[wp-hackers] Rethinking check_admin_referer()
mark.wordpress at txfx.net
Tue Apr 18 01:26:59 GMT 2006
On Apr 17, 2006, at 5:48 PM, Peter Westwood wrote:
> You need to generate a nonce "per action" and have that stored within
> the db - in say user meta information and timed out so that it doesn't
> last forever otherwise it is next to useless as it allows for any type
> multi pronged off line attack.
> For example with you solution one attack can get the key and
> another can
> use it!
Again, my question is: HOW can an attacker get the key if it is only
showed on admin pages where the login has been validated via
cookies? An attacker would have to trick a logged-in user into
clicking a link that would give the attacker the key by extracting it
from the document... but that's not a CSF attack, that's a XSS
attack, and it is its own security vulnerability that has to be fixed
by validating/filtering input data. And if you can inject a script,
the current referer-based checks can be bypassed anyway.
More information about the wp-hackers