[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Mon Apr 17 13:44:14 GMT 2006


Mark Jaquith wrote:
> Sorry for the double post, but please see this thread from last year 
> that died on the vine:
> 
> http://comox.textdrive.com/pipermail/wp-hackers/2005-August/002391.html
> 
> Several developers seemed to be in favor of the idea, including Matt and 
> Owen, so with a couple of +1s to let me know that your opinion on the 
> matter hasn't changed, and I'll proceed with the patch as soon as I have 
> time.

I still think this is a good idea, but...

This is going to kill a lot of plugins; pretty much anything that uses 
an options page.  So what can be done to mitigate that?

My first thought is that the real problem around which all of this is 
based is executing actions in the admin without performing a 
confirmation.  For example, you click on an unobtrusive link on a 
foreign site that sends you back to your own site's admin to delete post 
#327.  If there is no confirmation for this action, then your site is 
vulnerable.

So the first thing we should be doing is confirming every action that 
could be accessed externally.  This is really freaking annoying, as I've 
noticed with deleting moderated comments from email in 2.1, since I 
didn't have to confirm those in < 2.1 and now I do.

Supposing we could add the action-based nonces to URLs as Mark 
describes, we could avoid some of that pain.

Perhaps a generic check could be performed in admin.php that looks for 
the nonce, and if not found, redirects to a generic confirmation page. 
The confirmation page could build a $_POST/$_GET form (based on the 
original request) that uses the originally submitted values.  It would 
simply ask, "Are you sure you want to do this?"  And if the user clicks 
"OK" then it submits the form on to the originally intended script with 
an appropriate nonce.

That would mitigate some of the plugin breakage, since any plugin that 
didn't build the nonce into its own requests would pass through this 
confirmation.  It also saves from having to immediately add the nonce 
building code to every admin page.  And if this check is centralized, 
then the admin pages and plugins need only worry about appending it to 
their form input, not necessarily checking for it themselves.  (Although 
exposing the function that does so would be useful for plugins with Ajax 
requests that wouldn't pass through that verification code.)

I don't see a way that external sites can scrape the nonces from the 
admin pages, since you would need to be logged in to do that.  It would 
be especially difficult if the nonces were encoded by user id, because 
using someone else's "delete all posts" link would force a confirmation 
on you.  So even if someone else scraped their nonce from your site's 
admin pages, their links would still require a confirmation from you, 
since you're not using your own unique nonce.

Owen
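As an added example (not code from this thread, nor WordPress core's own implementation), the scheme Owen sketches above in plain PHP: an action nonce that is an HMAC over the action, the user id and a time tick; a central check that lets a correctly nonced request through and otherwise rebuilds the original request as a confirmation form; and the consequence that a nonce scraped from one user's admin pages only produces a confirmation prompt for another user. The function names (`make_action_nonce`, `verify_action_nonce`, `route_admin_request`, `build_confirmation_form`), the secret, the 12-hour tick and the `_wpnonce` parameter name are all assumptions made for the illustration, and the request at the bottom is constructed.

```php
<?php
// Added example, not WordPress core code. Function names, the secret, the
// tick length and the parameter names below are assumptions for illustration.

const NONCE_LIFETIME = 12 * 60 * 60;   // seconds per tick; current and previous tick accepted
const NONCE_SECRET   = 'constructed-example-secret-not-for-production'; // would live in wp-config.php

function nonce_tick(int $now): int
{
    return intdiv($now, NONCE_LIFETIME);
}

// Nonce = truncated HMAC over (tick, action, user id). Keying on the user id is
// what makes someone else's "delete" link useless as a direct request.
function make_action_nonce(string $action, int $user_id, ?int $now = null, int $tick_offset = 0): string
{
    $tick = nonce_tick($now ?? time()) - $tick_offset;
    $mac  = hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET);
    return substr($mac, 0, 10);
}

function verify_action_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool
{
    foreach ([0, 1] as $offset) {   // accept the current tick and the one before it
        if (hash_equals(make_action_nonce($action, $user_id, $now, $offset), $nonce)) {
            return true;
        }
    }
    return false;
}

// Rebuild the original request as a hidden form that asks for confirmation.
// $target is a same-site admin script name, never a URL taken from the request.
function build_confirmation_form(string $method, string $target, array $params, int $user_id, string $action): string
{
    $fields = '';
    foreach ($params as $key => $value) {
        if (!is_scalar($value)) {
            continue;                // arrays are not carried over in this sketch
        }
        $fields .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars((string)$key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8'));
    }
    // The nonce minted here is for the user who is looking at the page.
    $fields .= sprintf("<input type=\"hidden\" name=\"_wpnonce\" value=\"%s\">\n",
        make_action_nonce($action, $user_id));

    return sprintf("<form method=\"%s\" action=\"%s\">\n%s<p>Are you sure you want to do this?</p>\n"
        . "<button type=\"submit\">OK</button>\n</form>",
        strtolower($method) === 'post' ? 'post' : 'get',
        htmlspecialchars($target, ENT_QUOTES, 'UTF-8'),
        $fields);
}

// Central check, the kind of thing admin.php could do once for every page:
// any request naming an action must carry a nonce valid for that action and
// this user; otherwise the caller gets the confirmation form, not the side effect.
function route_admin_request(string $method, string $script, array $params, int $user_id): array
{
    $action = (string)($params['action'] ?? '');
    if ($action === '') {
        return ['status' => 'proceed'];        // nothing state-changing requested
    }
    $nonce = (string)($params['_wpnonce'] ?? '');
    if ($nonce !== '' && verify_action_nonce($nonce, $action, $user_id)) {
        return ['status' => 'proceed'];
    }
    $clean = $params;
    unset($clean['_wpnonce']);                 // drop any stale or foreign nonce
    return [
        'status' => 'confirm',
        'html'   => build_confirmation_form($method, $script, $clean, $user_id, $action),
    ];
}

// Constructed request: a link on a foreign site sending the logged-in admin
// (user 1) to delete post 327, with no nonce at all.
$request = ['action' => 'delete-post_327', 'post' => '327'];
$result  = route_admin_request('GET', 'post.php', $request, 1);
echo "no nonce, user 1: {$result['status']}\n";
echo $result['html'], "\n";

// The same request carrying user 1's own nonce.
$request['_wpnonce'] = make_action_nonce('delete-post_327', 1);
echo "own nonce, user 1: ", route_admin_request('GET', 'post.php', $request, 1)['status'], "\n";

// The same link reused against user 2 (nonce scraped from user 1's pages).
echo "user 1's nonce, user 2: ", route_admin_request('GET', 'post.php', $request, 2)['status'], "\n";
```

Run with `php nonce_example.php`: the first request lands on the confirmation form, the second passes straight through, and the third (user 1's nonce presented by user 2) lands on the confirmation form again, which is the point about encoding nonces by user id. The central check also means individual admin pages and plugins only have to append a nonce to their own links and forms; the checking lives in one place, and pages that never learned to do so still get the confirmation fallback rather than silent breakage.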


