[wp-hackers] Rethinking check_admin_referer()

Sam Angove sam at rephrase.net
Mon Apr 17 12:09:25 GMT 2006


On 4/17/06, Mark Jaquith <mark.wordpress at txfx.net> wrote:
> On Apr 17, 2006, at 2:37 AM, Matt Mullenweg wrote:
>
> > Unfortunately this doesn't work, because it's trivial to fetch the
> > page and grab the key/nonce before submitting the malicious request.
>
> How could this be done without <script> injection (a security problem
> in its own right)?  It may just be that it is 4am, but without
> injection of a malicious script, in which case the security breach
> has already occurred, I can't see how you are going to load the page
> as the authenticated user and extract the key.

Yeah. This kind of token is suggested by pretty much everyone,
including the PHP Security Consortium[1], so there have been a lot of
experienced eyes that haven't found a problem. (And if there *is* a
working exploit, the wider community really, really needs to know
about it.)

The JavaScript security model shouldn't allow the external page
content to be read unless the attack is from the same domain, and CSRF
is the least of your worries if you have a script injection problem.

[1]:  http://phpsec.org/projects/guide/2.html
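As an added illustration of the token scheme discussed above (my own Python sketch, not WordPress's implementation of check_admin_referer() or its nonce helpers), the nonce is an HMAC over the logged-in user, the specific action and a coarse time window. A cross-site form post therefore fails the check: the attacker cannot read the victim's page to copy the nonce, and a nonce minted for another user or action does not verify. SECRET_KEY, NONCE_LIFETIME and handle_delete are assumptions made for the demo.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for this demo; a real deployment loads one from config.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
NONCE_LIFETIME = 12 * 60 * 60  # seconds; a nonce is valid in its own window and the next one


def _window(now):
    """Coarse time bucket, so nonces expire without any server-side storage."""
    return int(now // NONCE_LIFETIME)


def create_nonce(user_id, action, now=None):
    """Bind the token to the user, the action and a time window (stateless)."""
    now = time.time() if now is None else now
    msg = f"{_window(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current window or the previous one; compare in constant time."""
    now = time.time() if now is None else now
    for w in (_window(now), _window(now) - 1):
        msg = f"{w}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def handle_delete(form, session_user, now=None):
    """Hypothetical form handler: the submitted nonce must match this user and action."""
    action = f"delete-post-{form.get('post_id')}"
    if not verify_nonce(form.get("_wpnonce", ""), session_user, action, now):
        return "rejected: missing or invalid nonce"
    return f"deleted post {form['post_id']}"


if __name__ == "__main__":
    # Constructed scenario: user 42 is logged in; a cross-site form has no valid nonce.
    good = create_nonce(42, "delete-post-7")
    print(handle_delete({"post_id": "7", "_wpnonce": good}, 42))
    print(handle_delete({"post_id": "7"}, 42))  # forged post without the token
    print(handle_delete({"post_id": "7", "_wpnonce": create_nonce(99, "delete-post-7")}, 42))
```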
