Sunday 4 May 2014

WordPress Website Login Page Covert Redirect Security Bugs Based on Google.com

(1) Domain:

wordpress.com


"Open source WordPress is the most popular online publishing platform, currently powering more than 20% of the web. We wanted to bring the WordPress experience to an even larger audience, so in 2005 we created WordPress.com. We’re a hosted version of the open source software. Here, you can start a blog or build a website in seconds without any technical knowledge. Overall, the WordPress.com network welcomes more than 409 million people viewing more than 15.5 billion pages each month. Our users publish about 41.7 million new posts and leave 60.5 million new comments each month." (https://wordpress.com/about/)

(2) Vulnerability Description:

The WordPress web application has a security problem: an attacker can exploit it through Covert Redirect attacks.


The vulnerability can be exploited without the user being logged in. Tests were performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.

The vulnerability occurs on the "wp-login.php" page through the "redirect_to" parameter, for example:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.google.com [1]



When a user clicks the URL ([1]) above, the "WordPress login" page appears. The user needs to enter his/her username and password. Once this is done, the user is redirected to a web page belonging to WordPress.


However, it appears that "wp-login.php" on "wordpress.com" also accepts some other domains, e.g.
google.com.


As a result, a user could be redirected from "wp-login.php" to a URL on Google first and then be redirected from Google to a malicious site. To the user this looks as if WordPress had redirected them directly.

(2.1) Use one web page for the following tests. Its address is "https://redysnowfox.wordpress.com/"; suppose that this page is malicious.

Vulnerable URL:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com

POC:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q
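The following Python is an added illustration, not code from the advisory or from WordPress: it decodes the redirect_to value of the two URLs above, models offline how the hop through google.com/url lands on www.tetraph.com, and contrasts an assumed reconstruction of the permissive host check described here (weak_allowlist, a hypothetical name) with a same-host check that rejects the POC.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed copies of the two request URLs quoted in the advisory.
BENIGN = "http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com"
POC = ("http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl"
       "%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CCoQFjAA"
       "%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F%26ei%3DFSMgU-bSCOewiQfu5IDoAg"
       "%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q")

def redirect_target(login_url):
    """Return the decoded redirect_to value that wp-login.php receives."""
    return parse_qs(urlsplit(login_url).query).get("redirect_to", [""])[0]

def _host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def weak_allowlist(target):
    """Assumed reconstruction of the check the advisory describes: the target passes
    if its host belongs to an allowed domain, and google.com is on that list."""
    host = (urlsplit(target).hostname or "").lower()
    return _host_in(host, ("wordpress.com", "google.com"))

def final_destination(target, max_hops=3):
    """Follow the chain offline: google.com/url?...&url=X sends the browser on to X.
    No network traffic is generated; each hop is modelled from the URL alone."""
    for _ in range(max_hops):
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        nxt = parse_qs(parts.query).get("url")
        if _host_in(host, ("google.com",)) and parts.path == "/url" and nxt:
            target = nxt[0]
        else:
            break
    return target

def safe_redirect(target, site_host="en.wordpress.com"):
    """Hardened check: honour only a site-relative path or an absolute URL on the
    login page's own host; everything else falls back to the default landing page.
    '//' prefixes and backslashes are refused because browsers resolve them as
    scheme-relative URLs pointing at another host."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and (parts.hostname or "").lower() == site_host:
        return target
    if (not parts.scheme and not parts.netloc and target.startswith("/")
            and not target.startswith("//") and "\\" not in target):
        return target
    return "/"

if __name__ == "__main__":
    t = redirect_target(POC)
    print("weak check accepts POC:", weak_allowlist(t))    # True
    print("browser ends up at:", final_destination(t))      # http://www.tetraph.com/
    print("hardened check sends to:", safe_redirect(t))     # /
```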

POC video:
https://www.youtube.com/watch?v=CxJ3jBAupsk


Blog Detail:
http://tetraph.blogspot.com/2014/05/wordpress-covert-redirect-vulnerability.html

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It arises when an application takes a parameter and redirects the user to the parameter's value without sufficient validation. It often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.


Covert Redirect also relates to single sign-on systems such as OAuth and OpenID, where an attacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can also be combined with CSRF (Cross-site Request Forgery).

Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

1 comment:

  1. I never comment on blogs, but your article is so good that I could not stop myself from saying something about it. You're amazing, man, I like it. WordPress Bugs... Keep it up