[wp-hackers] Rethinking check_admin_referer()

Peter Westwood peter.westwood at ftwr.co.uk
Tue Apr 18 21:02:20 GMT 2006


Mark Jaquith wrote:
> On Apr 17, 2006, at 5:48 PM, Peter Westwood wrote:
>> You need to generate a nonce "per action" and have that stored within
>> the db - in say user meta information and timed out so that it doesn't
>> last forever otherwise it is next to useless as it allows for any type of
>> multi-pronged offline attack.
>> For example with your solution one attack can get the key and another can
>> use it!
> Again, my question is: HOW can an attacker get the key if it is only
> shown on admin pages where the login has been validated via cookies?
> An attacker would have to trick a logged-in user into clicking a link
> that would give the attacker the key by extracting it from the
> document... but that's not a CSRF attack, that's an XSS attack, and it is
> its own security vulnerability that has to be fixed by
> validating/filtering input data.  And if you can inject a script, the
> current referer-based checks can be bypassed anyway.

You are right, at present we don't know how they could get hold of the key.

But it is possible that in the future someone may find a way - we are
not all perfect coders after all ;-)

This is why the key/nonce should have a limited usage period and
preferably be one-time only.  So that _if_ in the future someone works
out a way of getting hold of it, its use is severely limited.

--
Peter Westwood
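The design argued for above (a nonce bound to one user and one action, stored server-side, expiring after a fixed period and consumed on first use) as an added illustration that is not code from the thread or from WordPress; it is written in Python rather than PHP so it can be run stand-alone, and the user ids, action names and TTL are constructed sample values.

```python
import hmac
import secrets
import time


class NonceStore:
    """Server-side store of per-user, per-action nonces (constructed example).

    A leaked nonce is of little use to an attacker: it only matches its own
    (user, action) pair, it is deleted the first time it verifies, and it
    stops verifying once the TTL has elapsed.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised in tests
        self._store = {}  # (user_id, action) -> (nonce, issued_at)

    def issue(self, user_id, action):
        # Fresh random value; issuing again replaces any earlier nonce.
        nonce = secrets.token_hex(16)
        self._store[(user_id, action)] = (nonce, self.clock())
        return nonce

    def verify(self, user_id, action, presented):
        entry = self._store.get((user_id, action))
        if entry is None:
            return False  # never issued for this user/action, or already used
        nonce, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            del self._store[(user_id, action)]
            return False  # timed out
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if not hmac.compare_digest(nonce.encode(), str(presented).encode()):
            return False
        del self._store[(user_id, action)]  # one-time use: consume on success
        return True


def scenario():
    """Walk through the cases discussed in the thread; returns pass/fail per case."""
    now = [1000.0]
    store = NonceStore(ttl_seconds=600, clock=lambda: now[0])
    n = store.issue("alice", "delete-post-7")  # constructed user and action
    results = {}
    results["wrong_action"] = store.verify("alice", "delete-post-8", n)
    results["wrong_user"] = store.verify("mallory", "delete-post-7", n)
    results["first_use"] = store.verify("alice", "delete-post-7", n)
    results["replay"] = store.verify("alice", "delete-post-7", n)
    n2 = store.issue("alice", "delete-post-7")
    now[0] += 601  # advance past the TTL
    results["expired"] = store.verify("alice", "delete-post-7", n2)
    return results
```

Only `first_use` succeeds; the same nonce presented for another action, by another user, a second time, or after the TTL is rejected.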