Elliott C. Back: Internet & Technology

Wordpress Vulnerability (1.2)

Posted in My Blog by Elliott Back on December 3rd, 2004.

Take a look at lines 77-79 of wp-login.php:

    //If someone has moved WordPress let's try to detect it
    if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
        update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );

In combination with .htaccess rewrites, this could change the stored siteurl parameter of your installation to some other value, because the new value is built from the request's Host header and URI. This code should probably go after the user is logged in, on line 174. The IT Kitchen was hacked because of this. See Turnip’s .htaccess solution.

This blog uses an explicit www subdomain, so I need neither the offending code nor an .htaccess rewrite rule. http://elliott… and www.elliott… both get me to the same physical path.
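The reordering suggested above, as an added example (not WordPress's code and not this blog's): the check from lines 77-79 next to a version that runs only after login and only for host names the owner has listed. The in-memory option store, the $logged_in flag, the $allowed_hosts list and the example.org names are assumptions standing in for a real installation.

```php
<?php
// Constructed stand-in for the WordPress option store so the example runs alone.
$options = ['siteurl' => 'http://www.example.org/blog'];
function get_settings($name) { global $options; return $options[$name]; }
function update_option($name, $value) { global $options; $options[$name] = $value; }

// Base URL as the request describes it; both parts are supplied by the client.
function requested_base($server) {
    return dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

// Same logic as the quoted lines: runs for every visitor, before any login check.
function detect_move_original($server) {
    if (requested_base($server) != get_settings('siteurl')) {
        update_option('siteurl', requested_base($server));
    }
}

// Reordered: only for a logged-in user, and only for host names the owner listed.
function detect_move_guarded($server, $logged_in, $allowed_hosts) {
    if (!$logged_in) {
        return false;
    }
    if (!in_array(strtolower($server['HTTP_HOST']), $allowed_hosts, true)) {
        return false;
    }
    $base = requested_base($server);
    if ($base == get_settings('siteurl')) {
        return false;
    }
    update_option('siteurl', $base);
    return true;
}

// Constructed request: the login page reached through the bare-domain alias.
$req = ['HTTP_HOST' => 'example.org', 'REQUEST_URI' => '/blog/wp-login.php'];
$allowed = ['www.example.org'];

detect_move_guarded($req, false, $allowed);
echo "guarded, not logged in:        ", get_settings('siteurl'), "\n";
detect_move_guarded($req, true, $allowed);
echo "guarded, logged in, unlisted:  ", get_settings('siteurl'), "\n";
detect_move_original($req);
echo "original order, any visitor:   ", get_settings('siteurl'), "\n";
```

Run with the PHP command-line interpreter; only the last call changes the stored siteurl.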

This entry was posted on Friday, December 3rd, 2004 at 3:58 pm and is tagged with rewrite rule, server request, physical path, host server, http server, htaccess, siteurl, vulnerability, hack, request uri, blog.

One Response to “Wordpress Vulnerability (1.2)”

  1. Meqif says:

    Wordpress 1.3 also suffers from this vulnerability. Thanks for posting that, otherwise I wouldn’t have “patched” (well, I just deleted those lines, it’s safer this way) my WP. ;)
