The vulnerability found could allow an attacker to redirect victims to an arbitrary 3rd party site. This site could be a phishing site or contain malware allowing the attacker to steal account credentials or compromise hosts. This vulnerability can be found in Wordpress 2.2, however it is likely that it exists in previous versions as well. Additional vulnerabilities may exist in the following areas due to the use of the problematic code: wp-includes/pluggable.php (lines 282 to 292) wp-includes/functions.php, wp_nonce_ays function (lines 1287 to 1313) Description: The wp-pass.php page can be used to redirect users to arbitrary third party sites. An attacker may use this vulnerability to redirect users to a phishing or malware site. Relevant Code: wp-pass.php (line 10) wp_redirect(wp_get_referer()); wp-includes/functions.php (line 1040 to 1045) function wp_get_referer() { foreach ( array($_REQUEST['_wp_http_referer'], $_SERVER['HTTP_REFERER']) as $ref ) if ( !empty($ref) ) return $ref; return false; } Exploit: http:///wp-pass.php?_wp_http_referer=http://ww w.EvilPhishingOrMalwareSite.com Since the function uses the $_REQUEST variable, this attack could also be executed using a cookie or post parameter named "_wp_http_referer" If this were a real attack, A link would be sent to users in an E-mail, IM, or other delivery message to trick users into visiting the link. Versions Affected: This vulnerability is likely present in several previous versions of Wordpress, however it was tested and verified in version 2.2.1 Vendor Response: The Wordpress team is currently working on addressing this issue and others in the 2.2.2 release of its blogging software. Disclosure Timeline: 2007-06-21 Discovery by Nick Coblentz of Security PS (http://www.securityps.com) 2007-06-22 Vendor notification 2007-07-02 2nd Vendor notification 2007-07-05 Vendor response Remediation: Wordpress 2.2.2 will address this issue as well as others. Credit: This vulnerability was discovered by Nicholas Coblentz, a security consultant a Security PS (http://www.securityps.com).The vulnerability found could allow an attacker to redirect victims to an arbitrary 3rd party site. This site could be a phishing site or contain malware allowing the attacker to steal account credentials or compromise hosts. This vulnerability can be found in Wordpress 2.2, however it is likely that it exists in previous versions as well. Additional vulnerabilities may exist in the following areas due to the use of the problematic code: wp-includes/pluggable.php (lines 282 to 292) wp-includes/functions.php, wp_nonce_ays function (lines 1287 to 1313) Description: The wp-pass.php page can be used to redirect users to arbitrary third party sites. An attacker may use this vulnerability to redirect users to a phishing or malware site. Relevant Code: wp-pass.php (line 10) wp_redirect(wp_get_referer()); wp-includes/functions.php (line 1040 to 1045) function wp_get_referer() { foreach ( array($_REQUEST['_wp_http_referer'], $_SERVER['HTTP_REFERER']) as $ref ) if ( !empty($ref) ) return $ref; return false; } Exploit: http:///wp-pass.php?_wp_http_referer=http://ww w.EvilPhishingOrMalwareSite.com Since the function uses the $_REQUEST variable, this attack could also be executed using a cookie or post parameter named "_wp_http_referer" If this were a real attack, A link would be sent to users in an E-mail, IM, or other delivery message to trick users into visiting the link. Versions Affected: This vulnerability is likely present in several previous versions of Wordpress, however it was tested and verified in version 2.2.1 Vendor Response: The Wordpress team is currently working on addressing this issue and others in the 2.2.2 release of its blogging software. Disclosure Timeline: 2007-06-21 Discovery by Nick Coblentz of Security PS (http://www.securityps.com) 2007-06-22 Vendor notification 2007-07-02 2nd Vendor notification 2007-07-05 Vendor response Remediation: Wordpress 2.2.2 will address this issue as well as others. Credit: This vulnerability was discovered by Nicholas Coblentz, a security consultant a Security PS (http://www.securityps.com).