WordPress.org

Support

Support » Plugins and Hacks » Stealth Login Page » [Resolved] Leaked stealth parameters

[Resolved] Leaked stealth parameters

  • I’ve found two cases where the stealth parameters could be leaked to the public.

    The first leak happens when the “Meta” widget is enabled. The “Log in” link under Meta reveals the stealth login page. I don’t think this is the intended behavior.

    The second leak happens when an attacker visits /wp-login.php?action=register. If registration is disabled, the attacker will be redirected to the url /wp-login.php?stealth_q=stealth_a?registration=disabled with code 403. Malformed as it is, it puts the stealth question (stealth_q) and answer (stealth_a) in the open.

    http://wordpress.org/extend/plugins/stealth-login-page/

Viewing 8 replies - 1 through 8 (of 8 total)
  • It looks like the plugin is filtering site_url and adding the login parameters, which is revealing that info. That should probably be yanked from the plugin.

    Plugin Author Jesse Petersen

    @peterdog

    That is the only way I know of to fulfill the request to fix the lost password link and the logout link from the admin bar – if you have any other idea how, I’m welcome to check it out.

    On the otherhand, someone concerned with security would be a big bonehead to even think of using the meta widget (duh!) and have open registration that wasn’t secured any other way – several membership plugins add another layer of login URLs anyway.

    Thanks for your info Jesse. Now I temporarly worked around this with mod_rewrite kludging. Still hope for a clean solution though.

    Plugin Author Jesse Petersen

    @peterdog

    Yes, there are a lot more URL options available if the .htaccess file is utilized, but it’s clear in the plugin description that it’s not – also pure nginx environments don’t have .htaccess files, so that needed to be steered clear of.

    Thanks for the clarification.

    Thinking out loud here.

    I think you could work it so that the site_url filter only happens under these conditions:

    1) The user actually makes it to the wp-login.php page by knowing the question and answer. This would take care of the password reset link.

    2) The user is already logged in. This would take care of the admin bar logout link.

    I’m with you on the meta widget thing. It doesn’t make sense to use it if you’re trying to hide the login page anyway.

    I haven’t looked at the registration thing, but you might be able to stop that by implementing #1 above. Which I think (haven’t tested) could be done by only adding that filter if the login_init hook fires and they made it to the login page.

    Plugin Author Jesse Petersen

    @peterdog

    Right – for WP 3.6, I’m looking into these 2 functions:

    http://codex.wordpress.org/Function_Reference/is_user_logged_in
    http://codex.wordpress.org/Function_Reference/check_admin_referer

    I think you might be onto something with the conditional filter. Thanks for poking my brain. I’ll see what I can code on the airplane Thurs on a local copy of WP 3.6 and test it out later that night.

    Hi Jesse,

    A new leak found. When an unauthenticated user (presumably malicious attacker) tries to access /wp-admin, he will be redirected to the authentication page /wp-login.php?stealth_q=stealth_a&redirect_to=[wp-admin]&reauth=1 (here stealth_q and stealth_a are again the stealth question and answer, and the bracketed part is actually the percent-encoded full url of the admin page).

    Any suggestions about preventing this kind of leak?

    Thanks,

    Cong.

    Temporarily using the “Lockdown WP Admin” plugin to block unauthenticated access to the admin page altogether.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘[Resolved] Leaked stealth parameters’ is closed to new replies.
Skip to toolbar