[wp-hackers] Rethinking check_admin_referer()

Matt Mullenweg m at mullenweg.com
Mon Apr 17 06:37:36 GMT 2006

Mark Jaquith wrote:
> Protecting the WordPress admin from CSF attacks with 
> check_admin_referer() is getting really old for me.  Many mobile 
> browsing devices go through a proxy that strips them, and more and more 
> people at home are getting "Internet security" suites that are stripping 
> them.  I had a client ask me "why is this happening?  I never had 
> problems like this with Movable Type."  Yeah, I could give him the whole 
> reason for it, but from his perspective it is just "this is annoying, 
> and I've only had this problem with WordPress."  And seeing that there 
> is a way around this that, I don't see why we shouldn't pursue it.

You could always disable for that client, in fact a plugin that did that 
would probably be popular. We just need protection in the core, partly 
so every wannabe security "researcher" doesn't scare our entire userbase 
every month.

> 1) function wp_secure_form($key='') { }
> This function would echo out a hidden from input with an md5 hash 
> computed on (a) the database password, (b) the userid, and (c) the 
> optional key.  This would give us a hash that is unique to the specific 
> WP user on that install, and optionally, specific to the particular task 
> being performed.  For example, for deleting a post, you could do 
> wp_secure_form('delete_post_' . $post_id); and it would be locked down 
> to the install, the user, the "delete" action, and that specific post.

Unfortunately this doesn't work, because it's trivial to fetch the page 
and grab the key/nonce before submitting the malicious request.

Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

More information about the wp-hackers mailing list