[wp-hackers] Rethinking check_admin_referer()
Matt Mullenweg
m at mullenweg.com
Mon Apr 17 06:37:36 GMT 2006
Mark Jaquith wrote:
> Protecting the WordPress admin from CSRF attacks with
> check_admin_referer() is getting really old for me. Many mobile
> browsing devices go through a proxy that strips them, and more and more
> people at home are getting "Internet security" suites that are stripping
> them. I had a client ask me "why is this happening? I never had
> problems like this with Movable Type." Yeah, I could give him the whole
> reason for it, but from his perspective it is just "this is annoying,
> and I've only had this problem with WordPress." And seeing that there
> is a way around this, I don't see why we shouldn't pursue it.
You could always disable it for that client; in fact a plugin that did that
would probably be popular. We just need protection in the core, partly
so every wannabe security "researcher" doesn't scare our entire userbase
every month.
> 1) function wp_secure_form($key='') { }
>
> This function would echo out a hidden form input with an md5 hash
> computed on (a) the database password, (b) the userid, and (c) the
> optional key. This would give us a hash that is unique to the specific
> WP user on that install, and optionally, specific to the particular task
> being performed. For example, for deleting a post, you could do
> wp_secure_form('delete_post_' . $post_id); and it would be locked down
> to the install, the user, the "delete" action, and that specific post.
Unfortunately this doesn't work, because it's trivial to fetch the page
and grab the key/nonce before submitting the malicious request.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
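As an added illustration of the per-user, per-action form token Mark sketches above (example code written for this page, not code from the thread or from WordPress): the token is bound to the install secret, the user id and an action key such as `delete_post_7`, and the handler verifies it on submit. `$secret` and `$user_id` are hypothetical stand-ins for the database password and the logged-in user; HMAC-SHA256 is used in place of the plain md5() concatenation described.

```php
<?php
// Added example, not code from the thread. $secret stands in for the install's
// database password and $user_id for the logged-in user (both hypothetical).
// HMAC-SHA256 replaces the md5() of concatenated values that Mark describes.

function form_token(string $secret, int $user_id, string $key = ''): string {
    // Bind the token to the install ($secret), the user and the action key.
    return hash_hmac('sha256', $user_id . '|' . $key, $secret);
}

function secure_form_field(string $secret, int $user_id, string $key = ''): string {
    // Hidden input emitted into the form; the handler reads it back from $_POST.
    $token = form_token($secret, $user_id, $key);
    return '<input type="hidden" name="_wptoken" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

function verify_form_token(string $secret, int $user_id, string $key, string $submitted): bool {
    // Constant-time comparison; a token minted for another user or action fails.
    return hash_equals(form_token($secret, $user_id, $key), $submitted);
}

// Constructed demonstration values (placeholders, not real credentials).
$secret  = 'example-db-password';
$user_id = 42;
$post_id = 7;

// Render the protected field for the "delete this post" form.
echo secure_form_field($secret, $user_id, 'delete_post_' . $post_id), PHP_EOL;

// Simulate the handler: same user and same action verify; any other
// post id or user id is rejected even though the token itself is valid.
$token = form_token($secret, $user_id, 'delete_post_' . $post_id);
var_dump(verify_form_token($secret, $user_id, 'delete_post_7', $token)); // matching user and action
var_dump(verify_form_token($secret, $user_id, 'delete_post_8', $token)); // token minted for another post
var_dump(verify_form_token($secret, 43,       'delete_post_7', $token)); // token minted for another user
```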