[wp-hackers] Rethinking check_admin_referer()

Mark Jaquith mark.wordpress at txfx.net
Wed Apr 19 02:45:17 GMT 2006

On Apr 18, 2006, at 9:06 AM, Owen Winkler wrote:

> Eh.  I'm still not crazy about the idea of having the individual  
> admin pages validate themselves by calling this checking function.   
> For one, it implies that there is someplace in the admin that  
> people should be able to go without a key, and I can't think of  
> anyplace like that.  For another, any place accidentally missing  
> the check becomes an instant vulnerability.

Missing the current referer check becomes an instant vulnerability.   
AFAIK we still have a few of these in 2.0.2 ... so that's nothing new.

And there are places that people should be able to go without a  
key... idempotent requests shouldn't require a key... as "tricking"  
someone into going there shouldn't **do** anything but show them that  
screen.  If it **does** do something, you're talking about <script>  
injection, which is a separate issue.

I'm just suggesting that a unique user-specific, action-specific and  
option-specific key be used to validate forms, instead of checking  
the HTTP referer, because it will be more user friendly, while not  
decreasing the level of security in any way.

> And finally, by adding it to a generic "in the admin" script, it  
> allows the keys to be used when accessing plugin option pages  
> without necessarily modifying any existing plugins.  (In the case  
> of options.php?page=X, by doing the verification in the options.php  
> page, which indirectly handles the inclusion of the plugin.)  It  
> will simply require plugin authors who want their option pages to  
> circumvent the "Are you sure?" messages to add the nonce generator  
> as part of their form submission.  Without the key, an "Are you  
> sure?" form should appear that when submitted forwards the request  
> on in the same manner as the original form, but with the  
> appropriate key.

I was thinking that it could fall back on the referer check for  
plugins that haven't been updated, but your idea sounds good too.   
Maybe they could be combined:

1) check key/nonce
2) if not provided, check HTTP referer
3) if HTTP referer isn't from the admin, present "are you sure" dialog

Of course, this would require that we remain vigilant about non- 
idempotent GET requests, lest we open ourselves to a vulnerability in  
the form of malicious links/images inside drafts or comments... but  
it would make the transition very smooth.

Mark Jaquith

More information about the wp-hackers mailing list