[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Sat Apr 22 00:41:53 GMT 2006


Paul Mitchell wrote:
> Robert Deaton wrote:
>> Still, all of this is irrelevant to the discussion, which has nothing
>> to do with cracking md5s or finding their collisions.
> Quite. My interest is rather more simple.
> 
> Given that WordPress is multi-user, nonces will be available to anyone
> entrusted with access to so-protected admin functions by the blog owner,
> who is presumably also the sole knower of the database password.

Yes.  And every nonce is unique to both the action intended and the user 
who is using it, and expires after no more than 24 hours.  Go ahead and 
try to use the nonce you see when you're logged in to insert a link in 
the admin on which someone else with admin access could click to cause 
an unintended action.  You can't.

If you had tried patching a test install and attempted this, you would 
already know that.

> I probably don't appreciate the scale of effort required to extract
> data from nonces, but was the blog database password subject to
> cryptographic attack, theoretical or otherwise, prior to the
> introduction of the nonce? It was the use of the database password for
> something other than connecting to the database that caught my eye in
> the first place.

To answer your question directly, no.  Nor is it after the introduction 
of the nonces.

Now more than one person has answered this question more than once.  If 
you still don't believe what these people have said, then I suggest you 
read the several pages of reference they've provided along the way, and 
then review the patch that was presented so that you can ask a directed 
question.

It should be fairly plain by looking at the code that you can't get the 
database password from the nonce, and that the choice of md5 over some 
other hash doesn't make this any more or less secure.

I don't mind criticism, but I'm not keen on people alluding to severe 
security issues like revealing the database password without having 
something other than raw speculation to back it up.  Patch in this diff 
and test it, and when you find the vulnerability you're worried about, 
then we'll talk.

Owen
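
The binding described in this message (a nonce tied to one action and one user, valid for no more than 24 hours), as an added sketch that is neither the patch under discussion nor WordPress's own code. The function names, the secret, the 12-hour tick and the use of HMAC-MD5 rather than a bare md5 are all assumptions made for the illustration.

```php
<?php
// Constructed secret for this sketch; it never leaves the server.
const SECRET = 'constructed-server-side-secret';
// Assumed 12-hour tick: accepting the current and previous tick caps lifetime at 24 hours.
const TICK_SECONDS = 43200;

// Hypothetical helper: index of the 12-hour window a timestamp falls in.
function nonce_tick(int $now): int {
    return (int) ceil($now / TICK_SECONDS);
}

// Hypothetical helper: keyed hash over tick, action and user id, truncated to 10 hex chars.
// Only a fragment of the keyed digest is exposed, never the key itself.
function make_nonce(string $action, int $userId, int $now): string {
    $data = nonce_tick($now) . '|' . $action . '|' . $userId;
    return substr(hash_hmac('md5', $data, SECRET), 0, 10);
}

// Recompute the nonce for the current and previous tick and compare in constant time.
function verify_nonce(string $nonce, string $action, int $userId, int $now): bool {
    foreach ([0, TICK_SECONDS] as $age) {
        if (hash_equals(make_nonce($action, $userId, $now - $age), $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values: two admin users and one protected action.
$t0    = 1145666513;
$alice = 1;
$bob   = 2;
$nonce = make_nonce('delete-post_42', $alice, $t0);

// Each case: [description, expected result, actual result].
$cases = [
    ['same user, same action',        true,  verify_nonce($nonce, 'delete-post_42', $alice, $t0)],
    ['same user, one tick later',     true,  verify_nonce($nonce, 'delete-post_42', $alice, $t0 + TICK_SECONDS)],
    ['another admin reuses it',       false, verify_nonce($nonce, 'delete-post_42', $bob, $t0)],
    ['same user, different action',   false, verify_nonce($nonce, 'delete-post_43', $alice, $t0)],
    ['same user, two ticks later',    false, verify_nonce($nonce, 'delete-post_42', $alice, $t0 + 2 * TICK_SECONDS)],
];
foreach ($cases as [$label, $expected, $actual]) {
    printf("%-30s %s\n", $label, $expected === $actual ? 'ok' : 'MISMATCH');
}
```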




