[wp-hackers] Rethinking check_admin_referer()

John Joseph Bachir jjb at ibiblio.org
Tue Apr 18 02:56:34 GMT 2006

On Mon, 17 Apr 2006, Mark Jaquith wrote:

> On Apr 17, 2006, at 5:48 PM, Peter Westwood wrote:
>> You need to generate a nonce "per action" and have that stored within 
>> the db - in say user meta information and timed out so that it doesn't 
>> last forever otherwise it is next to useless as it allows for any type 
>> multi pronged off line attack.
>> For example with you solution one attack can get the key and another 
>> can use it!
> Again, my question is: HOW can an attacker get the key if it is only 
> showed on admin pages where the login has been validated via cookies? 
> An attacker would have to trick a logged-in user into clicking a link 
> that would give the attacker the key by extracting it from the 
> document... but that's not a CSF attack, that's a XSS attack, and it is 
> its own security vulnerability that has to be fixed by 
> validating/filtering input data.  And if you can inject a script, the 
> current referer-based checks can be bypassed anyway.

I think what Peter is at least partly addressing is some flavor of a brute 
force attack. Of course a simple brute force attack over the space of sha1 
or even md5 would take too long to be worth it. But if any of the pieces 
in the system are compromised, the range can be cut down considerably... 
for example if an exploit is found in the php random function, then the 
attacker can narrow down the possible hashes considerably. There are 
probably a few other brute-force-space-reduction potential opportunities 
that we could think of, and dozens of others that exist now or in the 

The way around this is to have access to the token on the server side 
involve authentication information. Then our token system cannot even be 
attempted to be exploited, or at least not without compromising the 
authentication system itself (stealing/intercepting cookies).

When Lyceum generates a token...

 	$token = sha1(uniqid(rand(), TRUE));
 	$key = sha1($targetscript.$action.$id.$userdata->ID);
 	$_SESSION['formtokens'][$key][$token] = time();

...the key to access the token is a hash that includeds the user id. So 
the tokens can only be accessed by a logged-in user, and the token system 
is as secure as the authentication system.

aim/yim/msn/jabber.org: johnjosephbachir

More information about the wp-hackers mailing list