Advisory - Redirection Vulnerability in wp-login.php.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Advisory - Redirection Vulnerability in wp-login.php.
From: Metaeye SG <contact@xxxxxxxxxxx>
Date: Tue, 20 Mar 2007 20:31:03 +0530
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Metaeye SG
Reply-to: contact@xxxxxxxxxxx
User-agent: Mail/News 1.5.0.9 (X11/20070124)

Vendor
------
Wordpress (http://www.wordpress.org).

Severity
--------
Moderate.

Dated
-----
03 March 2007.

Versions Affected
-----------------
All.

Issue
-----

The wp-login.php page redirects a user to arbitrary page after
successful login by setting the redirect_to url parameter.

For example if a user logins successfully with his credentials
on the following page

http://www.foo.com/wp-login.php?redirect_to=http://www.google.co.in

He will be redirected to www.google.co.in.

Impact
------

This can lead to credentials stealing. Also cookie stealing
is possible coupled with some browser bugs.

Vendor Status
-------------
Reported on 03 March 2007. Fix will be made available in next version.

--
MSG // http://www.metaeye.org

Prev by Date: Re: WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include
Next by Date: w-agora [multiples file upload,xss,full path disclosure,error sql]
Previous by thread: Web Wiz Forums 8.05 (MySQL version) SQL Injection
Next by thread: w-agora [multiples file upload,xss,full path disclosure,error sql]
Index(es):
- Date
- Thread