[wp-hackers] Rethinking check_admin_referer()
John Joseph Bachir
jjb at ibiblio.org
Tue Apr 18 02:56:34 GMT 2006
On Mon, 17 Apr 2006, Mark Jaquith wrote:
> On Apr 17, 2006, at 5:48 PM, Peter Westwood wrote:
>> You need to generate a nonce "per action" and have that stored within
>> the db - in say user meta information and timed out so that it doesn't
>> last forever otherwise it is next to useless as it allows for any type
>> multi pronged off line attack.
>> For example with your solution one attack can get the key and another
>> can use it!
> Again, my question is: HOW can an attacker get the key if it is only
> showed on admin pages where the login has been validated via cookies?
> An attacker would have to trick a logged-in user into clicking a link
> that would give the attacker the key by extracting it from the
> document... but that's not a CSRF attack, that's an XSS attack, and it is
> its own security vulnerability that has to be fixed by
> validating/filtering input data. And if you can inject a script, the
> current referer-based checks can be bypassed anyway.
I think what Peter is at least partly addressing is some flavor of a brute
force attack. Of course a simple brute force attack over the space of sha1
or even md5 would take too long to be worth it. But if any of the pieces
in the system are compromised, the range can be cut down considerably...
for example if an exploit is found in the php random function, then the
attacker can narrow down the possible hashes considerably. There are
probably a few other brute-force-space-reduction potential opportunities
that we could think of, and dozens of others that exist now or in the
The way around this is to have access to the token on the server side
involve authentication information. Then our token system cannot even be
attempted to be exploited, or at least not without compromising the
authentication system itself (stealing/intercepting cookies).
When Lyceum generates a token...
$token = sha1(uniqid(rand(), TRUE));                    // the nonce itself
$key = sha1($targetscript.$action.$id.$userdata->ID);   // lookup key bound to script, action, object and user
$_SESSION['formtokens'][$key][$token] = time();         // stored server side with its issue time
...the key to access the token is a hash that includes the user id. So
the tokens can only be accessed by a logged-in user, and the token system
is as secure as the authentication system.
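The scheme above, written out as an added example that is not Lyceum's or WordPress's own code: tokens are keyed by a hash that includes the user ID, stored in the session with their issue time, expire after an assumed lifetime, and are consumed on first use. Function names, the FORM_TOKEN_TTL value and the use of random_bytes()/hash_equals() are my assumptions, not anything from the original post.

```php
<?php
// Added example, not the project's code. Assumed names: form_token_key(),
// generate_form_token(), verify_form_token(), FORM_TOKEN_TTL.
const FORM_TOKEN_TTL = 43200; // assumed lifetime: 12 hours

function form_token_key($targetScript, $action, $id, $userId) {
    // Key mixes target script, action, object id and user id, so a token
    // issued for one user/action pair cannot be looked up for any other.
    return hash('sha256', $targetScript . "\0" . $action . "\0" . $id . "\0" . $userId);
}

function generate_form_token($targetScript, $action, $id, $userId) {
    $token = bin2hex(random_bytes(16)); // CSPRNG instead of rand()/uniqid()
    $key = form_token_key($targetScript, $action, $id, $userId);
    $_SESSION['formtokens'][$key][$token] = time(); // issue time for expiry
    return $token;
}

function verify_form_token($targetScript, $action, $id, $userId, $submitted) {
    $key = form_token_key($targetScript, $action, $id, $userId);
    if (empty($_SESSION['formtokens'][$key])) {
        return false; // no token ever issued for this user/action pair
    }
    $now = time();
    $valid = false;
    foreach ($_SESSION['formtokens'][$key] as $stored => $issued) {
        if ($now - $issued > FORM_TOKEN_TTL) {
            unset($_SESSION['formtokens'][$key][$stored]); // timed out: drop it
            continue;
        }
        if (hash_equals((string) $stored, (string) $submitted)) {
            unset($_SESSION['formtokens'][$key][$stored]); // single use
            $valid = true;
        }
    }
    return $valid;
}

// Usage sketch: the admin page emits the token in a hidden field and the
// handler for the POST checks it before acting.
// session_start();
// $t = generate_form_token('edit.php', 'delete', 42, $userdata->ID);
// echo '<input type="hidden" name="_token" value="' . htmlspecialchars($t) . '">';
// if (!verify_form_token('edit.php', 'delete', 42, $userdata->ID, $_POST['_token'])) {
//     die('Invalid form token');
// }
```

Because the key is derived from the logged-in user's ID on the server, a token can only be redeemed by the session that was issued it, and the timestamp check removes the "lasts forever" problem Peter raised.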