wppass-redirect.txt

`The vulnerability found could allow an attacker to redirect victims to  
an arbitrary 3rd party site. This site could be a phishing site or  
contain malware allowing the attacker to steal account credentials or  
compromise hosts. This vulnerability can be found in Wordpress 2.2,  
however it is likely that it exists in previous versions as well.  
  
Additional vulnerabilities may exist in the following areas due to the  
use of the problematic code:  
  
wp-includes/pluggable.php (lines 282 to 292)  
wp-includes/functions.php, wp_nonce_ays function (lines 1287 to 1313)  
  
  
Description:  
  
The wp-pass.php page can be used to redirect users to arbitrary third  
party sites. An attacker may use this vulnerability to redirect users to  
a phishing or malware site.  
  
  
Relevant Code:  
  
wp-pass.php (line 10)  
  
wp_redirect(wp_get_referer());  
  
  
wp-includes/functions.php (line 1040 to 1045)  
  
function wp_get_referer() {  
foreach ( array($_REQUEST['_wp_http_referer'],  
$_SERVER['HTTP_REFERER']) as $ref )  
if ( !empty($ref) )  
return $ref;  
return false;  
}  
  
  
Exploit:  
  
http://<WordpressSiteAddressHere>/wp-pass.php?_wp_http_referer=http://ww  
w.EvilPhishingOrMalwareSite.com  
  
Since the function uses the $_REQUEST variable, this attack could also  
be executed using a cookie or post parameter named "_wp_http_referer"  
  
If this were a real attack, A link would be sent to users in an E-mail,  
IM, or other delivery message to trick users into visiting the link.  
  
  
Versions Affected:  
  
This vulnerability is likely present in several previous versions of  
Wordpress, however it was tested and verified in version 2.2.1  
  
  
Vendor Response:  
  
The Wordpress team is currently working on addressing this issue and  
others in the 2.2.2 release of its blogging software.  
  
  
Disclosure Timeline:  
  
2007-06-21 Discovery by Nick Coblentz of Security PS  
(http://www.securityps.com)  
2007-06-22 Vendor notification  
2007-07-02 2nd Vendor notification  
2007-07-05 Vendor response  
  
  
Remediation:  
  
Wordpress 2.2.2 will address this issue as well as others.   
  
  
Credit:  
  
This vulnerability was discovered by Nicholas Coblentz, a security  
consultant a Security PS (http://www.securityps.com).The vulnerability  
found could allow an attacker to redirect victims to an arbitrary 3rd  
party site. This site could be a phishing site or contain malware  
allowing the attacker to steal account credentials or compromise hosts.  
This vulnerability can be found in Wordpress 2.2, however it is likely  
that it exists in previous versions as well.  
  
Additional vulnerabilities may exist in the following areas due to the  
use of the problematic code:  
  
wp-includes/pluggable.php (lines 282 to 292)  
wp-includes/functions.php, wp_nonce_ays function (lines 1287 to 1313)  
  
  
Description:  
  
The wp-pass.php page can be used to redirect users to arbitrary third  
party sites. An attacker may use this vulnerability to redirect users to  
a phishing or malware site.  
  
  
Relevant Code:  
  
wp-pass.php (line 10)  
  
wp_redirect(wp_get_referer());  
  
  
wp-includes/functions.php (line 1040 to 1045)  
  
function wp_get_referer() {  
foreach ( array($_REQUEST['_wp_http_referer'],  
$_SERVER['HTTP_REFERER']) as $ref )  
if ( !empty($ref) )  
return $ref;  
return false;  
}  
  
  
Exploit:  
  
http://<WordpressSiteAddressHere>/wp-pass.php?_wp_http_referer=http://ww  
w.EvilPhishingOrMalwareSite.com  
  
Since the function uses the $_REQUEST variable, this attack could also  
be executed using a cookie or post parameter named "_wp_http_referer"  
  
If this were a real attack, A link would be sent to users in an E-mail,  
IM, or other delivery message to trick users into visiting the link.  
  
  
Versions Affected:  
  
This vulnerability is likely present in several previous versions of  
Wordpress, however it was tested and verified in version 2.2.1  
  
  
Vendor Response:  
  
The Wordpress team is currently working on addressing this issue and  
others in the 2.2.2 release of its blogging software.  
  
  
Disclosure Timeline:  
  
2007-06-21 Discovery by Nick Coblentz of Security PS  
(http://www.securityps.com)  
2007-06-22 Vendor notification  
2007-07-02 2nd Vendor notification  
2007-07-05 Vendor response  
  
  
Remediation:  
  
Wordpress 2.2.2 will address this issue as well as others.   
  
  
Credit:  
  
This vulnerability was discovered by Nicholas Coblentz, a security  
consultant a Security PS (http://www.securityps.com).  
`