wp_redirect() Input Validation Bypass Vulnerability / Filter Bypass Vulnerability
Reported by: hakre
Owned by:
Component: Security
Keywords: has-patch security validation-bypass input dev-reviewed
While doing the analysis for #4606 it came to my attention that the input sanitization in wp_redirect() on header values containing %0a and %0d has a flaw. This is fixed by the attached patch. A proof of concept of how to bypass %0a and %0d is trivial if you take a look at the changes, so I did not publish it. The patch is, as always, against SVN, but this applies to 2.2.2 as well. I have not checked this with older versions; they might be affected as well.
The way wp_redirect() removes %0d and %0a from $location does not work properly.
It has to be checked for all char sequences iteratively instead of only once per entity.
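The point above, modelled as an added example (this is not the attached patch and not WordPress code; wp_redirect() is PHP, the model below is Python): a single replace pass per sequence can splice the characters around a removed %0a or %0d into a fresh copy of a sequence that nothing re-checks, while a pass that repeats until an entire round removes nothing reaches a fixed point with no such sequence left. The sample locations are constructed for illustration and are not from the ticket.

```python
"""Single-pass vs. iterative removal of %0d / %0a from a redirect location."""

# The two URL-encoded line-break sequences (CR and LF) that must not
# survive in a value emitted as a Location header.
STRIP = ("%0d", "%0a")


def strip_once(location: str) -> str:
    """Model of the flawed approach: exactly one replace pass per sequence.

    Removing one occurrence can leave the characters on either side of it
    forming a new %0d or %0a, and that new sequence is never looked at again.
    """
    for seq in STRIP:
        location = location.replace(seq, "")
    return location


def strip_deep(location: str) -> str:
    """Iterative removal: repeat full rounds until a round changes nothing.

    Every removal shortens the string, so the loop always terminates.
    """
    while True:
        before = location
        for seq in STRIP:
            while seq in location:
                location = location.replace(seq, "")
        if location == before:
            return location


def is_clean(location: str) -> bool:
    """True if no encoded CR/LF is left in the value."""
    return not any(seq in location for seq in STRIP)


# Constructed inputs (not from the ticket) to show the difference.
SAMPLES = [
    "http://example.com/",
    "http://example.com/?a=1%0d%0ab",   # plain case: single pass suffices
    "http://example.com/%0%0ad",        # removing %0a leaves %0d behind
    "http://example.com/%0%0%0aad",     # needs two rounds of removal
]

if __name__ == "__main__":
    for s in SAMPLES:
        once = strip_once(s)
        print(f"{s!r:38} once={once!r:30} clean={is_clean(once)!s:5} "
              f"deep={strip_deep(s)!r}")
```

Running the block shows `strip_once` returning a value that still contains `%0d` for the third sample and one still containing `%0a` for the fourth, while `strip_deep` returns a clean value for all of them; `is_clean` after `strip_deep` is the check worth keeping as a regression test.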