Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4819 closed defect (bug) (fixed)

wp_redirect() Input Validation Bypass Vulnerability / Filter Bypass Vulnerability

Reported by: hakre
Owned by:
Milestone: 2.0.12
Priority: normal
Severity: normal
Version: 2.2.2
Component: Security
Keywords: has-patch security validation-bypass input dev-reviewed
Focuses:
Cc:

Description

While doing the analysis for #4606 it came to my attention that the input sanitization in wp_redirect() on header values containing %0a and %0d has a flaw. This is fixed by the attached patch. A proof of concept of how to bypass %0a and %0d is trivial if you take a look at the changes, so I did not publish it. The patch is, as always, against SVN, but this applies to 2.2.2 as well. I have not checked this with older versions; they might be affected as well.

Problem

The way wp_redirect() removes %0d and %0a from $location does not work properly.

Solution

It has to be checked for all char-sequences iteratively instead of only one time per entity.
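The single-pass versus iterative removal described above, as an added example (not the ticket's patch or WordPress code; Python is used to show the logic independently of PHP, and case-insensitive matching is an assumption of this example):

```python
import re

# Encoded CR and LF, the sequences wp_redirect() strips from $location.
STRIP_TOKENS = ("%0d", "%0a")


def _remove_all(location: str, token: str) -> str:
    # Case-insensitive removal is an assumption of this example, not the ticket's patch.
    return re.sub(re.escape(token), "", location, flags=re.IGNORECASE)


def strip_single_pass(location: str) -> str:
    """One removal per token: the flawed behaviour the ticket reports.

    Removing one token can splice the remaining characters into a new
    occurrence of a token handled earlier in the pass, which is never revisited.
    """
    for token in STRIP_TOKENS:
        location = _remove_all(location, token)
    return location


def strip_iterative(location: str) -> str:
    """Repeat full passes until a pass removes nothing, so re-formed tokens are caught."""
    while True:
        before = location
        for token in STRIP_TOKENS:
            location = _remove_all(location, token)
        if location == before:
            return location


def contains_encoded_crlf(location: str) -> bool:
    """Check to run on the sanitizer's output: is an encoded CR or LF still present?"""
    lowered = location.lower()
    return any(token in lowered for token in STRIP_TOKENS)


if __name__ == "__main__":
    # Constructed input: the nested value from comment 3, wrapped in a URL.
    nested = "http://example.com/?next=%0%0%0ada"
    once = strip_single_pass(nested)
    full = strip_iterative(nested)
    print("single pass :", once, "| still encodes CRLF:", contains_encoded_crlf(once))
    print("iterative   :", full, "| still encodes CRLF:", contains_encoded_crlf(full))
```

The single pass leaves `%0%0da`, which still contains `%0d`; the iterative version reduces the same input to nothing.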

Attachments (1)

4819.patch (731 bytes) - added by hakre 7 years ago.
fix


Change History (9)

hakre, 7 years ago

fix

comment:1 hakre, 7 years ago

  • Component changed from General to Security

comment:2 hakre, 7 years ago

  • Keywords has-patch security validation-bypass input added

comment:3 markjaquith, 7 years ago

  • Keywords dev-reviewed added

Looks good to me. I tested with nested values like %0%0%0ada and it recursively killed them all.

+1

comment:4 foolswisdom, 7 years ago

  • Milestone changed from 2.2.3 to 2.3

comment:5 markjaquith, 7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5990]) Better %0d/%0a sanitization for wp_redirect() from hakre. fixes #4819 for trunk

comment:6 markjaquith, 7 years ago

(In [5991]) Better %0d/%0a sanitization for wp_redirect() from hakre. fixes #4819 for 2.2.3

comment:7 markjaquith, 7 years ago

(In [5992]) Better %0d/%0a sanitization for wp_redirect() from hakre. fixes #4819 for 2.0.12

comment:8 markjaquith, 7 years ago

  • Milestone changed from 2.3 to 2.0.12