#4819 closed defect (bug) (fixed)
wp_redirect() Input Validation Bypass Vulnerability / Filter Bypass Vulnerability
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.0.12 | Priority: | normal |
| Severity: | normal | Version: | 2.2.2 |
| Component: | Security | Keywords: | has-patch security validation-bypass input dev-reviewed |
| Focuses: | | Cc: | |
Description
While doing the analysis for #4606, it came to my attention that the input sanitization in wp_redirect() on header values containing %0a and %0d has a flaw. This is fixed by the attached patch. A proof of concept for how to bypass the %0a and %0d filtering is trivial if you look at the changes, so I did not publish it. The patch is, as always, against SVN, but it applies to 2.2.2 as well. I have not checked this with older versions; they might be affected as well.
Problem
The way wp_redirect() removes %0d and %0a from $location does not work properly.
Solution
It has to be checked for all character sequences iteratively instead of only once per entity.
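The following PHP is an added illustration of the problem and solution described above; it is not the attached patch or WordPress's own wp_redirect() code. It contrasts a single-pass removal of `%0d`/`%0a` with an iterative one that repeats until the value stops changing, and adds a final reject check (`is_header_safe()`, a name chosen here) that a defender would want before any value reaches `header('Location: ...')`. The sample URLs are constructed for this example.

```php
<?php
// Added example, not WordPress's own wp_redirect() code.
// Shows why removing "%0d"/"%0a" once per entity is insufficient and how an
// iterative strip (plus a final reject check) closes the gap.

/**
 * Single-pass removal: each sequence is removed exactly once.
 * An occurrence that is re-formed by an earlier removal survives.
 */
function strip_crlf_once(string $location): string {
    return str_replace(array('%0d', '%0a'), '', $location);
}

/**
 * Iterative removal, as the ticket's solution describes: repeat the strip
 * until the string stops changing, so a sequence re-formed by a previous
 * pass is removed as well. Raw CR/LF bytes are stripped alongside the
 * percent-encoded forms; matching is case-insensitive ("%0D" == "%0d").
 */
function strip_crlf_iterative(string $location): string {
    do {
        $before   = $location;
        $location = str_ireplace(array('%0d', '%0a', "\r", "\n"), '', $location);
    } while ($location !== $before);
    return $location;
}

/**
 * Reject check (stronger than stripping): decode once so percent-encoded
 * CR/LF and raw CR/LF bytes are compared in the same form, then refuse the
 * value if any line break remains. Returns true when $location may be sent.
 */
function is_header_safe(string $location): bool {
    $decoded = rawurldecode($location);
    return strpos($decoded, "\r") === false && strpos($decoded, "\n") === false;
}

// Constructed inputs (not from the ticket):
$cases = array(
    'plain'  => 'http://example.com/?next=%0d%0aX-Injected:1',
    // overlapping sequences: one pass re-forms "%0d%0a" after the inner removal
    'nested' => 'http://example.com/?next=%0%0dd%0%0aaX-Injected:1',
);

foreach ($cases as $name => $c) {
    $once = strip_crlf_once($c);
    $iter = strip_crlf_iterative($c);
    printf("%-6s once: %s  safe=%s\n", $name, $once, is_header_safe($once) ? 'yes' : 'NO');
    printf("%-6s iter: %s  safe=%s\n", $name, $iter, is_header_safe($iter) ? 'yes' : 'NO');
}
```

For the `nested` case the single-pass version leaves a value that `is_header_safe()` still rejects, while the iterative version converges to a value with no line break in any form. In practice the reject check is the one to rely on: stripping changes the meaning of the URL silently, whereas refusing a value that decodes to a CR or LF makes the bad input visible in logs and never lets it reach the response header.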
Attachments (1)
Change History (9)
fix