I just started using WordPress on a website that is required to be PCI compliant because of an installed shopping cart. When SecurityMetrics ran the quarterly scan yesterday the site failed because of an apparent issue with WordPress.
The tech from SecurityMetrics sent me this explanation of how he was able to replicate the failure:
"Our scanner is seeing a URL redirect in place, which I am also able to see. However, our scanner believes that this is an issue because parts of the URL that we inject later go into the source code and operate directly on links on the page. In mydomain.com's case this is with the "Older Post" link, which includes parts of the originally requested URL, for example:
If I request http://mydomain.com/?www.nba.com then I get the home page. The homepage includes a link to this:
<a href="http://belairerecords.com/page/2/?www_nba_com" >Older posts «</a></p>
For "Older posts". I can see that this includes parts of my original request, yet there are compensating controls in place to protect against these attacks, like the periods being changed into underscores. On mydomain.com's behalf I simply need an explanation of why this wouldn't be a vulnerability and any information you can send me to back up that claim. I'll use this information on their behalf to have the issue lowered."
Now...as far as I can tell this is the way WordPress does its thing. I ran his test on a number of WP sites that I maintain on different hosts and ones that have been updated to the newest version along with a couple that were still running the previous version.
I don't know very much about PHP and its workings. Is there someone on here who can explain to them why this is okay, or do I need to stop using WordPress?
For further study, here's the actual failure message:
Synopsis: The remote web server allows redirects to arbitrary domains.
Description: The remote web server is configured to redirect users using a HTTP 302, 303 or 307 response. However, the server can redirect to a domain that includes components included in the original request. A remote attacker could exploit this by crafting a URL which appears to resolve to the remote server, but redirects to a malicious location.
See also: http://www.owasp.org/index.php/Phishing http://www.technicalinfo.net/papers/Phishing.html
Solution: Contact the web server vendor for a fix.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
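Added here as an example (not code from the scanner, the poster or WordPress) is a small offline check a site owner can run against a captured response to tell apart the two things the scanner report mixes together: a 3xx Location header that leaves the requested host (an open redirect) and a reflected query string that merely lands in an on-site link. The request URL and HTML body are constructed from the post; the dot-to-underscore change seen in the "Older posts" link is what PHP's parse_str() does to parameter names, and that WordPress rebuilds the link through that path is my assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


def same_site(request_url: str, target: str) -> bool:
    """True when `target` (a Location value or an href) resolves, the way a
    browser resolves it, to the same host as the URL that was requested."""
    requested = urlsplit(request_url)
    # Resolve relative values ("/page/2/", "//host/") against the requested URL.
    resolved = urlsplit(urljoin(request_url, target.strip()))
    if resolved.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc. are never a same-site target
    # .hostname drops userinfo and port, so "http://mydomain.com@other.example/"
    # compares as "other.example", not as the site's own host.
    return (resolved.hostname or "").lower() == (requested.hostname or "").lower()


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def offsite_links(request_url: str, html: str) -> list:
    """Every href in `html` that does not stay on the requested host."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if not same_site(request_url, h)]


def check_response(request_url: str, status: int, location, body: str) -> list:
    """Findings for one captured response: an off-host Location on a 3xx is the
    open redirect the scanner describes; reflected query text in an on-host
    link (the WordPress case) produces no finding."""
    findings = []
    if 300 <= status < 400 and location and not same_site(request_url, location):
        findings.append("open redirect: Location leaves the site: " + location)
    findings += ["off-site link: " + h for h in offsite_links(request_url, body)]
    return findings


# Constructed sample modelled on the post: "?www.nba.com" is requested and comes
# back, with dots turned into underscores by parse_str(), inside the paging link.
SAMPLE_REQUEST = "http://mydomain.com/?www.nba.com"
SAMPLE_BODY = '<a href="http://mydomain.com/page/2/?www_nba_com" >Older posts «</a>'

if __name__ == "__main__":
    print(check_response(SAMPLE_REQUEST, 200, None, SAMPLE_BODY))          # []
    print(check_response(SAMPLE_REQUEST, 301, "/?www_nba_com", SAMPLE_BODY))  # []
    print(check_response(SAMPLE_REQUEST, 302, "//www.nba.com/", SAMPLE_BODY))
```

Paste the real Location header and page body from a captured response into check_response(); an empty list means the redirect and every link stayed on the requested host, which is the evidence the scanner vendor asked for.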