[wp-hackers] Rethinking check_admin_referer()
Mark Jaquith
mark.wordpress at txfx.net
Tue Apr 18 10:30:44 GMT 2006
On Apr 18, 2006, at 5:03 AM, Paul Mitchell wrote:
> Anyway, this "flaw in the current system" is nuclear. It allows a
> trivial remotely-exploitable escalation of privilege with ultimate
> destructive power.
On Apr 18, 2006, at 5:11 AM, David House wrote:
> No need to be able to create drafts.
Okay, so more than just an annoyance for people who aren't sending
HTTP referrers. Using a key solves this, by locking things down to
the blog/user/action/object level. I don't see the point of using a
nonce... if you can intercept the key, you have already compromised
the blog. In addition, the use of nonces would create a DB write on
every access of a wp-admin <form>... not exactly ideal.
The way I see it, using keys is more secure and it works for every
browser/internet-"security"-suite. It is essentially what WP uses to
protect AJAX requests (it sends along bits of the login cookie, which
is the same concept of "pass along information that is only provided
to a logged-in user.")
I'm still curious what Matt meant by this... it's the only thing
stopping me from writing the patch:
On Apr 17, 2006, at 2:37 AM, Matt Mullenweg wrote:
> Unfortunately this doesn't work, because it's trivial to fetch the
> page and grab the key/nonce before submitting the malicious request.
I sure hope that's not true!
--
Mark Jaquith
http://txfx.net/
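As an added illustration of the "key" approach Mark argues for above (example code written for this page, not WordPress code and not part of the thread), the following PHP derives a token from a per-user secret plus the blog, user, action and object, and verifies it on submission without touching the database. All function names, the `_key` field name and the `BLOG_SECRET` value are assumptions for the example.

```php
<?php
// Added example (hypothetical names, not WordPress's API): a keyed per-action
// token bound to blog + user + action + object. It is derived, not stored, so
// checking it needs no DB write, unlike a single-use nonce kept in a table.

// Constructed blog-wide secret; a deployment would load this from config.
const BLOG_SECRET = 'constructed-blog-secret-for-example';

function user_secret(int $user_id): string {
    // Constructed per-user secret. This stands in for "information that is
    // only provided to a logged-in user" (e.g. a login-cookie component).
    return hash_hmac('sha256', "user:$user_id", BLOG_SECRET);
}

function action_key(int $blog_id, int $user_id, string $action, string $object): string {
    // Binding the token to the exact action and target means a key issued for
    // one post cannot be replayed to act on a different post.
    $message = implode('|', [$blog_id, $user_id, $action, $object]);
    return hash_hmac('sha256', $message, user_secret($user_id));
}

function hidden_key_field(int $blog_id, int $user_id, string $action, string $object): string {
    // Rendered into the wp-admin <form>; only a logged-in page load yields it.
    $key = action_key($blog_id, $user_id, $action, $object);
    return '<input type="hidden" name="_key" value="' . htmlspecialchars($key, ENT_QUOTES) . '">';
}

function verify_action_key(array $post, int $blog_id, int $user_id, string $action, string $object): bool {
    if (!isset($post['_key']) || !is_string($post['_key'])) {
        return false;
    }
    $expected = action_key($blog_id, $user_id, $action, $object);
    // Constant-time comparison so timing does not reveal how much of the key matched.
    return hash_equals($expected, $post['_key']);
}

// Demonstration with constructed values.
$blog_id = 1;
$user_id = 42;
$form_key = action_key($blog_id, $user_id, 'delete-post', 'post:12');

// Case 1: genuine submission carrying the key rendered into the form.
var_dump(verify_action_key(['_key' => $form_key], $blog_id, $user_id, 'delete-post', 'post:12'));
// Case 2: cross-site submission that carries no key (the referer-less case).
var_dump(verify_action_key([], $blog_id, $user_id, 'delete-post', 'post:12'));
// Case 3: key issued for post 12 submitted against post 13.
var_dump(verify_action_key(['_key' => $form_key], $blog_id, $user_id, 'delete-post', 'post:13'));
```

Because the key is recomputed from the request's own parameters, the check is stateless and survives browsers or "security" suites that strip the Referer header. The point raised by Matt at the end of the message turns on whether a third-party page can read the key out of the logged-in admin page; a browser's same-origin policy stops a cross-origin page from reading that HTML response, which is what makes this kind of derived token usable as a CSRF defence.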