[wp-hackers] Rethinking check_admin_referer()
Peter Westwood
peter.westwood at ftwr.co.uk
Tue Apr 18 21:02:20 GMT 2006
Mark Jaquith wrote:
> On Apr 17, 2006, at 5:48 PM, Peter Westwood wrote:
>
>> You need to generate a nonce "per action" and have that stored within
>> the db - in say user meta information and timed out so that it doesn't
>> last forever, otherwise it is next to useless as it allows for any type
>> of multi-pronged offline attack.
>>
>> For example with your solution one attack can get the key and another can
>> use it!
>
> Again, my question is: HOW can an attacker get the key if it is only
> shown on admin pages where the login has been validated via cookies?
> An attacker would have to trick a logged-in user into clicking a link
> that would give the attacker the key by extracting it from the
> document... but that's not a CSRF attack, that's an XSS attack, and it is
> its own security vulnerability that has to be fixed by
> validating/filtering input data. And if you can inject a script, the
> current referer-based checks can be bypassed anyway.
>
You are right, at present we don't know how they could get hold of the key.
But it is possible that in the future someone may find a way - we are
not all perfect coders after all ;-)
This is why the key/nonce should have a limited usage period and
preferably be one-time only, so that _if_ in the future someone works
out a way of getting hold of it, its use is severely limited.
westi
--
Peter Westwood
http://blog.ftwr.co.uk
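One way to implement the per-action, expiring, single-use nonce argued for above, as an added example in Python rather than WordPress's PHP; this is not code from WordPress or from anyone on the list. The 12-hour lifetime, the in-memory dict standing in for user meta, and the `NonceStore` name are assumptions.

```python
import hashlib
import secrets
import time

# Assumed lifetime; the thread asks only that nonces not last forever.
NONCE_LIFETIME = 12 * 60 * 60  # seconds


class NonceStore:
    """Per-user, per-action, single-use nonces with an expiry.

    The dict stands in for server-side storage such as user meta. Only a
    hash of each token is stored, so reading the store does not yield
    tokens that can be presented."""

    def __init__(self, lifetime=NONCE_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock  # injectable for testing
        self._store = {}     # user_id -> {token_hash: (action, issued_at)}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, action):
        """Issue a fresh random nonce bound to this user and action."""
        self._purge_expired(user_id)
        token = secrets.token_hex(16)  # 128 bits of randomness per issue
        issued = (action, self._clock())
        self._store.setdefault(user_id, {})[self._digest(token)] = issued
        return token

    def verify(self, user_id, action, token):
        """Accept a nonce once; any presentation consumes it, valid or not."""
        entries = self._store.get(user_id, {})
        entry = entries.pop(self._digest(token), None)
        if entry is None:
            return False  # unknown, forged, issued to another user, or already used
        stored_action, issued_at = entry
        if self._clock() - issued_at > self._lifetime:
            return False  # expired
        return stored_action == action  # bound to exactly one action

    def _purge_expired(self, user_id):
        """Keep the store bounded by dropping nonces past their lifetime."""
        now = self._clock()
        entries = self._store.get(user_id, {})
        for key in [k for k, (_, t) in entries.items() if now - t > self._lifetime]:
            del entries[key]
```

A nonce that leaks after use, or after its lifetime, is worthless to whoever obtained it, which is the property the message asks for.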