CVE-2004-1584

Vulnerability

WordPress 1.2 contains a CRLF injection vulnerability in wp-login.php. The text parameter is not sanitized, allowing an attacker to inject carriage return and line feed characters (%0d%0a). This enables HTTP response splitting, where the attacker can prematurely terminate the legitimate HTTP response and inject an arbitrary second response [1]. Versions prior to 1.2.1 are affected [2].

Exploitation

An attacker sends a crafted POST request to wp-login.php with parameters action=login&mode=profile&log=USER&pwd=PASS and includes malicious CRLF sequences and a fake HTTP response in the text parameter [1]. The attacker must have valid user credentials to reach the vulnerable code path (the text parameter is handled after authentication) [1]. The injected response can include arbitrary content, such as a defacement message or a redirect to a malicious site [1].

Impact

Successful exploitation allows the attacker to perform HTTP response splitting. This can lead to content spoofing, web cache poisoning, and potentially cross-site scripting (XSS) by injecting arbitrary HTML or JavaScript that will be served to other users [1][3]. The attacker gains the ability to manipulate the content delivered by the server to the victim's browser, which may be trusted due to the origin domain [3].

Mitigation

The vulnerability is fixed in WordPress version 1.2.1 [2]. Users should upgrade to 1.2.1 or later. Gentoo Linux users can upgrade to >=www-apps/wordpress-1.2.2 [3]. No workaround is available for version 1.2 [3]. The vendor was notified and released the fix shortly after disclosure [2]. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.