Filed Under (News, WordPress) by DK on 11 July 2007

Adrian Pastor sent us the following advisory titled, "WordPress Cross Domain Redirect". The vulnerability has been around for some time; however, Adrian really demonstrates just how this feature can be used in a malicious way.

== Description ==

The login redirect feature of Wordpress can be abused for phishing
purposes.

The parameter ‘redirect_to’ usually contains the relative URL to where
the user is redirected AFTER logging in successfully.

i.e.: /wordpress/wp-admin/index.php

However, this parameter also allows absolute URLs that point to a domain
different from the one where the legitimate Wordpress login page is hosted.

i.e.: http://legitimate.com/wordpress/wp-login.php?redirect_to=http://evil.com

or

http://legitimate.com/wordpress/wp-login.php?redirect_to=http://%65%76%69%6c%2e%63%6f%6d

(evil domain name is hex-encoded for obfuscation purposes)

where ‘http://evil.com’ would be a malicious site hosting a spoof
Wordpress login page.

Attack scenario:

1. Attacker launches a phishing attack against the victim using the
following URL:

http://legitimate.com/wordpress/wp-login.php?redirect_to=http://%65%76%69%6c%2e%63%6f%6d

2. Victim logs in successfully

3. Victim is redirected to evil.com where there is a spoof Wordpress
login page that looks like the original. Such login page returns an
authentication error message like the following:

“ERROR: Invalid username.”

4. Victim thinks he/she entered the wrong username and re-enters
username and password again

5. Credentials are now logged by the attacker

== Version tested ==

Wordpress 2.2.1

== Credits ==

Adrian Pastor

== Solution ==

Restrict redirects to relative URLs *only* so that cross-domain
redirects are *not* possible.

The vendor is working on a way to resolve the issue without breaking
functionalities that sometimes depend on cross-domain redirects.
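One way to implement the "relative URLs only" rule from the Solution section, as an added example that is not part of the advisory or of WordPress itself (WordPress is PHP; this is a Python sketch of the same check). The host name `legitimate.com` and the function names are assumed for illustration; it also accepts absolute URLs on the site's own host, a small extension of the advisory's rule that still rules out cross-domain redirects.

```python
from urllib.parse import parse_qs, urlsplit

# Host serving the legitimate login page (assumed value, not from the advisory).
LEGIT_HOST = "legitimate.com"


def redirect_target_from_query(query: str) -> str:
    """Return redirect_to as the server sees it, i.e. already percent-decoded.

    This is why the hex-encoded form in the advisory hides nothing from the
    server: parse_qs() turns %65%76%69%6c%2e%63%6f%6d into 'evil.com' before
    any validation runs, so the check must operate on the decoded value.
    """
    return parse_qs(query, keep_blank_values=True).get("redirect_to", [""])[0]


def is_safe_redirect(target: str, legit_host: str = LEGIT_HOST) -> bool:
    """Accept only targets that stay on the site, per the advisory's Solution.

    Rejects absolute URLs on other hosts, protocol-relative '//host' forms
    (including '///host', which browsers collapse to '//host'), backslash
    variants some browsers treat as '/', non-http schemes, and whitespace or
    control characters that could split the Location header.
    """
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    normalised = target.replace("\\", "/")
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: same host only (a small extension of 'relative only').
        return parts.scheme in ("http", "https") and parts.hostname == legit_host
    if parts.netloc:
        return False
    # No scheme, no host: must be a site-rooted path.
    return normalised.startswith("/")


def safe_redirect_target(query: str, fallback: str = "/wordpress/wp-admin/index.php") -> str:
    """Where the login handler sends the user after a successful login."""
    target = redirect_target_from_query(query)
    return target if is_safe_redirect(target) else fallback
```

With this check in place, both URLs from the attack scenario fall back to the dashboard path instead of leaving the site.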

Comments

David Kierznowski on 12 July, 2007 at 3:40 am #

Adrian, I think this is a nice proof of concept advisory for most redirect vulnerabilities, nicely done.




Adrian Pastor on 12 July, 2007 at 7:30 am #

Thanks Dave!

Another example would be to redirect the victim to a website that exploits the latest vulnerabilities on IE/FF in order to install malware.

I personally think that cross-domain redirects can be very handy for attackers, especially when the domain that has the redirect feature belongs to a trusted brand name.




Abel Cheung on 18 July, 2007 at 12:00 pm #

Sadly fixing this kind of hole would also likely hinder other legitimate use. For example, OpenID project depends largely on cross-domain redirection.

