[wp-trac] [WordPress Trac] #31233: HTTP Header CRLF Injection (HTTP Response Splitting) wp-login.php

WordPress Trac noreply at wordpress.org
Wed Feb 4 17:37:10 UTC 2015

#31233: HTTP Header CRLF Injection (HTTP Response Splitting) wp-login.php
 Reporter:  roadrashtx              |      Owner:
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  4.1
 Severity:  normal                  |   Keywords:
  Focuses:                          |
 Our security team did some scanning of our blogs and found the following:

 By using a carriage return-linefeed sequence, an attacker can add HTTP
 headers to the response and completely write the body of the HTTP request.

 '''Example''': http://wordpressdomain/wp-login.php?redirect_to=Content-

 '''Result''': in the source code you will see the %0D %0A (URL encoded
 <CR> and <LF>) is successfully injected.

 <input type="hidden" name="redirect_to" value="Content-Type:
 multipart/related; boundary=_AppScan

 " />

Ticket URL: <https://core.trac.wordpress.org/ticket/31233>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

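To make the mechanism in the report concrete from the defending side, here is an added Python example (not from the ticket or from WordPress core): it builds the Location header the defect pattern would emit from the ticket's probe, shows the sanitized counterpart, and runs a CR/LF detection check over constructed access-log lines. The probe's tail after "Content-" and the sanitizer's allowlist are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed probe: the ticket's URL is cut off after "Content-", so the tail here,
# with the URL-encoded CR/LF (%0D%0A) the scanner used, is assumed.
PROBE = "http://wordpressdomain/wp-admin/%0D%0AContent-Type:%20multipart/related;%20boundary=_AppScan"

def header_lines(location: str) -> list:
    """Show what a client sees when `location` is written into a Location header:
    each CRLF in the value becomes a new header line."""
    raw = "Location: " + location + "\r\n"
    return raw.split("\r\n")[:-1]

def unsafe_redirect(redirect_to: str) -> list:
    """Defect pattern: the decoded parameter goes straight into the header."""
    return header_lines(unquote(redirect_to))

def sanitize_redirect(redirect_to: str) -> str:
    """Decode, then drop every character outside a URL allowlist so CR, LF and other
    control characters never reach a header. The allowlist is assumed, modelled on the
    approach of WordPress's wp_sanitize_redirect(), not copied from it."""
    return re.sub(r"[^A-Za-z0-9\-~+_.?#=&;,/:%!*@\[\]()]", "", unquote(redirect_to))

def safe_redirect(redirect_to: str) -> list:
    """Hardened form: the same header built from the sanitized value."""
    return header_lines(sanitize_redirect(redirect_to))

# Raw or percent-encoded CR/LF anywhere in a query string.
CRLF_RE = re.compile(r"%0[dD]|%0[aA]|[\r\n]")

def flags_crlf(log_line: str) -> bool:
    """Detection check over an access-log line: True when the request's query string
    carries a CR/LF probe such as the one in this ticket."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    return bool(m) and bool(CRLF_RE.search(urlsplit(m.group(1)).query))

# Constructed access-log lines (not from the ticket); only the first carries the probe.
LOG_LINES = [
    f'198.51.100.7 - - [04/Feb/2015:17:30:00 +0000] "GET /wp-login.php?redirect_to={PROBE} HTTP/1.1" 200 3120',
    '198.51.100.8 - - [04/Feb/2015:17:31:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3120',
]

if __name__ == "__main__":
    print("unsafe  ->", unsafe_redirect(PROBE))   # two header lines: the response is split
    print("safe    ->", safe_redirect(PROBE))     # a single Location line
    print("flagged ->", [flags_crlf(line) for line in LOG_LINES])
```

The sanitizer mangles a hostile value rather than rejecting it, so in practice it is paired with a validation step that checks the cleaned target against an allowed-host list before redirecting.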