• It is possible to bypass the login page protection by URL-encoding characters in the wp-login.php file.

    In order to reproduce this issue, open the following file in Firefox or by using a web proxy:

    wp-login%2ephp

    After opening this file, it is also possible to find the hidden name by looking at the links on the page.

    Thanks for fixing this in advance.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter @irsdl

    Please can you update me on the state of this issue? This is a security bug in your product.

    One question:
    If I put this URL into Chrome it works as you would expect, that is, it returns a not_found:
    https://mysite.com/wp-login%2ephp
    If I put it into Firefox, it does indeed open up the wp-login.php dialog and anyone can log in without ever knowing the “secret” address.

    Why do the two seem to behave differently?

    Thread Starter @irsdl

    The difference is the automatic decoding in Google Chrome.

    Instead of Mozilla Firefox you can use web proxies such as Fiddler, ZAP, or Burp Suite to get the same result.

    As long as the request is sent with the encoded values (for instance, “%25” instead of the “.” sign), it will work fine.

    iTSec code performs the following check:

    strpos( $_SERVER['REQUEST_URI'], 'wp-login.php' )

    Perhaps this will fix the security hole on the server side?

    strpos( rawurldecode( $_SERVER['REQUEST_URI'] ), 'wp-login.php' )

    dwinden

    Thread Starter @irsdl

    I think this should fix the encoding bypass issue.

    Tested and indeed it works …
    Using rawurldecode($_SERVER['REQUEST_URI']) will take care of any URL-encoded variant of “wp-login.php” such as:

    wp-login%2e.php
    wp%2dlogin.php
    wp%2dlogin%2ephp
    %77%70%2D%6C%6F%67%69%6E%2E%70%68%70

    Still wondering whether there is anything we can do about this in .htaccess …
    A RewriteRule in .htaccess might save us from changing php code …
    Or perhaps this should be fixed in .htaccess and php code ?

    dwinden
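
    The following is an added example, not code from the Better WP Security / iThemes Security plugin or from anyone in this thread. It puts the check quoted above and the proposed rawurldecode() fix side by side and runs both over the encoded variants listed in the thread. It assumes the behaviour the thread describes: Apache percent-decodes the request path before mapping it to wp-login.php on disk, while PHP hands the plugin $_SERVER['REQUEST_URI'] exactly as the client sent it. The hidden slug name used as a control is a placeholder.

```php
<?php
// Added example; not code from the Better WP Security / iThemes Security plugin.
// Models the situation described in this thread: the web server decodes the
// path before serving wp-login.php, but $_SERVER['REQUEST_URI'] stays encoded,
// so a plain substring check on it never sees "wp-login.php".

/** Vulnerable check, as quoted in the thread: substring test on the raw URI. */
function login_requested_raw(string $request_uri): bool
{
    return strpos($request_uri, 'wp-login.php') !== false;
}

/**
 * Hardened check: percent-decode first. rawurldecode() leaves "+" alone, which
 * matches how a web server decodes a path (urldecode() would turn "+" into a
 * space and could be tricked the other way).
 */
function login_requested_decoded(string $request_uri): bool
{
    return strpos(rawurldecode($request_uri), 'wp-login.php') !== false;
}

/** Path the web server will actually resolve: query string dropped, decoded once. */
function served_path(string $request_uri): string
{
    return rawurldecode(strtok($request_uri, '?'));
}

/** Run both checks over raw request URIs; returns one result row per URI. */
function compare_checks(array $uris): array
{
    $rows = [];
    foreach ($uris as $uri) {
        $rows[$uri] = [
            'serves_login' => basename(served_path($uri)) === 'wp-login.php',
            'raw_check'    => login_requested_raw($uri),
            'fixed_check'  => login_requested_decoded($uri),
        ];
    }
    return $rows;
}

// Constructed sample requests. The encoded ones are the variants listed in this
// thread; the last two are controls (a normal admin page and a hidden login slug,
// the slug name being a placeholder).
$samples = [
    '/wp-login.php',                               // plain request
    '/wp-login%2ephp',                             // the reported bypass
    '/wp%2dlogin.php',
    '/wp%2dlogin%2ephp',
    '/%77%70%2D%6C%6F%67%69%6E%2E%70%68%70',      // every byte encoded
    '/wp-login%2ephp?redirect_to=%2Fwp-admin%2F',  // bypass with a query string
    '/wp-admin/',
    '/my-secret-login',
];

// Every row where "serves wp-login.php" is yes but "raw check" is no is a bypass
// of the original check; the decoded check closes all of them.
foreach (compare_checks($samples) as $uri => $r) {
    printf("%-46s serves wp-login.php: %-4s raw check: %-4s fixed check: %s\n",
        $uri,
        $r['serves_login'] ? 'yes' : 'no',
        $r['raw_check']    ? 'yes' : 'no',
        $r['fixed_check']  ? 'yes' : 'no');
}
```

    Run with `php compare.php`. Only the plain request trips the raw check; the decoded check also catches every encoded variant while leaving the two control URLs alone. An alternative that sidesteps the decoding question is to compare against the script the server actually resolved (for example $_SERVER['SCRIPT_NAME']) rather than the client-supplied URI, but the thread's own fix of decoding REQUEST_URI is what is shown here.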

    This is serious and the fix must be included in the plugin. Any official answer?

    Why has this still not been included in the iThemes Security plugin?

    I’ve had a slew of attempted logins today on two of my sites using this plugin’s hidden login URL feature, so I started Googling for potential vulnerabilities and found this page.

    This really is a crucial security hole that needs to be patched.

    Just apply the following to the .htaccess file and it will stop the page from loading.

    <Files "wp-login.php">
    Order Allow,Deny
    Deny from all
    </Files>

    and you should still be able to access your “secret” URL

    Yes, that works for Apache < 2.3.x

    For Apache > 2.2.x use:

    <Files "wp-login.php">
    Require all denied
    </Files>

    dwinden

    But regardless of the Apache version, the “secret” URL no longer works …

    dwinden

    The secret URL doesn’t work for me either with the .htaccess mod

  • The topic ‘Finding the hidden login page’ is closed to new replies.