Tetraph's Blog
WordPress Website Login Page Covert Redirect Security Bugs Based on Google.com  

2014-05-05 11:12:55 | Category: Covert Redirect
(1) Domain:
wordpress.com
"Open source WordPress is the most popular online publishing platform, currently powering more than 20% of the web. We wanted to bring the WordPress experience to an even larger audience, so in 2005 we created WordPress.com. We’re a hosted version of the open source software. Here, you can start a blog or build a website in seconds without any technical knowledge. Overall, the WordPress.com network welcomes more than 409 million people viewing more than 15.5 billion pages each month. Our users publish about 41.7 million new posts and leave 60.5 million new comments each month." (https://wordpress.com/about/)
(2) Vulnerability Description:

The WordPress web application has a security flaw that an attacker can exploit through Covert Redirect attacks.



The vulnerability can be exploited without the user being logged in. Tests were performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on Ubuntu 14.04, and Apple Safari 6.1.6 on Mac OS X Lion 10.7.

 

The vulnerability occurs on the "wp-login.php" page through the "redirect_to" parameter, e.g.

http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.google.com [1]

 

When a user clicks URL [1] above, the WordPress login page appears. The user needs to enter his/her username and password. Once this is done, the user is redirected to a webpage belonging to WordPress.

 

However, it seems that "wp-login.php" on "wordpress.com" also accepts certain other domains as redirect targets, such as google.com.

 

As a result, a user could be redirected from "wp-login.php" to a URL on Google first and then from Google to a malicious site. To the user this looks like a redirect coming directly from WordPress.
(2.1) One webpage is used for the following tests. Its address is "https://redysnowfox.wordpress.com/"; suppose that this webpage is malicious.

 

Vulnerable URL:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com

 

POC:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q
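The defensive counterpart to the two URLs above, as an added example that is not WordPress's code nor the author's: a validator for a redirect_to parameter that keeps the target on the site's own hosts, plus a check for URLs nested inside the target's query string. The second check makes the page's point concrete: even if google.com were on an allowlist, the POC target carries a further URL in its url= parameter (decoded below to http://www.tetraph.com/), so allowing an intermediary that is itself a redirector is not safe. SITE_ORIGIN, ALLOWED_HOSTS, the function names and the attacker.example hosts in the comments are assumptions made for this illustration; the two URLs are the advisory's own.

```python
"""Added example (not WordPress's own code): validating a redirect_to parameter.

Assumptions: SITE_ORIGIN, ALLOWED_HOSTS and the function names are invented
for this illustration; VULNERABLE_URL and POC_URL are copied from the advisory.
"""
from urllib.parse import urlsplit, parse_qs

SITE_ORIGIN = "https://en.wordpress.com"   # assumed origin of the login page
ALLOWED_HOSTS = {"wordpress.com"}          # exact hosts allowed as targets
ALLOWED_SUFFIX = ".wordpress.com"          # plus any subdomain of the site


def host_allowed(host):
    """Exact match or subdomain match; 'evilwordpress.com' does not pass."""
    host = host.lower().rstrip(".")
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIX)


def validate_redirect(value, fallback=SITE_ORIGIN + "/"):
    """Return the redirect target if it stays on the site, else the fallback.

    `value` is the already-decoded redirect_to parameter, as a web framework
    hands it to the application.
    """
    # CR/LF and other control characters can split headers or confuse parsers.
    if any(ord(c) < 0x20 for c in value):
        return fallback
    # Browsers treat a backslash in the authority like a slash; normalise first
    # so "http:\\attacker.example" is parsed the way a browser would parse it.
    candidate = value.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback                      # javascript:, data:, ftp: ...
    if not parts.netloc:
        # A site-relative path is fine; "//host/..." is protocol-relative and
        # would leave the site, so exactly one leading slash is required.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return SITE_ORIGIN + candidate
        return fallback
    if "@" in parts.netloc:                  # http://wordpress.com@attacker.example
        return fallback
    if not host_allowed(parts.hostname or ""):
        return fallback
    return candidate


def nested_urls(url):
    """List absolute http(s) URLs carried inside a URL's own query string.

    A target that carries another URL in its parameters is often itself a
    redirector; that is what makes allowlisting such a host unsafe.
    """
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            p = urlsplit(v)
            if p.scheme.lower() in ("http", "https") and p.netloc:
                found.append(v)
    return found


def redirect_param(login_url):
    """Extract the decoded redirect_to value from a wp-login.php URL."""
    return parse_qs(urlsplit(login_url).query)["redirect_to"][0]


# The two URLs from the advisory above (copied, not constructed).
VULNERABLE_URL = "http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com"
POC_URL = ("http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl"
           "%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2"
           "%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F"
           "%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg"
           "%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q")

if __name__ == "__main__":
    for name, url in (("vulnerable", VULNERABLE_URL), ("poc", POC_URL)):
        target = redirect_param(url)
        print(name, "->", validate_redirect(target))
        print("   nested URLs in target:", nested_urls(target))
```

Run as a script, the first URL's target (http://en.wordpress.com) is returned unchanged, while the POC target falls back to the site origin and is reported as carrying http://www.tetraph.com/ in its query string. The suffix check compares against ".wordpress.com" with the leading dot so that look-alike hosts such as evilwordpress.com or en.wordpress.com.attacker.example are rejected, and protocol-relative, backslash and userinfo forms are handled before the host comparison because browsers resolve them differently from a naive string check.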

 


POC video:
https://www.youtube.com/watch?v=CxJ3jBAupsk



Blog Detail:
http://tetraph.blogspot.com/2014/05/wordpress-covert-redirect-vulnerability.html
(3) What is Covert Redirect? 

Covert Redirect is a class of security bugs disclosed in May 2014. It occurs when an application takes a parameter and redirects the user to the parameter's value without sufficient validation. It often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on, such as OAuth and OpenID. An attacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.
Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/