[wp-trac] [WordPress Trac] #28469: Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)
WordPress Trac
noreply at wordpress.org
Fri Jun 6 09:52:16 UTC 2014
#28469: Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)
--------------------------+-----------------------------
Reporter: blackswallow | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: ui |
--------------------------+-----------------------------
However, I found that "wp-login.php" has an open redirection
vulnerability. That means WP login plugin is vulnerable.
It is assigned CVE-2014-2229.
WP Login is one of the most powerful WordPress login plugins and it is widely
used, i.e.
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F [1]
http://rocketsquids.squidoo.com/wp-login.php?redirect_to=http%3A%2F%2Frocketsquids.squidoo.com
https://managewp.com/wp-login.php?redirect_to=https%3A%2F%2Fmanagewp.com%2F3-8-7-worker-update-news
The vulnerability exists at the "wp-login.php" page with the "redirect_to"
parameter, e.g.
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.google.com
(1) When a user clicks the URL ([1]) above, the "WordPress login" page
appears. The user needs to enter his/her username and password. When this
is done, the user is redirected to a webpage belonging to the website that
installs the "WP Login" plugin.
However, it seems that "WP Login" allows some other domains, i.e.
google.com.
Now, a user could be redirected from "WP login" to a vulnerable URL in
google first and later be redirected from this vulnerable site to a
malicious site. This is as if being redirected from "WP login" directly.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE
(9.0.15) in Windows 7.
(2) I will use the following tests to illustrate the scenario I painted
above.
The redirected webpage address is "http://www.tetraph.com". It's one of my
webpages. We can suppose that this webpage is malicious.
Vulnerable URL:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com%2F
POC:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q
I have made a POC video for illustration. The video is available upon
request.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28469>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
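A host-allowlist check for the "redirect_to" value discussed in the ticket, added here as an example that is not WordPress core code nor the reporter's; the function name safe_redirect_target, the allowlist parameter and the fallback path are assumptions. It also shows why allowlisting a third-party host such as google.com does not help when that host runs its own redirector, which is exactly the chain the report describes.

```php
<?php
// Added example, not WordPress core or the reporter's code. A redirect_to value
// is accepted only when it stays on the site's own host or on an explicitly
// allowlisted host; anything else falls back to a fixed local path.
// safe_redirect_target, $allowed_hosts and the fallback path are assumptions.

function safe_redirect_target(string $redirect_to, string $site_host,
                              array $allowed_hosts = array(), string $fallback = '/wp-admin/'): string
{
    $url = trim($redirect_to);
    if ($url === '') {
        return $fallback;
    }
    // "//host" and "/\host" are scheme-relative in browsers and would leave the site.
    if (strlen($url) >= 2 && ($url[0] === '/' || $url[0] === '\\')
        && ($url[1] === '/' || $url[1] === '\\')) {
        return $fallback;
    }
    // A plain path stays on the current host.
    if ($url[0] === '/') {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;          // "http:evil.example", bare words, javascript:, ...
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return $fallback;          // ftp:, data: and any other scheme with a host part
    }
    // Compare the parsed host only: "http://en.wordpress.com@evil.example/" has host evil.example.
    $host    = strtolower($parts['host']);
    $allowed = array_map('strtolower', array_merge(array($site_host), $allowed_hosts));
    return in_array($host, $allowed, true) ? $url : $fallback;
}

// Shortened form of the report's PoC: a google.com URL whose own redirector points elsewhere.
$poc  = 'http://google.com/url?sa=t&url=http%3A%2F%2Fwww.tetraph.com%2F';
$site = 'en.wordpress.com';

foreach (array('http://en.wordpress.com/', '/wp-admin/profile.php',
               '//www.tetraph.com/', 'javascript:void(0)', $poc) as $case) {
    printf("%-60s -> %s\n", $case, safe_redirect_target($case, $site));
}
// Allowlisting google.com reintroduces the chain: the host check passes and the
// redirector on that host does the rest. Keep third-party hosts off the list.
printf("%-60s -> %s\n", 'google.com allowlisted', safe_redirect_target($poc, $site, array('google.com')));
```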