Make WordPress Core

#60333 closed defect (bug) (invalid)

Host Header Injection Vulnerability in /wp-content Folder

Reported by: manishn
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.4
Component: General
Keywords:
Focuses:
Cc:

Description

Hi,

A security issue has been identified during recent testing on my WordPress website.

Issue Description:

Host Header Injection vulnerability has been detected in the '/wp-content' folder. During testing with the Burp Suite tool, an attempt to request data from '/wp-content' (without a trailing slash) was made, and the response received was a '301 redirect'. Ideally, the response should be a '403 Forbidden' or '404 Not Found'.

Testing Scenario:

  1. The tester utilized the Burp Suite tool.
  2. A request for data from '/wp-content' (without trailing slash) was made.
  3. The Host name was changed (e.g., www.example.com).
  4. The response received was a '301 redirect', which is not the expected behavior.

Can anyone help me to get rid of this issue?

Thanks

Attachments (1)

host-header-injection.png (204.8 KB) - added by manishn 14 months ago.


Change History (5)

#1 @roytanck
14 months ago

Hi @manishn. Thank you for creating this ticket. Please be aware that security vulnerabilities should not be reported on Trac. See https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ .

That being said, I'm not sure this is actually a security issue. In most server setups, there is a site that is the default. It handles all requests except the ones that have a HOST header that corresponds to a known other virtual host on the server.

My guess is that your request is sent to this default site. This would explain why no 404 occurs. For the path /wp-content, the 301 then occurs because WP redirects folders without a trailing slash to the "slashed" version. In this case, that is /wp-content/, which contains an empty index.html file.

#2 @manishn
14 months ago

  • Component changed from Security to General

Hi @roytanck, Thanks for your reply. I know this might not be a security issue, but is there any possibility we can fix this with the .htaccess file if we don't have access to the server?

Thanks

#3 @roytanck
14 months ago

If you have access to the vhost configuration files on the server, you may be able to set things up as described here: https://stackoverflow.com/a/73697872 .

To me, it looks like things work as intended, and I would simply leave it as is.

#4 @peterwilsoncc
14 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

@manishn Hello and welcome to Trac.

The redirect you are seeing is generated by Apache rather than WordPress. Apache generates a 301 redirect when a directory is requested without a trailing slash.

The Apache configuration will determine the domain to redirect to and WordPress has no control over this. WordPress is unable to make assumptions about requests to directories as it would break sites that include both WordPress and static files.

I've closed this ticket as invalid; in this case that's because there is nothing WordPress can do to manage server configurations. I suggest you contact your hosting company if you are seeing unexpected redirects.
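An added example of the server-side arrangement discussed in comments #3 and #4 (not part of this ticket, nor WordPress or Apache project code): an Apache configuration in which a catch-all default virtual host refuses any request whose Host header matches no configured site, and the WordPress site builds its trailing-slash redirect from its own ServerName rather than from the client-supplied Host. The hostnames and filesystem paths are assumed placeholders.

```apache
# Added example, not from the ticket. Hostnames and paths are placeholders.

# 1. Catch-all default vhost. Apache routes a request whose Host header
#    matches no vhost's ServerName/ServerAlias to the FIRST vhost listed for
#    that address and port. Listing this one first, with no content and with
#    access denied, turns an unexpected Host header into a 403 instead of
#    letting the WordPress site answer it (and emit the directory 301).
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "/var/www/empty"
    <Location "/">
        Require all denied
    </Location>
    # The default site should never emit a Location header at all, so also
    # switch off mod_dir's "/wp-content" -> "/wp-content/" redirect here.
    DirectorySlash Off
</VirtualHost>

# 2. The WordPress site, reached only when Host matches one of these names.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/wordpress"

    # Build self-referential URLs, including the trailing-slash 301 that
    # mod_dir issues for a directory request, from ServerName rather than
    # from whatever Host header the client sent.
    UseCanonicalName On

    <Directory "/var/www/wordpress">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, a request for /wp-content with an unknown Host header should return 403 from the first block, while a request with a matching Host still receives the normal 301 to /wp-content/ whose Location is based on www.example.com.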
