[wp-trac] [WordPress Trac] #4819: wp_redirect() Input Validation
Bypass Vulnerability / Filter Bypass Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 26 13:08:23 GMT 2007
#4819: wp_redirect() Input Validation Bypass Vulnerability / Filter Bypass
Vulnerability
---------------------+------------------------------------------------------
Reporter: hakre | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.2.3
Component: General | Version: 2.2.2
Severity: normal | Keywords:
---------------------+------------------------------------------------------
While doing the analysis for #4606 it came to my attention that the input
sanitization in wp_redirect() on header values containing %0a and %0d has
a flaw. This is fixed by the attached patch. A proof of concept of how to
bypass %0a and %0d is trivial if you take a look into the changes, so I did
not publish it. The patch is, as always, against SVN, but this applies to 2.2.2
as well. I have not checked this with older versions; they might be
affected as well.
= Problem =
The way ''wp_redirect()'' removes `%0d` and `%0a` from ''$location'' does
not work properly.
= Solution =
It has to be checked for all char-sequences iteratively instead of only
one time per entity.
--
Ticket URL: <http://trac.wordpress.org/ticket/4819>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
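
The difference between removing each sequence once and removing until nothing changes, as an added example that is not part of the ticket, the attached patch, or the WordPress source. The function names and sample strings are constructed for illustration, and case-insensitive matching is an assumption made here because percent-encoded hex digits may be upper or lower case.

```php
<?php
// Added illustration, not WordPress code. All names here are hypothetical.

// The two encoded line-break sequences named in the ticket.
const STRIP_SEQUENCES = ['%0d', '%0a'];

// Stand-in for the flawed approach: each sequence is removed in one pass,
// in array order. A sequence that only forms after a removal is left behind.
function strip_once(string $location): string {
    return str_ireplace(STRIP_SEQUENCES, '', $location);
}

// The approach the ticket's Solution describes: repeat the removal until a
// full pass finds nothing. Every removal shortens the string, so this ends.
function strip_until_stable(string $location): string {
    do {
        $location = str_ireplace(STRIP_SEQUENCES, '', $location, $count);
    } while ($count > 0);
    return $location;
}

// Regression check: does the sanitized value still hold %0a or %0d?
function has_encoded_newline(string $value): bool {
    return preg_match('/%0[ad]/i', $value) === 1;
}

// Constructed sample values: a plain case and a nested case in which
// removing one sequence joins the surrounding characters into the other.
$samples = [
    'http://example.com/a%0d%0ab',
    'http://example.com/a%0%0adb',
];

foreach ($samples as $input) {
    $once   = strip_once($input);
    $stable = strip_until_stable($input);
    printf(
        "%-30s once=%-26s residual=%-3s stable=%-24s residual=%s\n",
        $input,
        $once,
        has_encoded_newline($once) ? 'yes' : 'no',
        $stable,
        has_encoded_newline($stable) ? 'yes' : 'no'
    );
}
```

A check like `has_encoded_newline()` on the sanitizer's output is a useful unit-test assertion for any strip-style filter, since it fails on the one-pass version for nested input and passes on the fixed-point version.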