http_referer']` in this case, which is then passed to ''wp_redirect()''.
* ''wp_redirect()'' is defined in /wp-includes/pluggable.php on line 393ff.
* Apart from some design flaws in this routine, it does what it should: perform the redirect.
* The problem is passing the returned value of ''wp_get_referer()'' directly to ''wp_redirect()'' without checking for valid input.
* A fix has to be applied in /wp-pass.php.
= Solution =
* /wp-pass.php should only redirect to addresses on the current server (domain-based security).
* This can be achieved by comparing the referer against the blog configuration.
* This way of solving it is done by the attached patch.
= Testing Documentation =
1. Requested `/wp-pass.php?_wp_http_referer=http://localhost/`
2. No redirection is made.
3. Requested `/wp-pass.php?_wp_http_referer=http://webroot.loc/wordpress/`
4. Redirect is properly done.
Redirects to other domains aren't possible any longer. The script still redirects to URLs on the same domain.
--
Ticket URL: <http://trac.wordpress.org/ticket/4606#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
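The attached patch itself is not reproduced on this page. The following is an added example, not hakre's patch or WordPress code, of the domain-based check the comment describes: the _wp_http_referer value is only accepted as a redirect target when its host matches the blog's configured home address (passed in here as `$home_url`; in WordPress that would be `get_option('home')`). It also covers a few malformed inputs the ticket's two test requests do not exercise, such as scheme-relative and userinfo-bearing URLs.

```php
<?php
// Added example (not the ticket's attached patch): same-host check for a
// redirect target taken from the request, compared against the blog's home URL.
function is_local_redirect_target(string $url, string $home_url): bool
{
    $home = parse_url($home_url);
    if ($home === false || empty($home['host'])) {
        return false; // misconfigured home URL: refuse rather than guess
    }

    $target = parse_url($url);
    if ($target === false) {
        return false; // unparseable input from the request
    }

    // Relative target such as "/wp-login.php": no host and no scheme, stays
    // on this server. "//evil.example/" is parsed WITH a host, so it is not
    // accepted by this branch.
    if (empty($target['host'])) {
        $path = $target['path'] ?? '';
        return !isset($target['scheme']) && $path !== '' && $path[0] === '/';
    }

    // Only plain http(s) targets; anything else (javascript:, data:, ...) is refused.
    $scheme = strtolower($target['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    // "http://webroot.loc@evil.example/" carries the real host after the '@';
    // parse_url reports it as user + host, so any userinfo part is refused.
    if (isset($target['user']) || isset($target['pass'])) {
        return false;
    }

    return strcasecmp($target['host'], $home['host']) === 0;
}

// Constructed configuration and cases; the first two are the ticket's test requests.
$home  = 'http://webroot.loc/wordpress';
$cases = [
    'http://localhost/'                 => false,
    'http://webroot.loc/wordpress/'     => true,
    '//evil.example/'                   => false,
    'http://webroot.loc@evil.example/'  => false,
    '/wordpress/wp-login.php'           => true,
    'javascript:void(0)'                => false,
];
foreach ($cases as $url => $expected) {
    $ok = is_local_redirect_target($url, $home) === $expected ? 'ok  ' : 'FAIL';
    echo "$ok $url\n";
}
```

In wp-pass.php the call would then only reach `wp_redirect()` when the check returns true, otherwise falling back to the blog's home URL.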