The hidden URL can be bypassed in Firefox

  • Resolved Nephalem

    (@nephalem)


    7 years, 9 months ago

    Under normal circumstances, the hidden URL prevents people from finding the login page, as it supposed to be, but there’s a very simple way to bypass this security in Mozilla Firefox. Instead of typing this:

    http://www.mysite.com/wps-login.php (which is futile),

    you can use a coded version of this URL:

    http://www.mysite.com/%77%70%2D%6C%6F%67%69%6E.%70%68%70

    …and your browser will display the hidden URL login page. It looks like a security glitch. Firefox resolves the encoded URL in such a way that your WPS Hide Login lets the resolved URL go through like a correct hidden URL.

    This is confirmed on Mozilla Firefox. Other browsers (like MSIE) can’t use this method for revealing the correct hidden login page. I would like to see if other people can confirm this behavior as well.

    https://wordpress.org/plugins/wps-hide-login/

Viewing 2 replies - 16 through 17 (of 17 total)
1 2
  • David Burkhart

    (@dlburkhart)

    6 years, 6 months ago

    I would like to see a fake login page accessed thru wp-admin or wp-login.php which would give the default error message for a bad password regardless of what is provided. If you just hide a door, burglars will look for it. But, if you also present a door that leads nowhere, all efforts will be focused on getting in that door instead of the real one.

    Remy Perona

    (@tabrisrp)

    6 years, 6 months ago

    The encoded version should not be redirecting to the login URL since version 1.2.1

Viewing 2 replies - 16 through 17 (of 17 total)
1 2
  • The topic ‘The hidden URL can be bypassed in Firefox’ is closed to new replies.

Tags