Ticket #4819 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

wp_redirect() Input Validation Bypass Vulnerability / Filter Bypass Vulnerability

Reported by: hakre Assigned to: anonymous
Priority: normal Milestone: 2.0.12
Component: Security Version: 2.2.2
Severity: normal Keywords: has-patch security validation-bypass input dev-reviewed
Cc: has-patch security validation-bypass input

Description

While doing the analysis for #4606 it came to my attention that the input sanitization in wp_redirect() on header values containing %0a and %0d has a flaw. This is fixed by the attached patch. A proof of concept of how to bypass %0a and %0d is trivial if you take a look at the changes, so I did not publish it. The patch is, as always, against SVN, but this applies to 2.2.2 as well. I have not checked this with older versions; they might be affected as well.

Problem

The way wp_redirect() removes %0d and %0a from $location does not work properly.

Solution

It has to be checked for all char-sequences iteratively instead of only one time per entity.

Attachments

4819.patch (0.7 kB) - added by hakre on 08/26/07 13:08:58.
fix

Change History

08/26/07 13:08:58 changed by hakre

  • attachment 4819.patch added.

fix

08/26/07 13:11:18 changed by hakre

  • component changed from General to Security.

08/26/07 13:11:48 changed by hakre

  • keywords set to has-patch security validation-bypass input.

08/28/07 19:53:08 changed by markjaquith

  • keywords changed from has-patch security validation-bypass input to has-patch security validation-bypass input dev-reviewed.

Looks good to me. I tested with nested values like %0%0%0ada and it recursively killed them all.

+1
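The following is an added example, not the ticket's patch and not WordPress code. It puts the single-pass removal described under "Problem" next to the iterative, rescan-until-nothing-changes removal described under "Solution", and runs markjaquith's nested test value through both. It is written in Python rather than PHP so it runs stand-alone; Python's `str.replace` has the same single-pass, left-to-right, non-rescanning behaviour as PHP's `str_replace`, and applying the tokens one after another in a fixed order mirrors passing them as an array. The function names, the `/wp-admin/` sample paths and the `X-Injected` header name are constructed for the example.

```python
"""Single-pass vs. fixed-point stripping of %0d / %0a from a redirect
location (added example for ticket #4819; not the ticket's patch)."""

# Tokens that must never survive into a Location header, because a
# decoded CR/LF would let the caller terminate the header line.
STRIP = ("%0d", "%0a")

# Constructed sample inputs. "nested" is the value markjaquith tested in
# the ticket; the others are assumed shapes for comparison.
SAMPLES = {
    "plain": "/wp-admin/?page=1",
    "direct": "/wp-admin/%0d%0aX-Injected:1",
    "nested": "/wp-admin/%0%0%0ada",
}


def strip_single_pass(location: str) -> str:
    """The flawed approach: one replace per token, in a fixed order.

    Each replace removes every occurrence it finds in a single sweep and
    never looks at the result again. Removing "%0a" from "%0%0ada" leaves
    "%0da", which contains a "%0d" that was checked for earlier and is
    therefore never removed.
    """
    for token in STRIP:
        location = location.replace(token, "")
    return location


def strip_until_fixed_point(location: str) -> str:
    """The iterative approach: repeat full rounds over all tokens until a
    round removes nothing.

    A removal can join the characters around it into a new token, so the
    inner loop drains one token completely and the outer loop re-runs all
    tokens until the string is stable.
    """
    found = True
    while found:
        found = False
        for token in STRIP:
            while token in location:
                found = True
                location = location.replace(token, "")
    return location


def still_contains_crlf_token(location: str) -> bool:
    """The check a unit test or output filter would apply to a sanitizer's
    result: does any forbidden token remain?"""
    return any(token in location for token in STRIP)


def compare(location: str) -> dict:
    """Run both sanitizers on one input and report whether each leaked."""
    single = strip_single_pass(location)
    fixed = strip_until_fixed_point(location)
    return {
        "input": location,
        "single_pass": single,
        "single_pass_leaks": still_contains_crlf_token(single),
        "fixed_point": fixed,
        "fixed_point_leaks": still_contains_crlf_token(fixed),
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        result = compare(value)
        print(f"{name:>7}: single_pass={result['single_pass']!r} "
              f"leaks={result['single_pass_leaks']}  "
              f"fixed_point={result['fixed_point']!r} "
              f"leaks={result['fixed_point_leaks']}")
```

For the nested value the single pass returns `/wp-admin/%0%0da`, which still carries a `%0d`, while the fixed-point loop returns `/wp-admin/`. The direct case is handled by both, which is why a test suite that only checks a plain `%0d%0a` would not have caught this; the regression test to keep is the nested one.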

08/29/07 17:57:31 changed by foolswisdom

  • milestone changed from 2.2.3 to 2.3.

08/30/07 17:46:10 changed by markjaquith

  • status changed from new to closed.
  • resolution set to fixed.

(In [5990]) Better %0d/%0a sanitization for wp_redirect() from hakre. fixes #4819 for trunk

08/30/07 17:46:59 changed by markjaquith

(In [5991]) Better %0d/%0a sanitization for wp_redirect() from hakre. fixes #4819 for 2.2.3

08/30/07 17:47:35 changed by markjaquith

(In [5992]) Better %0d/%0a sanitization for wp_redirect() from hakre. fixes #4819 for 2.0.12

08/30/07 17:48:05 changed by markjaquith

  • milestone changed from 2.3 to 2.0.12.