Stealth Login Page
[resolved] Leaked stealth parameters (9 posts)

  1. congma
    Posted 3 years ago #

    I've found two cases where the stealth parameters could be leaked to the public.

    The first leak happens when the "Meta" widget is enabled. The "Log in" link under Meta reveals the stealth login page. I don't think this is the intended behavior.

    The second leak happens when an attacker visits /wp-login.php?action=register. If registration is disabled, the attacker will be redirected to the url /wp-login.php?stealth_q=stealth_a?registration=disabled with code 403. Malformed as it is, it puts the stealth question (stealth_q) and answer (stealth_a) in the open.


  2. John Parris
    Posted 3 years ago #

    It looks like the plugin is filtering site_url and adding the login parameters, which is revealing that info. That should probably be yanked from the plugin.

  3. Jesse Petersen
    Plugin Author

    Posted 3 years ago #

    That is the only way I know of to fulfill the request to fix the lost password link and the logout link from the admin bar - if you have any other idea how, I'm welcome to check it out.

    On the otherhand, someone concerned with security would be a big bonehead to even think of using the meta widget (duh!) and have open registration that wasn't secured any other way - several membership plugins add another layer of login URLs anyway.

  4. congma
    Posted 3 years ago #

    Thanks for your info Jesse. Now I temporarly worked around this with mod_rewrite kludging. Still hope for a clean solution though.

  5. Jesse Petersen
    Plugin Author

    Posted 3 years ago #

    Yes, there are a lot more URL options available if the .htaccess file is utilized, but it's clear in the plugin description that it's not - also pure nginx environments don't have .htaccess files, so that needed to be steered clear of.

  6. John Parris
    Posted 3 years ago #

    Thanks for the clarification.

    Thinking out loud here.

    I think you could work it so that the site_url filter only happens under these conditions:

    1) The user actually makes it to the wp-login.php page by knowing the question and answer. This would take care of the password reset link.

    2) The user is already logged in. This would take care of the admin bar logout link.

    I'm with you on the meta widget thing. It doesn't make sense to use it if you're trying to hide the login page anyway.

    I haven't looked at the registration thing, but you might be able to stop that by implementing #1 above. Which I think (haven't tested) could be done by only adding that filter if the login_init hook fires and they made it to the login page.

  7. Jesse Petersen
    Plugin Author

    Posted 3 years ago #

    Right - for WP 3.6, I'm looking into these 2 functions:


    I think you might be onto something with the conditional filter. Thanks for poking my brain. I'll see what I can code on the airplane Thurs on a local copy of WP 3.6 and test it out later that night.

  8. congma
    Posted 3 years ago #

    Hi Jesse,

    A new leak found. When an unauthenticated user (presumably malicious attacker) tries to access /wp-admin, he will be redirected to the authentication page /wp-login.php?stealth_q=stealth_a&redirect_to=[wp-admin]&reauth=1 (here stealth_q and stealth_a are again the stealth question and answer, and the bracketed part is actually the percent-encoded full url of the admin page).

    Any suggestions about preventing this kind of leak?



  9. congma
    Posted 3 years ago #

    Temporarily using the "Lockdown WP Admin" plugin to block unauthenticated access to the admin page altogether.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Stealth Login Page
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic


No tags yet.