[wp-trac] [WordPress Trac] #60333: Host Header Injection Vulnerability in /wp-content Folder
WordPress Trac
noreply at wordpress.org
Wed Jan 24 06:04:00 UTC 2024
#60333: Host Header Injection Vulnerability in /wp-content Folder
--------------------------+-----------------------------
 Reporter:  manishn       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  6.4
 Severity:  critical      |    Keywords:
  Focuses:                |
--------------------------+-----------------------------
Hi,
A security issue has been identified during recent testing on my WordPress
website.
**Issue Description:**
A Host Header Injection vulnerability has been detected in the '/wp-content'
folder. During testing with the Burp Suite tool, an attempt to request
data from '/wp-content' (without a trailing slash) was made, and the
response received was a '301 redirect'. Ideally, the response should be a
'403 Forbidden' or '404 Not Found'.
**Testing Scenario:**
1. The tester utilized the Burp Suite tool.
2. A request for data from '/wp-content' (without trailing slash) was
made.
3. The Host name was changed (e.g., www.example.com).
4. The response received was a '301 redirect', which is not the expected
behavior.
Can anyone help me to get rid of this issue?
Thanks
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60333>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
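The behaviour the reporter describes (a directory-slash 301 whose Location is built from whatever Host the client sent) can be modelled and checked offline. The following is an added example, not code from the ticket or from WordPress core; the canonical hostname `example.org` and both handler functions are constructed for illustration, and the hardened variant shows the usual mitigation of building the redirect from a configured hostname and refusing unknown hosts.

```python
"""Added example (not from the ticket or WordPress): model the '/dir' -> '/dir/'
redirect from the report and check whether the 301 Location reflects the
client-supplied Host header or a fixed canonical host."""
from urllib.parse import urlsplit

# Assumption: the site's configured hostname (constructed value).
CANONICAL_HOST = "example.org"


def slash_redirect_vulnerable(host_header: str, path: str) -> tuple[int, dict]:
    """Mimics a server that redirects '/dir' to '/dir/' using the request Host.
    Whatever Host the client sends ends up in the Location header."""
    if not path.endswith("/"):
        return 301, {"Location": f"https://{host_header}{path}/"}
    return 403, {}


def slash_redirect_hardened(host_header: str, path: str) -> tuple[int, dict]:
    """Same redirect, but Location is built from the configured canonical host,
    and requests carrying an unexpected Host are refused outright."""
    if host_header.split(":")[0].lower() != CANONICAL_HOST:
        return 400, {}
    if not path.endswith("/"):
        return 301, {"Location": f"https://{CANONICAL_HOST}{path}/"}
    return 403, {}


def reflects_host(status: int, headers: dict, sent_host: str) -> bool:
    """Detection check: does a 3xx Location point at the Host value we sent?"""
    if not 300 <= status < 400 or "Location" not in headers:
        return False
    loc_host = urlsplit(headers["Location"]).hostname or ""
    return loc_host.lower() == sent_host.split(":")[0].lower()


def audit(handler, sent_host: str = "www.example.com",
          path: str = "/wp-content") -> bool:
    """Replays the ticket's scenario against a handler: altered Host,
    '/wp-content' without trailing slash. True means the redirect is
    controlled by the Host header."""
    status, headers = handler(sent_host, path)
    return reflects_host(status, headers, sent_host)


if __name__ == "__main__":
    print("vulnerable reflects Host:", audit(slash_redirect_vulnerable))
    print("hardened reflects Host:  ", audit(slash_redirect_hardened))
```

The same `reflects_host` check can be run against a live response captured from the site once the Location header and the Host value that was sent are known.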