WordPress Cross Domain Redirect
Adrian Pastor sent us the following advisory, titled "WordPress Cross Domain Redirect". The vulnerability has been around for some time, but Adrian's advisory really demonstrates how this feature can be used maliciously.
== Description ==
The login redirect feature of WordPress can be abused for phishing purposes.
The parameter 'redirect_to' usually contains the relative URL to which the user is redirected AFTER logging in successfully, e.g.:
/wordpress/wp-admin/index.php
However, this parameter also accepts absolute URLs that point to a domain different from the one where the legitimate WordPress login page is hosted, e.g.:
http://legitimate.com/wordpress/wp-login.php?redirect_to=http://evil.com
or
http://legitimate.com/wordpress/wp-login.php?redirect_to=http://%65%76%69%6c%2e%63%6f%6d
(the evil domain name is hex-encoded for obfuscation purposes)
where 'http://evil.com' would be a malicious site hosting a spoof WordPress login page.
Attack scenario:
1. Attacker launches a phishing attack against the victim using the
following URL:
http://legitimate.com/wordpress/wp-login.php?redirect_to=http://%65%76%69%6c%2e%63%6f%6d
2. Victim logs in successfully
3. Victim is redirected to evil.com, where there is a spoof WordPress login page that looks like the original. This login page returns an authentication error message like the following:
"ERROR: Invalid username."
4. Victim thinks he/she entered the wrong username and re-enters the username and password
5. Credentials are now logged by the attacker
== Version tested ==
Wordpress 2.2.1
== Credits ==
== Solution ==
Restrict redirects to relative URLs *only*, so that cross-domain redirects are *not* possible.
The vendor is working on a way to resolve the issue without breaking functionality that sometimes depends on cross-domain redirects.
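The check below is an added illustration of the solution the advisory proposes (allow only relative targets, optionally an allow-listed host), written in Python rather than WordPress's PHP; it is not WordPress code. It covers the tricks the description mentions, in particular the hex-encoded host from the example URL, plus the protocol-relative and backslash variants that browsers still resolve to another origin, and it also scans constructed access-log lines so a defender can spot this redirect pattern in traffic. The allow-list host and the log lines are assumptions made up for the example.

```python
from urllib.parse import urlsplit, unquote, parse_qs

# Hypothetical allow-list: the advisory uses legitimate.com as a stand-in host.
ALLOWED_HOSTS = {"legitimate.com"}


def normalize(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so hex-obfuscated or double-encoded
    targets are classified by what the browser will actually see."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    # Browsers treat backslashes as forward slashes, so '/\evil.com' is '//evil.com'.
    return cur.strip().replace("\\", "/")


def classify_redirect(raw: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return 'relative', 'same-host', 'cross-domain' or 'malformed'."""
    target = normalize(raw)
    try:
        parts = urlsplit(target)
    except ValueError:
        return "malformed"
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) to an allow-listed host
        # is acceptable. hostname is taken from netloc, so 'legit@evil.com' fails.
        host = (parts.hostname or "").lower()
        if host in allowed_hosts and parts.scheme in ("", "http", "https"):
            return "same-host"
        return "cross-domain"
    # No scheme and no authority: require a single leading slash ('//' was caught above).
    if target.startswith("/") and not target.startswith("//"):
        return "relative"
    return "malformed"


def is_safe_redirect(raw: str) -> bool:
    """Decision the login handler would make before issuing the redirect."""
    return classify_redirect(raw) in ("relative", "same-host")


# Constructed Apache-style access-log lines for the detection side.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2007:12:00:01 +0000] "GET /wordpress/wp-login.php?redirect_to=%2Fwordpress%2Fwp-admin%2Findex.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Jul/2007:12:00:02 +0000] "GET /wordpress/wp-login.php?redirect_to=http://%65%76%69%6c%2e%63%6f%6d HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Jul/2007:12:00:03 +0000] "GET /wordpress/wp-login.php?redirect_to=//evil.com/login HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Jul/2007:12:00:04 +0000] "GET /wordpress/index.php HTTP/1.1" 200 1234',
]


def flag_redirects(log_lines):
    """Return (redirect_to value, verdict) for wp-login.php requests whose
    redirect target is neither relative nor on an allow-listed host."""
    findings = []
    for line in log_lines:
        try:
            request_path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a well-formed request line
        if "wp-login.php" not in request_path:
            continue
        # parse_qs already percent-decodes once; classify_redirect decodes further.
        for target in parse_qs(urlsplit(request_path).query).get("redirect_to", []):
            verdict = classify_redirect(target)
            if verdict in ("cross-domain", "malformed"):
                findings.append((target, verdict))
    return findings


if __name__ == "__main__":
    for candidate in ["/wordpress/wp-admin/index.php", "http://%65%76%69%6c%2e%63%6f%6d", "//evil.com"]:
        print(candidate, "->", classify_redirect(candidate))
    print(flag_redirects(SAMPLE_LOG))
```

The allow-list branch is what lets a site keep the legitimate cross-host uses the vendor is worried about (an explicit set of trusted hosts) while still rejecting arbitrary domains; without that branch, dropping the `same-host` case gives the strict relative-only rule the advisory recommends.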
Comments
Thanks Dave!
Another example would be to redirect the victim to a website that exploits the latest vulnerabilities on IE/FF in order to install malware.
I personally think that cross-domain redirects can be very handy for attackers, especially when the domain that has the redirect feature belongs to a trusted brand name.
Sadly, fixing this kind of hole would also likely hinder other legitimate uses. For example, the OpenID project depends largely on cross-domain redirection.
Adrian, I think this is a nice proof of concept advisory for most redirect vulnerabilities, nicely done.